Linux kernel Audit support

kanishka.dutta · 03-21-2013, 05:51 AM

I have enabled the Linux kernel audit support and am able to get the audit.log file properly.

But I need to check for a particular scenario where my Linux machine goes to deep sleep and then wakes up from that state. I need to collect the logs during this transition. Meaning to say - I would like to audit which files/processes is getting audited during this transition (wake up from deep sleep).

Please let me know what else I should do along with enabling the Linux kernel audit support?

unSpawn · 03-22-2013, 02:52 AM

Quote:

Originally Posted by kanishka.dutta

(..) I would like to audit which files/processes is getting audited during this transition (wake up from deep sleep).

Which files and processes are getting audited depends on your audit.rules contents and if those rules are loaded. Your problem is that while the audit service doesn't run messages (should) get pushed to syslog instead of audit.log and additionally that until the Syslog service runs it won't store messages anyway. Increasing the message buffer may help to some extent.

kanishka.dutta · 04-10-2013, 04:57 AM

Thanks for the response.

I am able to get the audit.log(s) files now. I would like to know, why is there no daemon process entries in the log file? Is there any specific settings/configurations that we need to do, in order to track the daemon processes as well?

Please guide ...