LinuxQuestions.org


Charles Darwin 04-23-2013 07:15 AM

Auditd file logging not logging daemon processes
 
Currently I am using the Auditd file logging system, but it is not logging the changes done by daemon processes.
Is there any specific rule to do so, or is it not supported?

unSpawn 04-23-2013 12:49 PM

Quote:

Originally Posted by Charles Darwin (Post 4937135)
it is not logging the changes done by daemon processes.

What is your current rule set ('auditctl -l'), how early in the boot process is auditd started and what is your test scenario?

Charles Darwin 04-24-2013 12:46 AM

Ruleset is on the root partition itself with read/write permissions.
auditd is started with the booting of the rootfs, just after kernel boot.

unSpawn 04-24-2013 01:18 AM

Marvelous: half of my questions answered.
Now, what is your current rule set ('auditctl -l') and what is your test scenario?
*Don't be afraid to ask for clarification if you do not understand what I'm asking for.

Charles Darwin 04-24-2013 03:56 AM

"auditctl -l"
>> LIST_RULES: exit,always dir=/ (0x1) perm=w

Test Scenario:
>> List all the processes and the file accesses during bootup for 2 mins.

So in this case, I want to know the settings or configurations to capture the daemon process as well.

unSpawn 04-24-2013 06:14 PM

Quote:

Originally Posted by Charles Darwin (Post 4937829)
LIST_RULES: exit,always dir=/ (0x1) perm=w

'man auditctl' says something about how to interpret "-p" usage in general and read and write syscalls specifically.


Quote:

Originally Posted by Charles Darwin (Post 4937829)
List all the processes and the file accesses during bootup for 2 mins.

"for 2mins" isn't related to auditd at all so I won't comment on that. All processes means "anything that gets executed" and "file access" can mean all and any of read, write and execute and I'm sorry to say but your current rule set doesn't cover any of that. The rule sets in the /usr/share/doc/audit*/ directory should give you an idea of what you can start with building your rule set and 'man auditctl' spills all the details. Also note the audit service won't log anything before its rule set gets loaded plus trying to log everything will put quite a strain on the logging system so I do hope there's a darn good reason for doing this (if you're actually trying to solve another problem tell us).


Quote:

Originally Posted by Charles Darwin (Post 4937829)
I want to know the settings or configurations to capture the daemon process as well.

Sorry but my ESP is particularly low today. Which "daemon process" exactly?
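The thread's rule ("dir=/ perm=w") only matches write-class syscalls, which is why reads and executions by daemons never show up. Below is an added example, not code from the thread, that does two things: it generates a rule set covering execve plus read/write/execute/attribute access under a directory (using the -p letters r, w, x and a that 'man auditctl' documents), and it checks an existing 'auditctl -l' line for the access classes it does not cover. The directory /etc, the -k key names, the buffer size and the sample rule lines are constructed for the example; the old "LIST_RULES: ... perm=w" output format from the thread and the current "-w /path -p w" format are both handled.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an audit rule set that covers
# process execution and file access, and checks an 'auditctl -l' line for
# missing access classes. Paths, keys and sample lines are constructed.

# Print auditctl rules to stdout. Load them with 'auditctl -R <file>' or
# drop them in /etc/audit/rules.d/. Watching "/" is avoided on purpose;
# /etc is a constructed stand-in for the directory you actually care about.
build_rules() {
    dir=${1:-/etc}
    cat <<EOF
## Flush old rules and size the backlog for boot-time bursts (constructed values)
-D
-b 8192
## Every process execution; syscall rules on x86_64 need both arch filters
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b32 -S execve -k exec
## Read, write, execute and attribute changes under $dir (-p rwxa)
-w $dir -p rwxa -k fileaccess
EOF
}

# Extract the permission letters from one 'auditctl -l' line.
# Handles the legacy "perm=w" form seen in the thread and the current
# "-w /path -p w" form. Prints an empty line if the rule has no perm filter.
rule_perms() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*perm=\([rwxa]*\).*/\1/p' \
        -e 's/.*-p \([rwxa]*\).*/\1/p'
}

# Given a rule line and the access classes you require (e.g. "rwx"),
# print the letters the rule does not cover; empty output means covered.
missing_perms() {
    have=$(rule_perms "$1")
    want=$2
    out=""
    while [ -n "$want" ]; do
        p=${want%"${want#?}"}      # first character of $want
        want=${want#?}             # drop it
        case $have in
            *"$p"*) ;;              # covered
            *) out="$out$p" ;;      # not covered
        esac
    done
    printf '%s\n' "$out"
}

# Usage: the rule from the thread, checked against "read, write, execute"
# (constructed sample line)
missing_perms 'LIST_RULES: exit,always dir=/ (0x1) perm=w' rwx   # prints "rx"
```

Run the checker over each line of your real 'auditctl -l' output to see which of the accesses you expect to see are not actually being requested; the generated rules are the starting point unSpawn describes, and a rule covering "/" with -p rwxa will load the logging system heavily, so scope the watch to the directories that matter.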

