audit daemon in ubuntu

8613133 · 05-24-2012, 03:14 AM

hi,
i installed auditd and then started that.i am going to know if i do not add any rule in audit.rules, what will be happen?does auditd log every things in default without adding any rule?in fact ,auditd log what? when there is no rule in audit.rules,
thanks.

unSpawn · 05-24-2012, 03:35 AM

Quote:

Originally Posted by 8613133

does auditd log every things in default without adding any rule?

No.

Quote:

Originally Posted by 8613133

i am going to know if i do not add any rule in audit.rules, what will be happen?

You are going to know by reading the contents of /var/log/audit/audit.log or wherever you configured the audit service to log to.

8613133 · 05-30-2012, 01:56 PM

hi,
i am logging with auditd . i need to know the mode and flag of each syscall,but audit.log does not show them.is there any way to see those fields?

one other question,
how can i see %mem and %cpu each process(pid) that was logged in audit daemon?(in fact %mem and %cpu of pid which is in the log file)
thanks

unSpawn · 06-02-2012, 08:27 PM

Quote:

Originally Posted by 8613133

i need to know the mode and flag of each syscall

If I audit execve it lists the amount of args and each arg. What do you mean "mode and flag"?

Quote:

Originally Posted by 8613133

how can i see %mem and %cpu each process(pid) that was logged in audit daemon?(in fact %mem and %cpu of pid which is in the log file)

The audit service has no concept of SAR (system activity reporting) in that sense. You can correlate data if you collect it using a separate tool like Atop, Collectl, Atsar, Dstat or Sar.