LinuxQuestions.org
Old 11-23-2015, 11:40 AM   #1
fearturtle03
LQ Newbie
 
Registered: Nov 2015
Posts: 3

Rep: Reputation: Disabled
Audit not logging SuSE 10.1


I am trying to get Audit to log on my SuSE 10.1. We have the same box running SuSE 11 and it works fine, but cannot seem to get it working on 10.

I tried to upload the nispom.rules and stig.rules to /etc, perform a reboot then issue auditctl -l and it returns "no rules...File System watches not supported".

Auditctl -e returns "enabled=1 flag=1 pid=3598 rate_limit=0 backlog_limit=64 lost=0 backlog=0" so it appears auditd is enabled just not logging.

I also checked /etc/sysconfig/auditd and found the value AUDITD_DISABLE_CONTEXTS = YES. I changed this to NO and did a reboot again but still the audit.log was not filling up with any event.

It appears after each reboot the audit.log file grows with the same set of information but then never actually continues to audit/grow.

One thing I did notice was the nispom.rules and stig.rules files I found said it should be placed in /etc/audit/audit.rules but this is SuSE 10 and the default file is in /etc/audit.rules. Are these rule sets the same between 10 and 11? They appear to be.

Any suggestions appreciated.

Thanks
 
Old 11-29-2015, 05:33 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by fearturtle03
I am trying to get Audit to log on my SuSE 10.1. We have the same box running SuSE 11 and it works fine, but cannot seem to get it working on 10.
If I'm not mistaken SuSE 10.1 was released in 2006. First thing to do is check if all kernel and system updates were set (no idea what its EOL is), the kernel was configured with auditing enabled and all related configs are stock to start with.


//NTLB
 
Old 11-29-2015, 11:16 AM   #3
fearturtle03
LQ Newbie
 
Registered: Nov 2015
Posts: 3

Original Poster
Rep: Reputation: Disabled
So if the kernel and system updates are not current it could be causing Audit to not be logging?
 
Old 11-29-2015, 05:18 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
It appears you have more pressing problems than getting audit to work...
 
  

