Date:      Fri, 7 Oct 2016 15:08:15 +0200
From:      Mateusz Piotrowski <0mp@FreeBSD.org>
To:        freebsd-hackers@freebsd.org
Cc:        mokhi <mokhi64@gmail.com>
Subject:   Re: Using Audit Framework and praudit
Message-ID:  <543F6C07-9472-4B3C-8697-CD5AE1F17725@FreeBSD.org>
In-Reply-To: <CAByVWPWWOUrBAnYA5n1kovQZAaaGjP5RQbakH-_QOLqTC7-xdQ@mail.gmail.com>
References:  <CAByVWPVhrb78=tgHBKf578MO2n3xWQnGeksV9NQtAi%2BLeKmiCA@mail.gmail.com> <EBAB6795-368E-4975-8606-836DC7A067E2@FreeBSD.org> <CAByVWPWWOUrBAnYA5n1kovQZAaaGjP5RQbakH-_QOLqTC7-xdQ@mail.gmail.com>

Hi,

On 7 Oct 2016, at 11:26, mokhi <mokhi64@gmail.com> wrote:

> I saw audit_control(5) and the handbook entry for audit.
> 
> My `/etc/security/audit_control` and `/etc/security/audit_user` are
> pasted at [1] and [2].
> I guess my changes (flags:all) should make it audit all events on
> success and failure.
> Would you please explain to me my misunderstanding, if there's any?
> 
> [1] https://0x.co/7PE6HC
> [2] https://0x.co/AZ7ZTH

Sorry, I misunderstood your question - I thought you were asking about 
/dev/auditpipe. 

To be clear:

- praudit is just a tool to print the audit trail files in a human 
  readable format. It has nothing to do with the events you log.
- /dev/auditpipe allows you to monitor what is being logged in real time.
  You may use it like this: `praudit /dev/auditpipe`.
- auditd is an audit log management daemon. If you change configuration
  files in /etc/security then you should restart the daemon. If you 
  modify /etc/security/audit_user specifically, you have to log in and
  log out (see audit_user(5)).

This is how to change /etc/security/audit_control to audit everything 
you can:

    dir:/var/audit
    dist:off
    flags:all
    minfree:5
    naflags:all
    policy:cnt,argv,arge,seq
    filesz:2M
    expire-after:10M

Then if I start auditd and begin monitoring what's being audited with 
praudit /dev/auditpipe, I get a constant stream of audit events which
really slows my system.

Does it help you?

Cheers,

-m
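An added example, not part of the thread: a small sh script that renders a narrower audit_control than the `flags:all` one above (which, as the mail notes, floods the system with events), lints it for the kind of slip that is easy to leave behind, and only then installs it and restarts auditd. The class names `lo`, `aa`, `ad`, `ex` and the `-` (failure-only) prefix come from audit_control(5); the `service auditd restart` step is an assumption guarded so the script does nothing system-wide outside FreeBSD.

```shell
#!/bin/sh
# Added example, not from the original mail: render a narrower
# /etc/security/audit_control than "flags:all", lint it, and only then
# install it and restart auditd. Class names (lo, aa, ad, ex) and the
# "-" (failure-only) prefix are from audit_control(5); the apply step
# is guarded so the script is harmless outside FreeBSD.

# Constructed configuration: logins/logouts, authentication,
# administrative actions and failed execs, instead of everything.
audit_control_text() {
    cat <<'EOF'
dir:/var/audit
dist:off
flags:lo,aa,ad,-ex
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
EOF
}

# Lint a candidate file: required keys present, every non-comment line
# is key:value with no whitespace, and no list ends in a dangling comma
# (the "policy:cnt,argv,arge,seq," shape). Prints findings; non-zero if any.
check_audit_control() {
    file=$1 rc=0
    for key in dir flags naflags policy; do
        grep -q "^$key:" "$file" || { echo "missing key: $key"; rc=1; }
    done
    bad=$(grep -vE '^(#.*)?$' "$file" | grep -vE '^[A-Za-z_-]+:[^[:space:]]*$' || true)
    [ -z "$bad" ] || { echo "malformed line(s): $bad"; rc=1; }
    dangling=$(grep -E '^(flags|naflags|policy):.*,$' "$file" || true)
    [ -z "$dangling" ] || { echo "dangling comma: $dangling"; rc=1; }
    return $rc
}

# Write the rendered config to $1 only if it passes the lint; on FreeBSD
# with the real path, restart auditd so it picks the new file up.
apply_audit_control() {
    target=${1:-/etc/security/audit_control}
    tmp=$(mktemp) || return 1
    audit_control_text >"$tmp"
    if ! check_audit_control "$tmp"; then rm -f "$tmp"; return 1; fi
    cp "$tmp" "$target" && rm -f "$tmp"
    if [ "$(uname -s)" = FreeBSD ] && [ "$target" = /etc/security/audit_control ]; then
        service auditd restart
    fi
}
```

Run `apply_audit_control /tmp/audit_control.test` first to see the lint on a scratch copy; with no argument it targets the real file and restarts auditd on FreeBSD.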