Date: Thu, 6 Oct 2016 21:14:41 +0200
From: Mateusz Piotrowski <0mp@FreeBSD.org>
To: freebsd-hackers@freebsd.org
Cc: mokhi <mokhi64@gmail.com>
Subject: Re: Using Audit Framework and praudit
Message-ID: <EBAB6795-368E-4975-8606-836DC7A067E2@FreeBSD.org>
In-Reply-To: <CAByVWPVhrb78=tgHBKf578MO2n3xWQnGeksV9NQtAi%2BLeKmiCA@mail.gmail.com>
References: <CAByVWPVhrb78=tgHBKf578MO2n3xWQnGeksV9NQtAi%2BLeKmiCA@mail.gmail.com>

Hi,

On 6 Oct 2016, at 18:59, mokhi <mokhi64@gmail.com> wrote:

> For using "The audit framework", should I rebuild my kernel to use
> "praudit" to log exec or syscall events ?
> I used the way that handbook says to use praudit, but it only shows me
> logs on authentications with "su" and stop/starting "auditd" service,
> and there's no any other logs.

I guess that there's no need to recompile anything since your praudit seems to
be working as expected.

> Any ideas what other things should i do ?

Are you sure you've modified /etc/security/audit_control? It's the file where
you can configure what events the system should log. See audit_control(5) and
the handbook[1] for more details.

Cheers,

-m

[1]: https://www.freebsd.org/doc/handbook/audit-config.html
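
Added example, not part of the original message or of FreeBSD's own code: a shell check that reads the "flags:" line of an audit_control(5) file and reports whether a class such as "ex" (exec) is selected for successful and for failed events. The helper names and the two sample files are constructed for illustration; the samples assume a flags line limited to the "lo" and "aa" classes, and the same line with "+ex" added.

```shell
#!/bin/sh
# audit_flags FILE: print the value of the first "flags:" line.
# "naflags:" is not matched because the pattern is anchored at line start.
audit_flags() {
    sed -n -e 's/[[:space:]]*$//' -e 's/^flags:[[:space:]]*//p' "$1" | head -n 1
}

# audit_class_state FILE CLASS: print "S F", where S and F are 1 or 0 for
# "successful events selected" and "failed events selected".
# Prefixes per audit_control(5): none = both, "+" = success, "-" = failure,
# and a leading "^" turns the selection off instead of on.
audit_class_state() {
    s=0; f=0
    old_ifs=$IFS; IFS=', '
    for tok in $(audit_flags "$1"); do
        val=1
        case "$tok" in ^*) val=0; tok=${tok#^} ;; esac
        case "$tok" in
            +*) name=${tok#+}; which=s ;;
            -*) name=${tok#-}; which=f ;;
            *)  name=$tok;     which=sf ;;
        esac
        # The "all" class covers every other class.
        if [ "$name" = "$2" ] || [ "$name" = all ]; then
            case "$which" in *s*) s=$val ;; esac
            case "$which" in *f*) f=$val ;; esac
        fi
    done
    IFS=$old_ifs
    echo "$s $f"
}

# Constructed sample files (not taken from the thread).
sample_dir=$(mktemp -d "${TMPDIR:-/tmp}/auditdemo.XXXXXX")
printf 'dir:/var/audit\nflags:lo,aa\nnaflags:lo,aa\npolicy:cnt,argv\n' \
    > "$sample_dir/login_only"
printf 'dir:/var/audit\nflags:lo,aa,+ex\nnaflags:lo,aa\npolicy:cnt,argv\n' \
    > "$sample_dir/with_exec"

for name in login_only with_exec; do
    echo "$name: ex (success failure) = $(audit_class_state "$sample_dir/$name" ex)"
done
```

On a real system, pass /etc/security/audit_control as FILE; after editing that file, `audit -s` tells auditd to re-read it.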