Security Event Auditing with auditd

Hello all,

I am relatively new to FreeBSD and playing around with the system. I have a few questions regarding security event auditing with auditd. I have two users on the system, i.e. root and kobodjo, and I want to be able to log all their actions. Therefore, in the audit_user file, I have the following entries:
Code:
root:all:
kobodjo:all:

Unfortunately, auditd is not logging much information. The only information that is logged is when user kobodjo su's to root, nothing more.

What also confuses me a bit is section 18.3 of the user manual. It states that "User space support for Event Auditing is installed as part of the base FreeBSD operating system. Kernel support for Event Auditing is compiled in by default, but support for this feature must be explicitly compiled into the custom kernel by adding the following line to the kernel configuration file: options AUDIT"

So, do I or do I not have to compile a new kernel to make the auditing (as I want it as stated above) work?

My second question is whether it is possible to send this auditing information to a server instead of writing it to the local filesystem?

Much thanks in advance!

Greetings,
Kobodjo.
 
If you're running the GENERIC kernel, AUDIT is compiled in. If you want to run a non-GENERIC kernel, you have to put AUDIT in yourself. That's what it says.
 
I assume that if /var/audit is a shared filesystem, you would be able to write your data on a remote server. Moreover, if you only want the text version of the audit trail, you could use praudit or auditreduce to connect with /dev/auditpipe and redirect their output to a shared filesystem.
 
Hello all,

I got it working. The funny stuff is that if you use root:all:no in the audit_user file, nothing is being logged instead of all.

Is this a bug?
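An added example (my own code, not from this thread or from FreeBSD) that models the audit_user(5) flag syntax in Python: it parses a constructed excerpt of audit_class and the entries discussed above and computes each user's effective mask. It assumes the combination rule in the man pages, global flags plus alwaysaudit with the neveraudit bits cleared; under that rule `root:all:` and `bob:all:no` come out identical because `no` is the empty class, which is the first thing to confirm when the trail stays empty.

```python
# Constructed excerpt of /etc/security/audit_class (hexmask:name:description).
AUDIT_CLASS = """\
0x00000000:no:invalid class
0x00000002:fw:file write
0x00001000:lo:login_logout
0x00008000:ex:exec
0xffffffff:all:all flags set
"""
# Constructed audit_user(5) entries: username:alwaysaudit:neveraudit.
AUDIT_USER = """\
root:all:
kobodjo:all:
bob:all:no
alice:+ex,-fw:lo
"""

def parse_audit_class(text):
    """Map class name -> 32-bit class mask."""
    classes = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            mask, name, _desc = line.split(":", 2)
            classes[name] = int(mask, 16)
    return classes

def parse_flags(flags, classes):
    """(success, failure) masks; prefixes per audit_control(5): +, -, ^ (remove)."""
    success = failure = 0
    for tok in (t.strip() for t in flags.split(",") if t.strip()):
        remove, tok = tok.startswith("^"), tok.lstrip("^")
        which, tok = {"+": "s", "-": "f"}.get(tok[:1], "sf"), tok.lstrip("+-")
        if tok not in classes:
            raise ValueError("unknown audit class: " + tok)
        bits = classes[tok]
        if "s" in which:
            success = success & ~bits if remove else success | bits
        if "f" in which:
            failure = failure & ~bits if remove else failure | bits
    return success & 0xFFFFFFFF, failure & 0xFFFFFFFF

def effective_masks(audit_user, classes, global_flags="lo"):
    """username -> (success, failure); assumed rule: (global | always) & ~never."""
    gs, gf = parse_flags(global_flags, classes)
    users = {}
    for line in audit_user.splitlines():
        if line.strip() and not line.startswith("#"):
            user, always, never = line.split(":", 2)
            a_s, a_f = parse_flags(always, classes)
            n_s, n_f = parse_flags(never, classes)
            users[user] = ((gs | a_s) & ~n_s & 0xFFFFFFFF, (gf | a_f) & ~n_f & 0xFFFFFFFF)
    return users
```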
 