Hello all,
I am relatively new to FreeBSD and am playing around with the system. I have a few questions regarding security event auditing with auditd. I have two users on the system, i.e. root and kobodjo, and I want to be able to log all their actions. Therefore, in the audit_user file, I have the following entries:
Code:
root:all:
kobodjo:all:
Unfortunately, auditd is not logging much information. The only information that is logged is when user kobodjo su's to root, nothing more.
What is also confusing me a bit is section 18.3 of the user manual. It states that "User space support for Event Auditing is installed as part of the base FreeBSD operating system. Kernel support for Event Auditing is compiled in by default, but support for this feature must be explicitly compiled into the custom kernel by adding the following line to the kernel configuration file: options AUDIT"
So, do I or do I not have to compile a new kernel to make the auditing (as I want it as stated above) work?
My second question is whether it is possible to send this auditing information to a server, apart from writing it to the local filesystem?
Much thanks in advance!
Greetings,
Kobodjo.
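Added example, not the poster's code: the audit_user entries above are not applied on their own; when a session starts, the login path combines the global audit_control flags with the user's alwaysaudit/neveraudit fields as (global | always) & ~never (the rule au_user_mask(3) implements). The script below parses constructed copies of both files (a default-style flags:lo,aa, the poster's two entries, plus a hypothetical finer-grained user alice) and prints the effective per-class selection for each user.

```python
"""Compute the effective audit preselection mask for a FreeBSD user from
audit_control and audit_user, i.e. (global flags | alwaysaudit) & ~neveraudit."""

# Audit classes from audit_class(5); "all" expands to every class, "no" to none.
CLASSES = ["fr", "fw", "fa", "fm", "fc", "fd", "cl", "pc", "nt",
           "ip", "na", "ad", "lo", "aa", "ap", "io", "ex", "ot"]

# Constructed sample files (not the poster's real files): a default-style
# audit_control and an audit_user with the poster's entries plus "alice".
AUDIT_CONTROL = "dir:/var/audit\nflags:lo,aa\nminfree:5\nnaflags:lo,aa\npolicy:cnt,argv\n"
AUDIT_USER = "root:all:\nkobodjo:all:\nalice:ad,-fw:+lo\n"


def parse_flags(spec):
    """Turn a flag list such as 'lo,-fw,^+aa' into {class: {'success'|'failure'}}.
    Tokens apply left to right: '+' selects only successes, '-' only failures,
    and a leading '^' clears the named outcomes instead of setting them."""
    mask = {}
    for tok in filter(None, spec.split(",")):
        clear = tok.startswith("^")
        body = tok.lstrip("^")
        outcomes = {"success", "failure"}
        if body and body[0] in "+-":
            outcomes = {"success"} if body[0] == "+" else {"failure"}
            body = body[1:]
        names = CLASSES if body == "all" else [] if body == "no" else [body]
        for name in names:
            if name not in CLASSES:
                raise ValueError(f"unknown audit class {name!r}")
            current = mask.get(name, set())
            mask[name] = current - outcomes if clear else current | outcomes
    return {cls: out for cls, out in mask.items() if out}


def effective_mask(audit_control, audit_user, user):
    """Per-class outcomes that will be audited for `user` once they log in."""
    global_flags = ""
    for line in audit_control.splitlines():
        if line.startswith("flags:"):
            global_flags = line.split(":", 1)[1].strip()
    always = never = ""
    for line in audit_user.splitlines():
        fields = line.strip().split(":")          # username:alwaysaudit:neveraudit
        if len(fields) >= 3 and fields[0] == user:
            always, never = fields[1], fields[2]
    g, a, n = parse_flags(global_flags), parse_flags(always), parse_flags(never)
    result = {}
    for cls in CLASSES:
        selected = (g.get(cls, set()) | a.get(cls, set())) - n.get(cls, set())
        if selected:
            result[cls] = selected
    return result


if __name__ == "__main__":
    for user in ("kobodjo", "alice", "nobody"):
        print(user, effective_mask(AUDIT_CONTROL, AUDIT_USER, user))
```

A user with no audit_user entry (here "nobody") ends up with only the global lo,aa classes, which is why login/su records are the only thing seen until a session is started under the new per-user mask.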