Where're audit logs in FreeBSD?

Hello!

I've set up the auditd service in FreeBSD 13.2-RELEASE amd64.

in rc.conf
Bash:
auditd_enable="YES"

in /etc/security/audit_control
Bash:
dir:/var/audit
dist:off
flags:lo,aa,ad,ap,ex,fa,fm,pc
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:100M
expire-after:10000M

in /etc/security/audit_user
Bash:
root:lo:no
devd:all:no

After restarting the auditd(8) service I fetched the files in the /var/audit directory and... I couldn't see the events.

/var/audit
Bash:
-r--r-----  1 root        audit  113 Nov  9 10:22 20231109063543.20231109072221
-r--r-----  1 root        audit   56 Nov  9 10:22 20231109072221.20231109081717
-r--r-----  1 root        audit  153 Nov  9 11:23 20231109081717.not_terminated
lrwxr-xr-x  1 root        audit   40 Nov  9 11:17 current@ -> /var/audit/20231109081717.not_terminated
drwxrwx---  2 auditdistd  audit    2 Apr  7  2023 dist/
drwx------  2 auditdistd  wheel    2 Apr  7  2023 remote/


20231109081717.not_terminated
Bash:
 8
    ??? eL??  ( auditd::Audit startup '     ?   8   a
                                                       eL??? 2$????      ?? ?? ?? ?  ?        ( �successful authentication '     ?   a

As far as I understood, there are two events (the auditd startup and root authentication) but without timestamp, tags, hostname, etc. And too many '?' in the log.

Should I set up other auditd(8) config files? Maybe I have to change the encoding somewhere? Or should I reconfigure syslog?

Could you recommend the fundamental FreeBSD book (like Linux Essentials or Linux Bible)?

My reference is Chapter 19. Security Event Auditing
 
[…] As far as I understood, there are two events (the auditd startup and root authentication) but without timestamp, tags, hostname, etc. And too many '?' in the log. […] Maybe I have to change the encoding somewhere? […] My reference is Chapter 19. Security Event Auditing
Apparently you have not made it to § 19.4 Working with Audit Trails. It says you need to use praudit(1) to get a human-readable format.
[…] Could you recommend the fundamental FreeBSD book (like Linux Essentials or Linux Bible)? […]
This has been asked before. Thread 90536 more recently for example.
 
Apparently you have not made it to § 19.4 Working with Audit Trails. It says you need to use praudit(1) to get a human-readable format.
Thank you very much indeed! It looks quite a bit better, especially with the -lx option. As far as I know, there's no option to auto-convert audit files via praudit to the final log. So I ought to write a simple script to keep them in one file.
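A script of the kind the last reply talks about, added here as an example (not code from the thread or from FreeBSD): it walks the trail directory, skips the open .not_terminated trail, the current@ symlink and the dist/ and remote/ directories, converts each closed <start>.<stop> trail with praudit -l and appends it to one text log, using a state file so a trail is never merged twice. The default paths /var/log/audit.log and /var/log/audit.done are assumptions.

```sh
#!/bin/sh
# merge_audit_trails [audit_dir] [out_file] [state_file]
# Appends praudit(1) text output of every closed audit trail to one log file.
# /var/log/audit.log and /var/log/audit.done are assumed names, not FreeBSD defaults.
# Prints the number of trails converted on this run.

merge_audit_trails() {
    dir=${1:-/var/audit}
    out=${2:-/var/log/audit.log}
    state=${3:-/var/log/audit.done}
    converted=0
    touch "$state"
    for trail in "$dir"/*; do
        name=$(basename "$trail")
        # Regular files only: drops current@ (symlink) and dist/, remote/ (dirs).
        [ -f "$trail" ] && [ ! -L "$trail" ] || continue
        # Only closed trails are named <digits>.<digits>; the trail still being
        # written is <digits>.not_terminated and must not be merged yet.
        case "$name" in
            [0-9]*.[0-9]*) ;;
            *) continue ;;
        esac
        # State file holds one already-merged trail name per line.
        if grep -qxF "$name" "$state"; then
            continue
        fi
        # praudit -l: one record per line, convenient for grep or log shipping.
        praudit -l "$trail" >> "$out" || return 1
        printf '%s\n' "$name" >> "$state"
        converted=$((converted + 1))
    done
    echo "$converted"
}
```

Run it from cron as a user in the audit group (the trails are mode 0440 root:audit); records in the open trail appear once auditd rotates it, which filesz:100M in audit_control triggers.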
 