Text only | Text with Images

Artix Linux Forum

Artix Linux => System => Topic started by: tsedek1 on 01 April 2025, 11:57:23

Title: Auditd: How do I set it up and use it?
Post by: tsedek1 on 01 April 2025, 11:57:23
Maybe I'm misunderstanding how Audit should be setup and configured in Artix.

Code: [Select]
rc-service auditd start
rc-update add auditd
reboot
Code: [Select]
ausearch -i -k recon
<no matches>
ausearch -i -k shell
<no matches>
ausearch -i -k anon_file_creation
<no matches>
I'll cat the log file and see what's in it.

I've gone to the mirror site, in 'system' downloaded the 'audit-openrc' file. Now I'll have it for later.
In 'World', and downloaded the 'nftables' and 'nftables-openrc' files.
Do I need to save the .sig file also?

::I have taken this from a Feature Request Topic in Software Development. I think Auditd deserves it's own thread.::
Title: Re: Auditd: How do I set it up and use it?
Post by: tsedek1 on 01 April 2025, 11:59:24
Here is a sample of what is in the audit.log:

Code: [Select]
type=USER_LOGOUT msg=audit(1743492422.998:15): pid=2267 uid=0 auid=1000 ses=1 msg='op=logout id=1000 exe="/usr/bin/lightdm" hostname=talmudeem_sell_their_children_to_be_whores addr=? terminal=/dev/tty7 res=success'UID="root" AUID="WhatsMyName" ID="WhatsMyName"

Looks like it isn't reading the audit.rules file. There are no 'key=' entries.
I put the 'audit.rules' file in '/etc/audit/rules.d/audit.rules'
Title: Re: Auditd: How do I set it up and use it?
Post by: lotuskip on 01 April 2025, 12:21:01
I don't personally use auditd, but
Quote from: man auditd
DESCRIPTION
 auditd  is  the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities. Configuring the audit system or loading rules is done with the auditctl  utility.  During  startup,  the  rules  in /etc/audit/audit.rules  are  read  by auditctl and loaded into the kernel. Alternately, there is also an augenrules program that reads rules located in /etc/audit/rules.d/ and compiles them into an audit.rules file. The audit daemon itself has some configuration options that the admin may wish to  customize. They are found in the auditd.conf file.
Title: Re: Auditd: How do I set it up and use it?
Post by: tsedek1 on 01 April 2025, 12:31:57
Quote from: lotuskip – on
I don't personally use auditd, but
Quote from: man auditd
DESCRIPTION
 auditd  is  the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities. Configuring the audit system or loading rules is done with the auditctl  utility.  During  startup,  the  rules  in /etc/audit/audit.rules  are  read  by auditctl and loaded into the kernel. Alternately, there is also an augenrules program that reads rules located in /etc/audit/rules.d/ and compiles them into an audit.rules file. The audit daemon itself has some configuration options that the admin may wish to  customize. They are found in the auditd.conf file.

I have moved the 'audit.rules' to /etc/audit/. I'll reboot and see what the effect will be.
Title: Re: Auditd: How do I set it up and use it?
Post by: tsedek1 on 01 April 2025, 12:51:37
How I managed with other Arch Distro's is changing. Artix is straightening me out.
2 minutes to install
Auditd is working....

Code: [Select]
type=PROCTITLE msg=audit(01/04/25 13:35:30.507:1275) : proctitle=/usr/bin/pulseaudio --start --log-target=syslog 
type=SYSCALL msg=audit(01/04/25 13:35:30.507:1275) : arch=x86_64 syscall=memfd_create success=yes exit=41 a0=0x799a836d054a a1=0xb a2=0x0 a3=0x0 items=0 ppid=1 pid=2458 auid=WhatsMyName uid=WhatsMyName gid=WhatsMyName euid=WhatsMyName suid=WhatsMyName fsuid=WhatsMyName egid=WhatsMyName sgid=WhatsMyName fsgid=WhatsMyName tty=(none) ses=1 comm=pulseaudio exe=/usr/bin/pulseaudio key=anon_file_create

Like a glove. :nods head:
Now, getting rid of LightDM, the next 'ToDo'. tsedek1 hollers, "Slim...Where you at?"
Title: Re: Auditd: How do I set it up and use it?
Post by: tsedek1 on 02 April 2025, 12:37:31
Auditd with openrc:
What runlevel should it be set to?

Currently it's set to 'Default'.

rc-update -v show
Code: [Select]
auditd |      default
Should I set it to 'Boot'? And, Will that change what gets logged, adding stuff earlier in the uptime?
Text only | Text with Images