
Auditd: How do I set it up and use it?

Maybe I'm misunderstanding how Audit should be set up and configured in Artix.

Code:
rc-service auditd start
rc-update add auditd
reboot
Code:
ausearch -i -k recon
<no matches>
ausearch -i -k shell
<no matches>
ausearch -i -k anon_file_creation
<no matches>
I'll cat the log file and see what's in it.

I've gone to the mirror site, in 'system' downloaded the 'audit-openrc' file. Now I'll have it for later.
In 'World', and downloaded the 'nftables' and 'nftables-openrc' files.
Do I need to save the .sig file also?

::I have taken this from a Feature Request Topic in Software Development. I think Auditd deserves its own thread.::

Re: Auditd: How do I set it up and use it?

Reply #1
Here is a sample of what is in the audit.log:

Code:
type=USER_LOGOUT msg=audit(1743492422.998:15): pid=2267 uid=0 auid=1000 ses=1 msg='op=logout id=1000 exe="/usr/bin/lightdm" hostname=talmudeem_sell_their_children_to_be_whores addr=? terminal=/dev/tty7 res=success'UID="root" AUID="WhatsMyName" ID="WhatsMyName"

Looks like it isn't reading the audit.rules file. There are no 'key=' entries.
I put the 'audit.rules' file in '/etc/audit/rules.d/audit.rules'


Re: Auditd: How do I set it up and use it?

Reply #2
I don't personally use auditd, but
Quote from: man auditd
DESCRIPTION
 auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities. Configuring the audit system or loading rules is done with the auditctl utility. During startup, the rules in /etc/audit/audit.rules are read by auditctl and loaded into the kernel. Alternately, there is also an augenrules program that reads rules located in /etc/audit/rules.d/ and compiles them into an audit.rules file. The audit daemon itself has some configuration options that the admin may wish to customize. They are found in the auditd.conf file.

Re: Auditd: How do I set it up and use it?

Reply #3

I have moved the 'audit.rules' to /etc/audit/. I'll reboot and see what the effect will be.

Re: Auditd: How do I set it up and use it?

Reply #4
How I managed with other Arch distros is changing. Artix is straightening me out.
2 minutes to install
Auditd is working....

Code:
type=PROCTITLE msg=audit(01/04/25 13:35:30.507:1275) : proctitle=/usr/bin/pulseaudio --start --log-target=syslog 
type=SYSCALL msg=audit(01/04/25 13:35:30.507:1275) : arch=x86_64 syscall=memfd_create success=yes exit=41 a0=0x799a836d054a a1=0xb a2=0x0 a3=0x0 items=0 ppid=1 pid=2458 auid=WhatsMyName uid=WhatsMyName gid=WhatsMyName euid=WhatsMyName suid=WhatsMyName fsuid=WhatsMyName egid=WhatsMyName sgid=WhatsMyName fsgid=WhatsMyName tty=(none) ses=1 comm=pulseaudio exe=/usr/bin/pulseaudio key=anon_file_create

Like a glove. :nods head:
Now, getting rid of LightDM, the next 'ToDo'. tsedek1 hollers, "Slim...Where you at?"
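The two log samples in this thread show the difference between rules that are not loaded (Reply #1: no 'key=' field in any record) and rules that are (Reply #4: a SYSCALL record carrying key=anon_file_create). A quick way to check that state without guessing is to parse the raw audit.log, list the keys that actually fired, and compare them against the -k keys defined in the rules file. The script below is an added example, not code from this thread or from the audit project; it reads the raw record format auditd writes (not the ausearch -i interpreted format shown in Reply #4), understands only rules that end in -k KEY, and the rules text and log lines embedded in it are constructed samples. Note that the first post searched for -k anon_file_creation while the rule that fired in Reply #4 is keyed anon_file_create; the search_key function shows how such a spelling mismatch looks (no matches) even when the rule is working.

```python
"""Check which audit rule keys actually produce records in audit.log.

Added example, not code from the thread or from the audit project. It
assumes the standard audit.rules syntax (-w/-a rules ending in -k KEY) and
the raw record format auditd writes; the rules and log lines embedded
below are constructed samples, not taken from a real system.
"""
import re
from collections import Counter

# Constructed sample of what /etc/audit/rules.d/audit.rules might contain.
SAMPLE_RULES = """\
## constructed sample rules
-D
-b 8192
-w /etc/passwd -p wa -k recon
-w /etc/shadow -p wa -k recon
-a always,exit -F arch=b64 -S execve -F euid=0 -k shell
-a always,exit -F arch=b64 -S memfd_create -k anon_file_create
"""

# Constructed raw audit.log lines (timestamps, pids and paths are made up).
SAMPLE_LOG = """\
type=USER_LOGOUT msg=audit(1743492422.998:15): pid=2267 uid=0 auid=1000 ses=1 msg='op=logout id=1000 exe="/usr/bin/lightdm" hostname=? addr=? terminal=/dev/tty7 res=success'
type=SYSCALL msg=audit(1743492430.507:1275): arch=c000003e syscall=319 success=yes exit=41 a0=0x799a836d054a a1=0xb a2=0x0 a3=0x0 items=0 ppid=1 pid=2458 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="pulseaudio" exe="/usr/bin/pulseaudio" key="anon_file_create"
type=SYSCALL msg=audit(1743492431.100:1280): arch=c000003e syscall=2 success=yes exit=3 a0=0x0 a1=0x0 a2=0x0 a3=0x0 items=1 ppid=1 pid=2500 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi" exe="/usr/bin/vi" key="recon"
type=SYSCALL msg=audit(1743492431.200:1281): arch=c000003e syscall=2 success=yes exit=3 a0=0x0 a1=0x0 a2=0x0 a3=0x0 items=1 ppid=1 pid=2500 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi" exe="/usr/bin/vi" key="recon"
"""

# One record per line: type=..., the audit(timestamp:serial) stamp, then
# space-separated name=value fields (values may be "..." or '...' quoted).
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
KEY_RE = re.compile(r"(?:^|\s)-k\s+(\S+)")


def rule_keys(rules_text):
    """Return the set of -k keys defined in an audit.rules file."""
    keys = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no rule
        m = KEY_RE.search(line)
        if m:
            keys.add(m.group(1))
    return keys


def parse_record(line):
    """Parse one raw audit.log line; return None for non-record lines."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    fields = {}
    for name, value in FIELD_RE.findall(m.group("rest")):
        if value[0] in "\"'" and value[-1] == value[0] and len(value) >= 2:
            value = value[1:-1]  # strip the quotes auditd puts around strings
        fields[name] = None if value == "(null)" else value
    return {
        "type": m.group("type"),
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": fields,
    }


def search_key(log_text, key):
    """Return the records whose key= field equals key (what `ausearch -k` matches on)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["fields"].get("key") == key:
            hits.append(rec)
    return hits


def report(rules_text, log_text):
    """Cross-check the keys the rules define against the keys seen in the log."""
    defined = rule_keys(rules_text)
    fired = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["fields"].get("key"):
            fired[rec["fields"]["key"]] += 1
    return {
        "defined": sorted(defined),
        "fired": dict(fired),
        "silent": sorted(defined - set(fired)),   # defined but never matched yet
        "unknown": sorted(set(fired) - defined),  # in the log, but no rule defines it
    }


if __name__ == "__main__":
    rep = report(SAMPLE_RULES, SAMPLE_LOG)
    print("defined:", rep["defined"])
    print("fired:  ", rep["fired"])
    print("silent: ", rep["silent"])
    # The search from the first post versus the key the rule actually carries:
    print("anon_file_creation matches:", len(search_key(SAMPLE_LOG, "anon_file_creation")))
    print("anon_file_create matches: ", len(search_key(SAMPLE_LOG, "anon_file_create")))
```

To use it on a real system, replace SAMPLE_RULES with the contents of the rules file augenrules compiled (or /etc/audit/audit.rules, whichever the daemon loads) and SAMPLE_LOG with /var/log/audit/audit.log; a "silent" key means the rule is loaded but nothing has triggered it, while an empty "fired" dict together with no key= fields at all points back to the Reply #1 situation where the rules were never loaded.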

Re: Auditd: How do I set it up and use it?

Reply #5
Auditd with openrc:
What runlevel should it be set to?

Currently it's set to 'Default'.

rc-update -v show
Code:
auditd |      default
Should I set it to 'Boot'? And will that change what gets logged, adding stuff earlier in the uptime?
