Hi, I really want to use auditctl to log my filesystem events like inotify does, but with the pid of the modifier, but somehow I cannot. I followed the audit framework Arch wiki article, installed and enabled it, and also added the audit boot parameter to the kernel; here's my /etc/default/grub line with it:
GRUB_CMDLINE_LINUX_DEFAULT="quiet audit=1"
, and here's my
sudo cat /proc/cmdline
output:
BOOT_IMAGE=/boot/vmlinuz-linux root=UUID=59c7ed3d-5c1a-464e-8da0-6bcf76bc19d2 rw quiet audit=1
But with this done, when I run
sudo auditctl -w /home
, or even
sudo auditctl -s
I get
Error - audit support not in kernel
Cannot open netlink audit socket
Does anybody know how to fix this?
thx.
I think you need CONFIG_AUDIT=y in the kernel config.
https://projects.archlinux.org/svntogit … /linux#n76
Last edited by karol (2015-02-24 16:29:04)
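The reply above points at the actual cause: the two error lines come from a kernel built without audit support, and no boot parameter can add it. The following POSIX sh script is an added example (not from this thread or the Arch wiki) that separates the two conditions before anyone reaches for ABS: whether the kernel config has CONFIG_AUDIT=y, and whether audit=1 is on the command line. It assumes the running kernel's config is readable from /proc/config.gz or /boot/config-$(uname -r); the sample config contents in the usage are constructed.

```shell
# Added example: diagnose "audit support not in kernel" before rebuilding.
# Two independent conditions are checked:
#   1. CONFIG_AUDIT=y in the kernel config (fixed only by rebuilding)
#   2. audit=1 on the kernel command line (fixed in the bootloader config)

# has_config_audit FILE: 0 if FILE contains CONFIG_AUDIT=y, 1 otherwise.
has_config_audit() {
    grep -q '^CONFIG_AUDIT=y$' "$1"
}

# cmdline_has_audit STRING: 0 if "audit=1" is one of the boot parameters.
cmdline_has_audit() {
    for param in $1; do
        [ "$param" = "audit=1" ] && return 0
    done
    return 1
}

# diagnose CONFIG_FILE CMDLINE: print the verdict and return
#   0 = audit compiled in and enabled
#   1 = kernel lacks CONFIG_AUDIT (auditctl cannot work, rebuild needed)
#   2 = CONFIG_AUDIT present but audit=1 missing from the command line
diagnose() {
    if ! has_config_audit "$1"; then
        echo "kernel built without CONFIG_AUDIT: rebuild with CONFIG_AUDIT=y"
        return 1
    fi
    if ! cmdline_has_audit "$2"; then
        echo "CONFIG_AUDIT present, but audit=1 is not on the kernel command line"
        return 2
    fi
    echo "kernel audit support present and enabled"
    return 0
}

# running_kernel_config: write the running kernel's config to stdout.
# Assumption: /proc/config.gz (CONFIG_IKCONFIG_PROC) or /boot/config-$(uname -r) exists.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "no readable kernel config found" >&2
        return 1
    fi
}

# Live check of the current machine; only runs when explicitly requested
# (AUDIT_CHECK_DEMO=1 sh thisfile.sh) so the functions can also be sourced.
if [ "${AUDIT_CHECK_DEMO:-0}" = "1" ]; then
    cfg=$(mktemp)
    if running_kernel_config > "$cfg"; then
        diagnose "$cfg" "$(cat /proc/cmdline)"
    fi
    rm -f "$cfg"
fi
```

Run it with AUDIT_CHECK_DEMO=1 on the affected machine: a return code of 1 means the wiki's boot-parameter step was never going to help and the kernel has to be rebuilt, while 2 means the opposite case, where GRUB_CMDLINE_LINUX_DEFAULT still needs audit=1.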
Sorry, I'm not really familiar with kernel compilation. Can I pass this CONFIG_AUDIT=y via boot params in the grub config, or do I really have to recompile the kernel? Via ABS? (this is a newbie section, right? ;-))
Yes, via ABS: https://wiki.archlinux.org/index.php/Ke … ild_System
Ok, I recompiled the kernel just as you suggested, and it works now. But it's soooo slow :(