#1 2024-07-29 00:24:22

ThoughtBubble
Member
Registered: 2024-07-09
Posts: 50

[Solved] Questions regarding the audit framework

Where are the logs stored?
Does this tool automatically remove old log files? If not, how do I automatically remove old logs? I would like to remove them based on how many times I've booted and based on when the log file was created.
Does this tool set a size limit for the log files it generates? If not, how do I go about doing this?

Last edited by ThoughtBubble (2024-09-03 20:22:21)

#2 2024-07-29 22:32:43

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 23,603

Re: [Solved] Questions regarding the audit framework

It's a systemd service, so it gets logged by journald, which in turn provides all the facilities for handling exact sizes/days/rotation: https://wiki.archlinux.org/title/Systemd/Journal -- read the entirety of that, with specific focus on the size limit and per-unit file size limit sections.

Some alternate paths when not using journald would get configured in /etc/audit/auditd.conf.

Last edited by V1del (2024-07-29 22:37:05)

#3 2024-08-03 17:50:20

ThoughtBubble
Member
Registered: 2024-07-09
Posts: 50

Re: [Solved] Questions regarding the audit framework

Running this command

auditctl -w /etc/passwd -p rwxa

gives me the following message:

Old style watch rules are slower

Is there a better way to add this rule?

#4 2024-08-11 00:46:51

gcb
Member
Registered: 2014-02-12
Posts: 173

Re: [Solved] Questions regarding the audit framework

Yes, the better way is to hook to a syscall. I don't know what it does in the background, but unless the devs are trying to cover for some really stupid backward compatibility there's no reason the "better" way would be faster than this, as they should hook to the same things... but it's Red Hat, so they probably DID something silly because some client asked.

Anyway, attach to the syscall:

auditctl -a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -k my_passwd_alert

(Also, you don't want /etc/passwd, and you don't want read alerts.)

And I think you also need the delete in case a script does a rm/mv... (audit syntax is so useless without a middleware)

auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F path=/etc/shadow -k my_passwd_alert

Last edited by gcb (2024-08-11 00:56:09)

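The rules above tag every matching event with the key my_passwd_alert, but the raw audit.log still has to be read back to see who touched the file and how. The following is an added example (not code from the thread or from the audit package): it groups raw audit.log records by event serial, keeps only events carrying that key, and reports the syscall, login uid, executable and the PATH entries, so a rename of /etc/shadow shows up alongside a write. The log lines are constructed samples, and the syscall-number table is assumed to be x86_64 (arch=b64 as in the rules).

```python
import re
from collections import defaultdict

# x86_64 (arch=b64) syscall numbers for the calls the rules above cover.
SYSCALL_NAMES = {2: "open", 82: "rename", 87: "unlink", 257: "openat",
                 263: "unlinkat", 264: "renameat"}
KEY = "my_passwd_alert"

# Constructed sample records in raw audit.log format (not real captures):
# a write-open of /etc/shadow, a rename of it, and an unrelated event without the key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1723335611.123:456): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="my_passwd_alert"
type=PATH msg=audit(1723335611.123:456): item=0 name="/etc/" inode=2 nametype=PARENT
type=PATH msg=audit(1723335611.123:456): item=1 name="/etc/shadow" inode=99 nametype=NORMAL
type=SYSCALL msg=audit(1723335612.500:457): arch=c000003e syscall=82 success=yes exit=0 items=4 ppid=1 pid=1300 auid=1000 uid=0 gid=0 euid=0 comm="mv" exe="/usr/bin/mv" key="my_passwd_alert"
type=PATH msg=audit(1723335612.500:457): item=2 name="/etc/shadow" inode=99 nametype=DELETE
type=PATH msg=audit(1723335612.500:457): item=3 name="/etc/shadow.bak" inode=99 nametype=CREATE
type=SYSCALL msg=audit(1723335613.000:458): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=1400 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1723335613.000:458): item=0 name="/etc/hostname" inode=5 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

def parse_record(line):
    """Split one raw record into (type, serial, timestamp, {field: value})."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return fields["type"], int(m.group(2)), float(m.group(1)), fields

def events_for_key(log_text, key=KEY):
    """Group records by event serial; return summaries of events tagged with `key`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec[1]].append(rec)
    results = []
    for serial, recs in sorted(events.items()):
        sc = next((r for r in recs if r[0] == "SYSCALL"), None)
        if sc is None or sc[3].get("key") != key:
            continue
        num = int(sc[3]["syscall"])
        # PATH records name everything touched, including a rename's new name.
        paths = [(r[3]["name"], r[3].get("nametype", "")) for r in recs if r[0] == "PATH"]
        results.append({"serial": serial, "time": sc[2],
                        "syscall": SYSCALL_NAMES.get(num, str(num)),
                        "auid": int(sc[3]["auid"]),  # login uid: survives su/sudo
                        "uid": int(sc[3]["uid"]), "exe": sc[3]["exe"], "paths": paths})
    return results

if __name__ == "__main__":
    for ev in events_for_key(SAMPLE_LOG):
        print(ev)
```

On a live system the same function can be fed the output of `ausearch -k my_passwd_alert --raw`, which emits records in this raw format.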