AUDIT FAQ

1. Q: How can I see the audit logs, one event per line?

   A: Assuming you want the logs since 1 am:

       ausearch -ts 1:00:00 | grep -v 'time->' | tr '\n' ' ' | sed -e 's/----/\n/g'

2. Q: Is there a way to dictate the naming convention of the rotated log files so that the names reflect the date range of the data they contain, instead of simply audit.log.1, audit.log.2, etc.?

   A: No, but you can easily cobble something together to do it. The design philosophy behind the audit daemon was to keep it very simple: it has to be able to meet EAL4+ assurance levels, and the fancier it gets, the more documenting and testing it needs. The "aureport -t" command will report the time range of a file or of all logs.

3. Q: Can I force rotation of the audit logs?

   A: Yes: "service auditd rotate"

4. Q: I need daily log rotation rather than rotation by size. How do I set this up?

   A: In /etc/auditd.conf, set max_log_file_action=ignore. Then use the script auditd.cron shipped in the RPM. After the rotate, the old file will be named audit.log.1. You can customize the cron script to add the machine's name and the time range, compress the file with bzip2, and scp it to a safe location if you so desire.

5. Q: Can the audit package be added to FC3?

   A: Sort of. You can add the audit daemon to FC3, but there is a lot more configuring and patching that has to be done to make the audit system work right. For example, there are patches to PAM to set the loginuid so that the user is correctly tracked no matter what they "su" to. You will also want to be using the 2.6.14 kernel at a minimum for syscall auditing.

6. Q: Can I audit changes to a file?

   A: RHEL4 has the capability to do this using watches (auditctl -w). Upstream kernel developers felt there was some overlap with inotify and asked for the patch to be refactored. That work is ongoing, but not complete.
7. Q: How do I interpret the following from strace?

       recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\322\7\0\0\377\377\377\377\20\0"..., 8476, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36

   A: You have to look at the audit_reply data structure (/usr/include/linux/audit.h), which pulls in nlmsghdr (/usr/include/linux/netlink.h). The above line of strace is dissected as follows:

       recvfrom(3, "$\0\0\0         - first 4 bytes: length
                    \2\0             - next 2 bytes: message type; in this case NLMSG_ERROR
                    \0\0             - flags
                    \1\0\0\0         - sequence number
                    \322\7\0\0       - pid (strace prints the bytes as octal escapes)
                    \377\377\377\377 - return code for NLMSG_ERROR packets, again as octal escapes (-1)

8. Q: I log in via gdm but the loginuid is still 4294967295. pam_loginuid.so is in gdm's PAM stack. What's wrong?

   A: Depending on your boot settings, gdm may start before the audit system. The audit daemon enables the audit facility in the kernel; any process that runs before auditing is turned on in the kernel gets loginuid 4294967295. To fix this, add audit=1 to your grub boot parameters. This enables the audit system at boot, so all processes have the correct loginuid.
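The dissection in Q7, carried out in code as an added example (not part of the FAQ): it decodes the 22 bytes strace printed into the nlmsghdr fields and the struct nlmsgerr that follows an NLMSG_ERROR reply. NLMSG_ERROR and the header size come from <linux/netlink.h>; the decoded pid 2002 and the EPERM name follow from the bytes on the page; the last two visible bytes ("\20\0") are the start of the echoed request header, which the example only sizes.

```python
import errno
import struct

NLMSG_ERROR = 0x2    # message type value from <linux/netlink.h>
NLMSG_HDRLEN = 16    # sizeof(struct nlmsghdr): u32 len, u16 type, u16 flags, u32 seq, u32 pid

# The 22 bytes strace printed for the recvfrom() call in Q7, re-typed from its
# octal escapes; strace truncated the remaining 14 of the 36 bytes received.
STRACE_BYTES = b"$\0\0\0\2\0\0\0\1\0\0\0\322\7\0\0\377\377\377\377\20\0"


def parse_nlmsghdr(buf):
    """Decode a struct nlmsghdr. Netlink uses host byte order; '<' assumes the
    little-endian host the strace was captured on (use '=' for native order)."""
    if len(buf) < NLMSG_HDRLEN:
        raise ValueError("buffer shorter than a netlink header")
    nlen, ntype, nflags, nseq, npid = struct.unpack("<IHHII", buf[:NLMSG_HDRLEN])
    return {"len": nlen, "type": ntype, "flags": nflags, "seq": nseq, "pid": npid}


def parse_audit_reply(buf):
    """Decode the header and, for NLMSG_ERROR, the struct nlmsgerr that follows it:
    a signed int error code, then an echo of the header of the request that failed."""
    reply = parse_nlmsghdr(buf)
    if reply["type"] == NLMSG_ERROR:
        (error,) = struct.unpack("<i", buf[NLMSG_HDRLEN:NLMSG_HDRLEN + 4])
        reply["error"] = error
        # A negative value is -errno; 0 is the kernel's ACK for a successful request.
        reply["errno_name"] = errno.errorcode.get(-error, "OK" if error == 0 else "?")
        # Whatever remains (len - header - 4) is the echoed original nlmsghdr
        # (16 bytes when the failed request carried no payload).
        reply["echoed_header_bytes"] = reply["len"] - NLMSG_HDRLEN - 4
    return reply


if __name__ == "__main__":
    for field, value in parse_audit_reply(STRACE_BYTES).items():
        print(f"{field:>20}: {value}")
```

A return code of -1 decodes to EPERM, which on the audit socket means the kernel refused the request; for control messages that is normally because the caller lacks CAP_AUDIT_CONTROL.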