Lukas Vrabec: How to enable full auditing in audit daemon?

Full auditing in the audit daemon can be useful, e.g. to identify which object on the system has rules that are too tight and is causing a dac_override SELinux denial. More info in my previous post.

Open the /etc/audit/rules.d/audit.rules file in an editor.

1. Remove the following line if it exists:

-a task,never

2. Add the following line at the end of the file:

-w /etc/shadow -p w

3. Restart the audit daemon:

# service auditd restart

4. Re-run your scenario.

Full auditing is useful when full paths to accessed objects are needed or certain audit event fields, which are normally hidden, should be visible.

The procedure works on Red Hat Enterprise Linux >= 5 and Fedora.

If the /etc/audit/rules.d/audit.rules file does not exist, edit /etc/audit/audit.rules directly. Older versions of audit did not generate /etc/audit/audit.rules from /etc/audit/rules.d/audit.rules.
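Steps 1 and 2 above, together with the fallback to /etc/audit/audit.rules, written as shell functions. This is an added example, not part of the original post; the function names and the optional root-prefix argument are assumptions made for illustration. It keeps a .bak copy of the rules file and does not add the watch rule a second time.

```shell
#!/bin/sh
# Added example: applies the rule-file edits from the steps above.
# Usage (as root), followed by step 3:
#   f="$(pick_rules_file)" && enable_full_auditing "$f" && service auditd restart

# Pick the file to edit: rules.d/audit.rules if it exists, else audit.rules.
# $1 is an optional root prefix (hypothetical parameter, for trying this on a copy).
pick_rules_file() {
    root="${1:-}"
    if [ -f "$root/etc/audit/rules.d/audit.rules" ]; then
        echo "$root/etc/audit/rules.d/audit.rules"
    else
        echo "$root/etc/audit/audit.rules"
    fi
}

# Step 1: drop "-a task,never". Step 2: append the watch rule if it is missing.
enable_full_auditing() {
    rules="$1"
    watch='-w /etc/shadow -p w'
    [ -f "$rules" ] || { echo "no rules file: $rules" >&2; return 1; }
    cp -p "$rules" "$rules.bak" || return 1
    tmp="$(mktemp)" || return 1
    # Match the line regardless of surrounding whitespace.
    # grep exits 1 when every line was filtered out; only exit 2 is an error.
    grep -Ev '^[[:space:]]*-a[[:space:]]+task,never[[:space:]]*$' \
        "$rules.bak" > "$tmp" || [ $? -eq 1 ] || return 1
    # -e is needed because the rule itself starts with a dash.
    grep -Fxq -e "$watch" "$tmp" || printf '%s\n' "$watch" >> "$tmp"
    # Write through the existing file so owner, mode and SELinux label are kept.
    cat "$tmp" > "$rules"
    rm -f "$tmp"
}
```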

 

Thanks Milos Malik for this article.

The post How to enable full auditing in audit daemon? appeared first on Lukas Vrabec.


Source From: fedoraplanet.org.