dom kris
Frequent Advisor

no audit entries

Hi,

on one of our Tru64 systems I have activated auditing. (only auditing, no Enh. Sec).
Today I saw that the "/etc/svc.conf" file was changed. I checked the audit log file using audit conf to see what or who did it but I could not find any entry.
Auditmask on the "/etc/svc.conf" file:
    auditmask -q /etc/svc.conf
    selection: on deselection: off -- /etc/svc.conf
so, any modification should show up in the audit trail (or am I wrong)?

I think that the modification done in that file was with 'vi' and a line was put in comment.

Any help much appreciated

Kd
Ann Majeske
Honored Contributor

Re: no audit entries

The audit log is only dumped periodically. If this was something that happened very recently, try forcing the auditd to dump its current buffers to the audit log and look again.
# auditd -d

If it was something that happened a long time ago, maybe you're not checking far enough back. Or if it was very long ago, maybe the audit log containing the information has already been deleted from your system. Check to see if you're purging the audit logs periodically. This would show up in the root crontab.

Ann
Victor Semaska
Frequent Advisor

Re: no audit entries

Consider adding the -d option to the auditd entry in /etc/rc.config so the daemon will flush its buffers on a regular basis. For example, '-d 15m' will flush the buffers every 15 minutes. In /etc/rc.config look for AUDITD_FLAG.

Vic
dom kris
Frequent Advisor

Re: no audit entries

I always query the audit log using audit -qd.
We have a system like Tripwire so when a change is made to a system file I get notified within 5 minutes.
I got a notification that the "/etc/svc.conf" file was changed so I looked into the audit log and to my surprise I couldn't find any entry that mentioned that change. I looked with i-node, string search, etc ... but there was no entry.

Very strange, I hope there is no way to bypass auditing that I overlooked.
Ann Majeske
Honored Contributor

Re: no audit entries

You also have to have the event that you want audited in your auditmask. For example, if you want to audit opens only on selected files you have to have all of the following set up:
1) You have to have the object selection audit style flag set. You can check this by using the auditmask command with no parameters. At the bottom of the output it shows the audit style flags that you have set. obj_sel should be one of these flags.
2) You have to include the open syscall in your audit mask. Use the auditmask command with no parameters and check to see that the open command is listed with the appropriate combination of succeed/fail.
3) You have to have audit selection enabled on the files. As you pointed out, you check this with the auditmask -q command.

Once you have all of this set up, you should be able to see any opens of that file in the audit log, but not opens of other files.

Ann
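A way to turn Ann's three preconditions into a repeatable check, as an added example that is not from the thread or from Tru64 itself: the script takes the text of `auditmask` (no parameters) and of `auditmask -q <file>` and reports which precondition is missing. The `auditmask` output format in the samples is constructed from Ann's description (events listed with succeed/fail, audit style flags at the bottom) and is an assumption; adjust the grep patterns to what your release actually prints.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the three preconditions Ann lists
# for seeing opens of a file in the Tru64 audit trail:
#   1) the obj_sel audit style flag is set,
#   2) the open syscall is in the audit mask (at least for successful calls),
#   3) audit selection is on for the file itself (auditmask -q <file>).
# The command output below is CONSTRUCTED from Ann's description of what
# `auditmask` prints; the real format on your release may differ, so adjust
# the grep patterns to match it.

# Constructed sample of `auditmask` (no parameters) with everything in place.
GOOD_MASK='audit events:
open                succeed fail
close               succeed fail
unlink              succeed fail
audit style flags: exec_argp login_uname rec_ugname obj_sel'

# Constructed sample where open is absent and obj_sel is not set.
BAD_MASK='audit events:
close               succeed fail
unlink              succeed fail
audit style flags: exec_argp login_uname rec_ugname'

# `auditmask -q /etc/svc.conf` output as quoted in the original post,
# and a constructed variant with selection turned off.
GOOD_FILEMASK='selection: on deselection: off -- /etc/svc.conf'
OFF_FILEMASK='selection: off deselection: off -- /etc/svc.conf'

# check_obj_sel MASK_TEXT: 0 if obj_sel appears as a whole word in the output.
check_obj_sel() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])obj_sel([[:space:]]|$)'
}

# check_open_event MASK_TEXT: 0 if a line for the open syscall records
# successful calls (editing a file with vi is a successful open for write).
check_open_event() {
    printf '%s\n' "$1" | grep -Eq '^open[[:space:]]+.*succeed'
}

# check_file_selected FILEMASK_TEXT PATH: 0 if `auditmask -q PATH` reports
# selection on for that exact path.
check_file_selected() {
    printf '%s\n' "$1" | grep -F -- "-- $2" | grep -q '^selection: on'
}

# audit_preconditions MASK_TEXT FILEMASK_TEXT PATH
# Prints each missing precondition; returns 0 only when all three hold.
audit_preconditions() {
    mask=$1; filemask=$2; path=$3; rc=0
    check_obj_sel "$mask" || { echo "missing: obj_sel audit style flag"; rc=1; }
    check_open_event "$mask" || { echo "missing: open syscall (succeed) in audit mask"; rc=1; }
    check_file_selected "$filemask" "$path" || { echo "missing: selection on for $path"; rc=1; }
    return $rc
}

# Demo on the constructed samples.
audit_preconditions "$GOOD_MASK" "$GOOD_FILEMASK" /etc/svc.conf && echo "ok: opens of /etc/svc.conf should appear in the audit log"
audit_preconditions "$BAD_MASK" "$GOOD_FILEMASK" /etc/svc.conf || echo "not ok: fix the items above, then flush with auditd -d and look again"
```

On a live system, feed the functions the real command output (for example `audit_preconditions "$(auditmask)" "$(auditmask -q /etc/svc.conf)" /etc/svc.conf`). Even when all three checks pass, remember the earlier point in the thread: the daemon only writes its buffers to the log periodically, so flush with `auditd -d` (or set `-d 15m` in AUDITD_FLAG) before concluding that an event was not recorded.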