How to install auditd on CentOS?
The directory is called /var/log/audit/, not /var/log/auditd/.
If it is missing, someone deleted that directory; run sudo yum reinstall audit to recreate it.
audit is installed by default and running; anyway, run sudo service auditd start.

Note: "I want to log all commands run by admins on production servers": auditd won't always help you with that; it can't log everything, especially when logs are stored on the same machine.
Luka Tce
Updated on September 18, 2022

Comments
-
Luka Tce, almost 2 years ago:
How to install auditd on CentOS 6.4 x64? I want to log all commands run by admins on production servers.

Edit: I can't run the auditd service.
I did it with this tutorial: enter link description here

sudo yum install audit
sudo chkconfig auditd on

Added these 2 lines to /etc/audit/audit.rules:

-a exit,always -F arch=b64 -F euid=0 -S execve
-a exit,always -F arch=b32 -F euid=0 -S execve

I ran some commands and there is no auditd directory for logs in /var/log/.
Now auditd doesn't work; I can't get the service running. In the messages log I get this:

Sep 7 18:05:40 vesoljedomen auditd[6777]: Started dispatcher: /sbin/audispd pid: 6779
Sep 7 18:05:40 vesoljedomen audispd: No plugins found, exiting
Sep 7 18:05:40 vesoljedomen auditd[6777]: Unable to set audit pid, exiting
Sep 7 18:05:40 vesoljedomen auditd: Cannot daemonize (Success)
Sep 7 18:05:40 vesoljedomen auditd: The audit daemon is exiting.
Sep 7 18:05:40 vesoljedomen auditd[6777]: The audit daemon is exiting.
Sep 7 18:05:47 vesoljedomen auditd[6791]: Started dispatcher: /sbin/audispd pid: 6793
Sep 7 18:05:47 vesoljedomen audispd: No plugins found, exiting
Sep 7 18:05:47 vesoljedomen auditd[6791]: Unable to set audit pid, exiting
Sep 7 18:05:47 vesoljedomen auditd: Cannot daemonize (Success)
Sep 7 18:05:47 vesoljedomen auditd: The audit daemon is exiting.
Sep 7 18:05:47 vesoljedomen auditd[6791]: The audit daemon is exiting.
Sep 7 18:06:01 vesoljedomen auditd[6924]: Started dispatcher: /sbin/audispd pid: 6926
Sep 7 18:06:01 vesoljedomen audispd: No plugins found, exiting
Sep 7 18:06:01 vesoljedomen auditd[6924]: Unable to set audit pid, exiting
Sep 7 18:06:01 vesoljedomen auditd: Cannot daemonize (Success)
Sep 7 18:06:01 vesoljedomen auditd: The audit daemon is exiting.
Sep 7 18:06:01 vesoljedomen auditd[6924]: The audit daemon is exiting.

-bash-4.1#
-bash-4.1# chkconfig --list | grep auditd
-bash: -bash-4.1#: command not found
-bash-4.1# auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Usage: auditd [-f] [-l] [-n] [-s disable|enable|nochange]
-bash-4.1#
-bash-4.1# service auditd status
-bash: -bash-4.1#: command not found
-bash-4.1# service auditd start
-bash-4.1# auditd is stopped
-
Aaron Copley, almost 11 years ago: Your error is regarding missing plugins. Try yum install audispd-plugins? Also, FYI, you can chkconfig --list auditd without the additional grep.
-
Aaron Copley, almost 11 years ago: Also, clean up that command output you pasted in there. All those "command not found" errors are from a bad copy/paste and are not helpful to the question.
-
Luka Tce, almost 11 years ago: I did yum install audispd-plugins, and in auditd.log I get this:

type=DAEMON_START msg=audit(1378829674.173:6406): auditd start, ver=2.2 format=raw kernel=2.6.32-042stab078.26 auid=0 pid=1137 res=success
type=DAEMON_ABORT msg=audit(1378829674.176:6407): auditd error halt, auid=0 pid=1137 res=failed
type=DAEMON_START msg=audit(1378830201.113:1428): auditd start, ver=2.2 format=raw kernel=2.6.32-042stab078.26 auid=4294967295 pid=697 res=success
-
Luka Tce, almost 11 years ago: Any idea? There is no auditd at that pid.
-
Luka Tce, almost 11 years ago: It created the directory now; it seems it needs some time. Sorry, it was a typo. Is there any way to log all commands run by admins that logs the commands, time, IP, user ID, and also what was executed after the commands? Similar to .bash_history, but also logging IP, time and user ID.
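As an added example (not code from this thread), here is how the raw records produced by the two execve rules in the question can be turned into the commands, time, user ID and source IP asked for in the comment above: auid= is the login uid and survives su/sudo (the same record shows uid=0/euid=0), and the IP comes from the session's USER_LOGIN record joined on ses=. The sample records, uids and addresses are constructed for the example; on a live system ausearch -i performs the same join.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample (not real logs) of what the two execve rules from the
# question emit, plus the sshd USER_LOGIN record that carries the source IP:
# an admin logged in as uid 500 and ran commands as root through sudo.
SAMPLE = """\
type=USER_LOGIN msg=audit(1378829600.000:6400): user pid=1100 uid=0 auid=500 ses=3 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1378829674.173:6408): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1200 pid=1240 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key=(null)
type=EXECVE msg=audit(1378829674.173:6408): argc=2 a0="cat" a1="/etc/shadow"
type=EXECVE msg=audit(1378829680.501:6412): argc=3 a0="service" a1="auditd" a2="restart"
type=SYSCALL msg=audit(1378829680.501:6412): arch=c000003e syscall=59 success=yes exit=0 a0=5 a1=6 a2=7 a3=8 items=2 ppid=1200 pid=1251 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="service" exe="/sbin/service" key=(null)
"""
FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")
MSG = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")

def parse_record(line):
    """One raw record -> {field: value}; a nested msg='k=v ...' block is
    flattened and quotes are stripped (plain, non-hex-encoded args assumed)."""
    rec = {}
    for key, val in FIELD.findall(line):
        if val.startswith("'"):
            rec.update({k: v.strip('"') for k, v in FIELD.findall(val[1:-1])})
        else:
            rec[key] = val.strip('"')
    ts, serial = MSG.search(line).groups()
    rec["_ts"], rec["_serial"] = int(ts), serial
    return rec

def command_events(raw):
    """Join SYSCALL+EXECVE records on the event serial, then attach the source
    address of the login session (ses=) taken from the USER_LOGIN record."""
    events, login_addr = defaultdict(dict), {}
    for line in raw.splitlines():
        rec = parse_record(line)
        if rec["type"] == "USER_LOGIN" and rec.get("res") == "success":
            login_addr[rec["ses"]] = rec.get("addr", "?")
        elif rec["type"] == "EXECVE":   # argv lives only in the EXECVE record
            events[rec["_serial"]]["argv"] = [rec[f"a{i}"] for i in range(int(rec["argc"]))]
        elif rec["type"] == "SYSCALL":  # auid/euid, tty and session live here
            events[rec["_serial"]].update(rec)
    rows = []
    for ev in sorted(events.values(), key=lambda e: e.get("_ts", 0)):
        if "argv" not in ev or "auid" not in ev:
            continue                    # half an event (e.g. cut by log rotation)
        when = datetime.fromtimestamp(ev["_ts"], tz=timezone.utc)
        rows.append({"time": when.strftime("%Y-%m-%dT%H:%M:%SZ"), "auid": ev["auid"],
                     "euid": ev["euid"], "tty": ev["tty"],
                     "addr": login_addr.get(ev["ses"], "?"), "argv": ev["argv"]})
    return rows
```

The caveat from the thread still applies: this only covers what execve records capture, and it is only trustworthy when the records leave the host.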
-
GioMac, almost 11 years ago: A user may run mc, use scripting or other methods. You can patch bash to log everything, etc. Still, it doesn't make sense if everything is logged on the same host.
-
Luka Tce, almost 11 years ago: How to patch it? Can't this just be done by copying /root/.bash_history, and that of every root user, to one location and sorting it somehow by name and IP of the server?
-
GioMac, almost 11 years ago: Hardening and auditing is a long and complex story. Again, .bash_history won't show you everything.
-
Luka Tce, almost 11 years ago: I can't get auditd to run as a service.
-
GioMac, almost 11 years ago: @LukaTce rpm -Va "audit*"