How to install auditd on CentOS?


Directory is called /var/log/audit/ not /var/log/auditd/

If missing, then someone deleted that directory, run sudo yum reinstall audit to recreate it.

audit is installed and running by default; anyway, run sudo service auditd start

Note:

I want to log all commands run by admins on production servers

auditd won't always help you with that; it can't log everything, especially when the logs are stored on the same machine.
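The answer points at /var/log/audit/audit.log, and the question's two rules (-F euid=0 -S execve for arch=b64 and arch=b32) make the kernel write a SYSCALL record plus an EXECVE record for every program started with effective uid 0. The script below is an added example, not code from the page or from the audit project: it parses records in auditd's raw format, correlates them by the event serial in msg=audit(seconds.millis:serial), decodes hex-encoded EXECVE arguments, and prints who ran what and when. The sample records are constructed for the example; the field layout is the real one. The key detail for the "log admin commands" goal is auid: after sudo the euid is 0, but auid keeps the login uid of the admin who typed the command.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in auditd's raw format (not taken from the page).
# 6410: uid 1000 ran "cat /etc/shadow" via sudo -> auid stays 1000, euid is 0.
# 6411: a direct root login (auid=0) created a user.
# 6412: a 32-bit execve (arch=40000003, syscall 11) whose argument contains a
#       space, which auditd hex-encodes instead of quoting ("echo hello").
# 6406: a DAEMON_START record, which the parser must ignore.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1378829674.173:6410): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b a1=1a3c a2=1a4d a3=0 items=2 ppid=1200 pid=1240 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="root_cmds"
type=EXECVE msg=audit(1378829674.173:6410): argc=2 a0="cat" a1="/etc/shadow"
type=CWD msg=audit(1378829674.173:6410):  cwd="/home/alice"
type=SYSCALL msg=audit(1378829690.501:6411): arch=c000003e syscall=59 success=yes exit=0 a0=2a2b a1=2a3c a2=2a4d a3=0 items=2 ppid=1300 pid=1350 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="useradd" exe="/usr/sbin/useradd" key="root_cmds"
type=EXECVE msg=audit(1378829690.501:6411): argc=3 a0="useradd" a1="-m" a2="backup"
type=CWD msg=audit(1378829690.501:6411):  cwd="/root"
type=SYSCALL msg=audit(1378829701.009:6412): arch=40000003 syscall=11 success=yes exit=0 a0=3a2b a1=3a3c a2=3a4d a3=0 items=2 ppid=1400 pid=1410 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="sh" exe="/bin/sh" key="root_cmds"
type=EXECVE msg=audit(1378829701.009:6412): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F
type=DAEMON_START msg=audit(1378829674.173:6406): auditd start, ver=2.2 format=raw kernel=2.6.32-042stab078.26 auid=0 pid=1137 res=success
"""

# type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <key=value ...>
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# execve's syscall number depends on which arch the rule matched (b64 vs b32)
EXECVE_SYSCALL = {"c000003e": "59", "40000003": "11"}


def parse_record(line):
    """Split one raw record into (type, utc timestamp, serial, raw field dict)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, millis, serial, body = m.groups()
    ts = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    ts = ts.replace(microsecond=int(millis) * 1000)
    return rtype, ts, int(serial), dict(FIELD_RE.findall(body))


def unquote(raw):
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw


def decode_arg(raw):
    """EXECVE args are quoted when printable; otherwise auditd hex-encodes them."""
    if raw.startswith('"'):
        return unquote(raw)
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:
        return raw


def reconstruct_commands(log_text):
    """Join SYSCALL/EXECVE/CWD records of each execve event into one dict."""
    events = defaultdict(lambda: {"argv": {}})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, f = rec
        ev = events[serial]
        if rtype == "SYSCALL" and EXECVE_SYSCALL.get(f.get("arch")) == f.get("syscall"):
            ev.update(time=ts.isoformat(timespec="milliseconds"),
                      auid=f["auid"], uid=f["uid"], euid=f["euid"], pid=f["pid"],
                      tty=f.get("tty", "?"), ses=f.get("ses", "?"),
                      exe=unquote(f.get("exe", "")), success=f.get("success") == "yes")
        elif rtype == "EXECVE":
            # a0, a1, ... carry argv; argc is the only other field
            for k, v in f.items():
                if k[0] == "a" and k[1:].isdigit():
                    ev["argv"][int(k[1:])] = decode_arg(v)
        elif rtype == "CWD":
            ev["cwd"] = unquote(f.get("cwd", ""))
    out = []
    for serial in sorted(events):
        ev = events[serial]
        if "auid" not in ev:          # no matching execve SYSCALL record: skip
            continue
        ev["argv"] = [ev["argv"][i] for i in sorted(ev["argv"])]
        ev["serial"] = serial
        out.append(ev)
    return out


def format_event(ev):
    who = f"auid={ev['auid']} uid={ev['uid']} euid={ev['euid']}"
    where = f"tty={ev['tty']} ses={ev['ses']} cwd={ev.get('cwd', '?')}"
    return f"{ev['time']} {who} {where}: " + " ".join(ev["argv"])


if __name__ == "__main__":
    for ev in reconstruct_commands(SAMPLE_LOG):
        print(format_event(ev))
```

On a real CentOS box the stock tools do this correlation for you (ausearch -sc execve, aureport -x); the value of reading the raw records is seeing that auid, not uid/euid, is the field that names the admin. The answer's caveat still stands: a root user can edit or delete /var/log/audit/audit.log, so the events only become trustworthy once they leave the host, for example through the audisp-remote or syslog plugin from the audispd-plugins package mentioned in the comments, sent to a machine the audited admins cannot write to.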

Author: Luka Tce

Updated on September 18, 2022

Comments

  • Luka Tce
    Luka Tce almost 2 years

    How to install auditd on CentOS 6.4 x64? I want to log all commands run by admins on production servers. Edit: I can't run the auditd service.

    I did it with this tutorial: enter link description here

    sudo yum install audit
    sudo chkconfig auditd on
    

    Added these 2 lines to /etc/audit/audit.rules:

    # log every execve() made with effective uid 0, for 64-bit and 32-bit binaries
    -a exit,always -F arch=b64 -F euid=0 -S execve
    -a exit,always -F arch=b32 -F euid=0 -S execve
    

    I ran some commands and there is no auditd directory for logs in /var/log/

    Now auditd doesn't work; I can't get the service running. In the messages log I get this:

    Sep  7 18:05:40 vesoljedomen auditd[6777]: Started dispatcher: /sbin/audispd pid: 6779
    Sep  7 18:05:40 vesoljedomen audispd: No plugins found, exiting
    Sep  7 18:05:40 vesoljedomen auditd[6777]: Unable to set audit pid, exiting
    Sep  7 18:05:40 vesoljedomen auditd: Cannot daemonize (Success)
    Sep  7 18:05:40 vesoljedomen auditd: The audit daemon is exiting.
    Sep  7 18:05:40 vesoljedomen auditd[6777]: The audit daemon is exiting.
    Sep  7 18:05:47 vesoljedomen auditd[6791]: Started dispatcher: /sbin/audispd pid: 6793
    Sep  7 18:05:47 vesoljedomen audispd: No plugins found, exiting
    Sep  7 18:05:47 vesoljedomen auditd[6791]: Unable to set audit pid, exiting
    Sep  7 18:05:47 vesoljedomen auditd: Cannot daemonize (Success)
    Sep  7 18:05:47 vesoljedomen auditd: The audit daemon is exiting.
    Sep  7 18:05:47 vesoljedomen auditd[6791]: The audit daemon is exiting.
    Sep  7 18:06:01 vesoljedomen auditd[6924]: Started dispatcher: /sbin/audispd pid: 6926
    Sep  7 18:06:01 vesoljedomen audispd: No plugins found, exiting
    Sep  7 18:06:01 vesoljedomen auditd[6924]: Unable to set audit pid, exiting
    Sep  7 18:06:01 vesoljedomen auditd: Cannot daemonize (Success)
    Sep  7 18:06:01 vesoljedomen auditd: The audit daemon is exiting.
    Sep  7 18:06:01 vesoljedomen auditd[6924]: The audit daemon is exiting.
    
    
    -bash-4.1# -bash-4.1# chkconfig --list | grep auditd
    -bash: -bash-4.1#: command not found
    -bash-4.1# auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
    Usage: auditd [-f] [-l] [-n] [-s disable|enable|nochange]
    -bash-4.1# -bash-4.1# service auditd status
    -bash: -bash-4.1#: command not found
    -bash-4.1# service auditd start
    -bash-4.1# auditd is stopped
    
    • Aaron Copley
      Aaron Copley almost 11 years
      Your error is regarding missing plugins. Try yum install audispd-plugins? Also, FYI, you can chkconfig --list auditd without the additional grep.
    • Aaron Copley
      Aaron Copley almost 11 years
      Also, clean-up that command output you pasted in there. All those command not found errors are from a bad copy/paste and not helpful to the question.
    • Luka Tce
      Luka Tce almost 11 years
      I did yum install audispd-plugins and in auditd.log I get this:

          type=DAEMON_START msg=audit(1378829674.173:6406): auditd start, ver=2.2 format=raw kernel=2.6.32-042stab078.26 auid=0 pid=1137 res=success
          type=DAEMON_ABORT msg=audit(1378829674.176:6407): auditd error halt, auid=0 pid=1137 res=failed
          type=DAEMON_START msg=audit(1378830201.113:1428): auditd start, ver=2.2 format=raw kernel=2.6.32-042stab078.26 auid=4294967295 pid=697 res=success
    • Luka Tce
      Luka Tce almost 11 years
      Any idea? There is no auditd at that pid.
  • Luka Tce
    Luka Tce almost 11 years
    It created the directory now; it seems it needed some time. Sorry, it was a typo. Is there any way to log all commands run by admins that logs the commands, time, IP, user id, and also what was executed after the commands? Similar to .bash_history, but also logging IP, time and user id.
  • GioMac
    GioMac almost 11 years
    A user may run mc, use scripting or other methods. You can patch bash to log everything, etc. Still, it doesn't make sense if everything is logged on the same host.
  • Luka Tce
    Luka Tce almost 11 years
    How to patch it? Can't this just be done by copying /root/.bash_history and that of every root user to one location, and sorting somehow by name and IP of the server?
  • GioMac
    GioMac almost 11 years
    Hardening and auditing is a long and complex story. Again, .bash_history won't show you everything.
  • Luka Tce
    Luka Tce almost 11 years
    I can't get auditd to run as a service.
  • GioMac
    GioMac almost 11 years
    @LukaTce rpm -Va "audit*"