
How to install auditd on CentOS 6.4 x64? I want to Log all commands run by admins on production servers. Edit: I can't run the auditd service.

I did it with this tutorial: enter link description here

sudo yum install audit
sudo chkconfig auditd on

Added these 2 lines to /etc/audit/audit.rules

-a exit,always -F arch=b64 -F euid=0 -S execve
-a exit,always -F arch=b32 -F euid=0 -S execve

I ran some commands and there is no auditd directory for the log in /var/log/.

Now auditd doesn't work; I can't get the service running. In the messages log I get this:

Sep  7 18:05:40 vesoljedomen auditd[6777]: Started dispatcher: /sbin/audispd pid: 6779
Sep  7 18:05:40 vesoljedomen audispd: No plugins found, exiting
Sep  7 18:05:40 vesoljedomen auditd[6777]: Unable to set audit pid, exiting
Sep  7 18:05:40 vesoljedomen auditd: Cannot daemonize (Success)
Sep  7 18:05:40 vesoljedomen auditd: The audit daemon is exiting.
Sep  7 18:05:40 vesoljedomen auditd[6777]: The audit daemon is exiting.
Sep  7 18:05:47 vesoljedomen auditd[6791]: Started dispatcher: /sbin/audispd pid: 6793
Sep  7 18:05:47 vesoljedomen audispd: No plugins found, exiting
Sep  7 18:05:47 vesoljedomen auditd[6791]: Unable to set audit pid, exiting
Sep  7 18:05:47 vesoljedomen auditd: Cannot daemonize (Success)
Sep  7 18:05:47 vesoljedomen auditd: The audit daemon is exiting.
Sep  7 18:05:47 vesoljedomen auditd[6791]: The audit daemon is exiting.
Sep  7 18:06:01 vesoljedomen auditd[6924]: Started dispatcher: /sbin/audispd pid: 6926
Sep  7 18:06:01 vesoljedomen audispd: No plugins found, exiting
Sep  7 18:06:01 vesoljedomen auditd[6924]: Unable to set audit pid, exiting
Sep  7 18:06:01 vesoljedomen auditd: Cannot daemonize (Success)
Sep  7 18:06:01 vesoljedomen auditd: The audit daemon is exiting.
Sep  7 18:06:01 vesoljedomen auditd[6924]: The audit daemon is exiting.
-bash-4.1# -bash-4.1# chkconfig --list | grep auditd
-bash: -bash-4.1#: command not found
-bash-4.1# auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
Usage: auditd [-f] [-l] [-n] [-s disable|enable|nochange]
-bash-4.1# -bash-4.1# service auditd status
-bash: -bash-4.1#: command not found
-bash-4.1# service auditd start
-bash-4.1# auditd is stopped
Luka Tce
  • Your error is regarding missing plugins. Try `yum install audispd-plugins`? Also, FYI, you can `chkconfig --list auditd` without the additional `grep`. – Aaron Copley Sep 10 '13 at 16:46
  • Also, clean up that command output you pasted in there. All those command not found errors are from a bad copy/paste and not helpful to the question. – Aaron Copley Sep 10 '13 at 16:53
  • I did `yum install audispd-plugins` and in auditd.log I get this: type=DAEMON_START msg=audit(1378829674.173:6406): auditd start, ver=2.2 format=raw kernel=2.6.32-042stab078.26 auid=0 pid=1137 res=success type=DAEMON_ABORT msg=audit(1378829674.176:6407): auditd error halt, auid=0 pid=1137 res=failed type=DAEMON_START msg=audit(1378830201.113:1428): auditd start, ver=2.2 format=raw kernel=2.6.32-042stab078.26 auid=4294967295 pid=697 res=success – Luka Tce Sep 10 '13 at 17:10
  • Any idea? There is no auditd at pid – Luka Tce Sep 21 '13 at 16:34

1 Answer

The directory is called /var/log/audit/, not /var/log/auditd/.

If it is missing, then someone deleted that directory; run sudo yum reinstall audit to recreate it.

audit is installed by default and running; anyway, run sudo service auditd start.

Note:

I want to Log all commands run by admins on production servers

auditd won't always help you with that; it can't log everything, especially when logs are stored on the same machine.

GioMac
  • It created the directory now; it seems it needs some time. Sorry, it was a typo. Is there any way to log all commands run by admins that logs commands, time, IP, user ID, and also what executed after the commands? Similar to .bash_history, but it also logs IP, time, user ID – Luka Tce Sep 07 '13 at 22:47
  • The user may run `mc`, use scripting or other methods. You can patch bash to log everything, etc. Still, it doesn't make sense if everything is logged on the same host. – GioMac Sep 07 '13 at 22:54
  • How to patch it? Can't this just be done by copying /root/.bash_history, and that of every root user, to one location, and sorting it somehow by name and IP of the server? – Luka Tce Sep 08 '13 at 11:54
  • Hardening and auditing is a long and complex story. Again, .bash_history won't show you everything. – GioMac Sep 08 '13 at 12:04
  • I can't get auditd to run as a service. – Luka Tce Sep 20 '13 at 19:04
  • @LukaTce `rpm -Va "audit*"` – GioMac Sep 21 '13 at 08:54
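The two execve rules in the question (`-F arch=b64/b32 -F euid=0 -S execve`) make the kernel write a SYSCALL record plus an EXECVE record for every program started with effective uid 0, and the asker's follow-up comment wants those turned into "who ran what, and when". The script below is an added example, not code from the question, the answer or the audit package: it parses raw audit records, pairs each SYSCALL with its EXECVE by event id, and also detects the DAEMON_START/DAEMON_ABORT pattern the asker quoted. The two DAEMON_* lines in the sample are copied from the comment above; the SYSCALL/EXECVE lines and the rule key `admin-cmds` are constructed for this example (the question's rules have no `-k`), and the uid/tty values are invented.

```python
import re
from collections import defaultdict

# Constructed sample log. The DAEMON_* records are the ones quoted in the
# question's comment; the SYSCALL/EXECVE pairs are constructed to look like
# what an euid=0 execve rule writes to /var/log/audit/audit.log (raw format).
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1378829674.173:6406): auditd start, ver=2.2 format=raw kernel=2.6.32-042stab078.26 auid=0 pid=1137 res=success
type=DAEMON_ABORT msg=audit(1378829674.176:6407): auditd error halt, auid=0 pid=1137 res=failed
type=SYSCALL msg=audit(1378830250.500:1500): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b3c a1=1a2b40 a2=1a2b50 a3=7fff items=2 ppid=900 pid=1201 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="admin-cmds"
type=EXECVE msg=audit(1378830250.500:1500): argc=2 a0="cat" a1="/etc/audit/audit.rules"
type=SYSCALL msg=audit(1378830251.100:1501): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=900 pid=1202 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="service" exe="/sbin/service" key="admin-cmds"
type=EXECVE msg=audit(1378830251.100:1501): argc=3 a0="service" a1="auditd" a2="stop"
type=SYSCALL msg=audit(1378830252.000:1502): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=900 pid=1203 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="echo" exe="/bin/echo" key="admin-cmds"
type=EXECVE msg=audit(1378830252.000:1502): argc=2 a0="echo" a1=68656C6C6F20776F726C64
"""

# Every raw record starts with: type=<TYPE> msg=audit(<epoch.millis>:<serial>):
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
# key=value tokens: the value is a double-quoted string or a run of non-space chars
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one raw audit record into type, timestamp, serial and its key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return {'type': m.group('type'),
            'ts': float(m.group('ts')),
            'serial': int(m.group('serial')),
            'fields': dict(KV_RE.findall(m.group('rest')))}


def decode_arg(raw):
    """Quoted values are printable strings; the kernel hex-encodes values that
    contain spaces or control characters (common in EXECVE argv). Handle both."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    except ValueError:
        return raw


def reconstruct_commands(log_text):
    """Pair each SYSCALL record with the EXECVE record that shares its event id
    (timestamp:serial) and return one dict per command: the login user (auid),
    effective ids, tty, executable and the full argv."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[(rec['ts'], rec['serial'])][rec['type']] = rec
    commands = []
    for ts, serial in sorted(events):
        sc = events[(ts, serial)].get('SYSCALL')
        ex = events[(ts, serial)].get('EXECVE')
        if not (sc and ex):
            continue  # a lone record (e.g. DAEMON_*) is not a command
        argc = int(ex['fields'].get('argc', '0'))
        argv = [decode_arg(ex['fields'].get('a%d' % i, '')) for i in range(argc)]
        commands.append({'time': ts, 'serial': serial,
                         'auid': sc['fields'].get('auid'),
                         'uid': sc['fields'].get('uid'),
                         'euid': sc['fields'].get('euid'),
                         'tty': sc['fields'].get('tty'),
                         'exe': decode_arg(sc['fields'].get('exe', '')),
                         'argv': argv,
                         'key': decode_arg(sc['fields'].get('key', ''))})
    return commands


def daemon_aborted(log_text):
    """True when a DAEMON_START is immediately followed by DAEMON_ABORT, which is
    the start/halt pattern the asker saw while auditd refused to stay up."""
    types = [r['type'] for r in map(parse_record, log_text.splitlines()) if r]
    return any(a == 'DAEMON_START' and b == 'DAEMON_ABORT'
               for a, b in zip(types, types[1:]))


if __name__ == '__main__':
    if daemon_aborted(SAMPLE_LOG):
        print('auditd aborted right after starting; check /var/log/messages')
    for c in reconstruct_commands(SAMPLE_LOG):
        print('%.3f auid=%s euid=%s tty=%s %s' % (
            c['time'], c['auid'], c['euid'], c['tty'], ' '.join(c['argv'])))
```

Note that `auid` (the audit/login uid) survives `su` and `sudo`, so it answers "which admin" even though `uid`/`euid` are 0 for every line the rule catches; the answer's caveat still stands, because a root user can also stop the daemon or edit the log on the same host, so ship the records off-box if they are to be trusted.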