barish, posted June 28, 2022 (edited June 28, 2022 by barish):

I am not sure if this is board specific, so I post it here and hope that you might be willing to try this on your board:

- I installed audit: apt install auditd
- I set up a rule for a file audit should watch: auditctl -w /boot/armbianEnv.txt -p wa
- I change or touch the file being watched: touch /boot/armbianEnv.txt
- I have a look at the log of audit: cat /var/log/audit/audit.log

And then ––– I see nothing... Any hints what's going wrong? My guess is that the kernel might be lacking the audit module?!

Werner, posted June 28, 2022:

I assume the auditd would notice lacking kernel module rather than doing nothing. Did you check dmesg, syslog or kern.log?

barish (author), posted June 28, 2022:

Found this in /var/log/kern.log :

Jun 28 09:14:51 localhost kernel: [ 0.026499] audit: initializing netlink subsys (disabled)
Jun 28 09:14:51 localhost kernel: [ 0.026793] audit: type=2000 audit(0.024:1): state=initialized audit_enabled=0 res=1

And I tried auditd on another board of mine (Olinuxino micro) also running Buster, where it is working fine. So either it is a board topic or it's a stupid user topic... 😕

Werner, posted June 28, 2022:

audit seems enabled in mvebu64 current: https://github.com/armbian/build/blob/master/config/kernel/linux-mvebu64-current.config

So hard to tell...

Edit: is SELINUX enabled? Seems like this or similar is necessary to make use of audit:

Quote: "Enable auditing infrastructure that can be used with another kernel subsystem, such as SELinux (which requires this for logging of avc messages output). System call auditing is included on architectures which support it."

barish (author), posted June 29, 2022:

Thanks @Werner, as I understand it, audit is a component of SELinux, but can be activated standalone, too. I don't know how to troubleshoot this, all output (systemctl status auditd) is identical to a working auditd on the other board, just the log file stays empty.

For the record, I am running Armbian 21.02.3 Espressobin Debian buster current, kernel is 5.10.21-mvebu64.
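
Added example, not part of any post in this thread: a small checker for the situation described above (a watch on /boot/armbianEnv.txt, an empty audit.log, and a kernel line showing audit_enabled=0). It reads the text printed by `auditctl -s` and `auditctl -l` plus kern.log lines; the sample inputs are constructed, and the "key value" layout of `auditctl -s` is an assumption about the installed audit version.

```python
import re

# Constructed sample inputs (not captured from the poster's board).
SAMPLE_STATUS = """enabled 0
failure 1
pid 0
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
"""
SAMPLE_RULES = "-w /boot/armbianEnv.txt -p wa\n"
SAMPLE_KERN = ("Jun 28 09:14:51 localhost kernel: [ 0.026793] audit: type=2000 "
               "audit(0.024:1): state=initialized audit_enabled=0 res=1")


def parse_status(text):
    """Turn `auditctl -s` 'key value' lines into a dict of ints."""
    fields = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*(\w+)\s+(-?\d+)\s*", line)
        if m:  # lines with extra words are skipped
            fields[m.group(1)] = int(m.group(2))
    return fields


def boot_audit_enabled(kern_log):
    """Return audit_enabled from the last kernel type=2000 record, or None."""
    hits = re.findall(r"audit: type=2000 .*?\baudit_enabled=(\d+)", kern_log)
    return int(hits[-1]) if hits else None


def diagnose(status_text, rules_text, path, kern_log=""):
    """List reasons a watch on `path` would produce no audit.log records."""
    st, findings = parse_status(status_text), []
    if st.get("enabled", 0) == 0:
        findings.append("auditing is disabled at runtime (enabled 0)")
    if st.get("pid", 0) == 0:
        findings.append("no audit daemon is registered with the kernel (pid 0)")
    if st.get("lost", 0) > 0:
        findings.append(f"kernel dropped {st['lost']} records (lost > 0)")
    watches = [l.split() for l in rules_text.splitlines() if l.startswith("-w ")]
    if not any(len(w) > 1 and w[1] == path for w in watches):
        findings.append(f"no watch rule loaded for {path}")
    if boot_audit_enabled(kern_log) == 0:  # boot-time state only, not runtime
        findings.append("kernel booted with audit_enabled=0 (boot-time state only)")
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_STATUS, SAMPLE_RULES, "/boot/armbianEnv.txt", SAMPLE_KERN):
        print("-", f)
```

The boot-time finding is informational: the kernel line records the state at initialization, while the `enabled` field from `auditctl -s` is the value in effect when the watched file is touched.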