
FreeBSD: How do you use auditd for logging when files and folders are opened, read, moved, deleted or modified?

1 vote
1 answer
3407 views
How do you use auditd for logging when files and folders are opened, read, moved, deleted or modified? Looking at the information here, I don't see how to accomplish the task. I'm trying to get a log of folder and file access/modification on a FreeBSD system. File access is via Samba share and I'm logging via SMB, but in some rare instances SMB doesn't log an event (like today when a folder was moved, it wasn't logged, but I moved a folder later and it was logged). Because of that, I'm looking for a more accurate alternative.

**UPDATE**

Here is what is not working with auditd on a FreeNAS 11 FreeBSD system. Check the options the kernel was compiled with (looking for AUDIT):

```
sysctl kern.conftxt | grep AUDIT
options	AUDIT
```
My /etc/security/audit_control:

```
#
# $FreeBSD$
#
dir:/var/audit
dist:off
flags:lo,aa,fr,fw,cl,fa,fc,fd
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
```
My /etc/security/audit_user:

```
#
# $FreeBSD$
#
testuser:lo,aa,fr,fw,cl,fa,fc,fd:no
root:lo:no
```
`service auditd restart && service auditd status` results:

```
Trigger sent.
Starting auditd.
auditd is running as pid 45763.
```
Based on the `man audit_user` pages:

> The flags field sets the system-wide default preselection mask for
> attributable events. In the example above, successful and failed
> login/logout events as well as authentication and authorization are
> audited for all users.

I should at least be getting login/logout logs for testuser and root. And because of:

> Per-user and global audit preselection configuration are evaluated at
> time of login, so users must log out and back in again for audit changes
> relating to preselection to take effect.

I then logged out and back in as testuser via ssh, created some directories and files, and deleted them. I did the same thing via an SMB share and then logged in as root to check the trail. `praudit /var/audit/current` results:

```
header,56,11,audit startup,0,Fri May 24 09:50:23 2019, + 398 msec
text,auditd::Audit startup
return,success,0
trailer,56
```
Checking all available trails with `praudit /var/audit/*`:

```
header,56,11,audit startup,0,Wed May 22 14:41:33 2019, + 781 msec
text,auditd::Audit startup
return,success,0
trailer,56
header,56,11,audit startup,0,Thu May 23 18:44:10 2019, + 766 msec
text,auditd::Audit startup
return,success,0
trailer,56
header,56,11,audit startup,0,Thu May 23 18:54:51 2019, + 31 msec
text,auditd::Audit startup
return,success,0
trailer,56
header,56,11,audit startup,0,Thu May 23 18:55:04 2019, + 451 msec
text,auditd::Audit startup
return,success,0
trailer,56
header,56,11,audit startup,0,Thu May 23 18:55:04 2019, + 451 msec
text,auditd::Audit startup
return,success,0
trailer,56
```
I don't see any logs.
Asked by jtlindsey (333 rep)
May 22, 2019, 10:21 PM
Last activity: Dec 29, 2020, 12:02 AM
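The question's flags line (`fr,fw,cl,fa,fc,fd`) selects the file read/write/close/attribute/create/delete classes, and once those records do land in the trail, `praudit` prints them in the same comma-separated text form as the `audit startup` records above. The following is an added example, not code from the question or from FreeBSD's audit tools: it parses `praudit(1)` default text output, groups tokens into records, and summarises file operations per audit user and outcome, which is the check a defender wants once the trail is no longer empty. Only the first sample record mirrors the `audit startup` record in the post; the `unlink(2)`, `rename(2)` and `open(2) - read` records, the `/mnt/share` paths, the user `testuser` and the address `192.0.2.10` are constructed for illustration, and the parser assumes praudit's default layout (a `header` token through a `trailer` token per record, first `subject` field being the audit user id).

```python
"""Parse praudit(1) default text output and summarise file-related audit records.

Added example: not from the question or from FreeBSD's audit tools. It assumes
praudit's default comma-separated text form, in which each record runs from a
"header" token to a "trailer" token.
"""
import sys
from collections import defaultdict

# Constructed sample. The first record mirrors the "audit startup" record shown
# in the question; the remaining records (unlink/rename/open, the /mnt/share
# paths, user testuser, address 192.0.2.10) are assumed for illustration and
# show what the fd, fc/fw and fr classes from the question's flags line produce.
SAMPLE = """\
header,56,11,audit startup,0,Fri May 24 09:50:23 2019, + 398 msec
text,auditd::Audit startup
return,success,0
trailer,56
header,117,11,unlink(2),0,Fri May 24 10:01:02 2019, + 12 msec
path,/mnt/share/docs/report.txt
subject,testuser,testuser,wheel,testuser,wheel,1234,1234,5678,192.0.2.10
return,success,0
trailer,117
header,140,11,rename(2),0,Fri May 24 10:02:30 2019, + 5 msec
path,/mnt/share/docs/old
path,/mnt/share/docs/new
subject,testuser,testuser,wheel,testuser,wheel,1234,1234,5678,192.0.2.10
return,success,0
trailer,140
header,120,11,open(2) - read,0,Fri May 24 10:03:00 2019, + 7 msec
path,/mnt/share/docs/secret.txt
subject,testuser,testuser,wheel,testuser,wheel,1234,1234,5678,192.0.2.10
return,failure : Permission denied,-1
trailer,120
"""


def parse_praudit(text):
    """Group praudit text lines into records (dicts), one per header..trailer pair."""
    records = []
    current = None
    for line in text.splitlines():
        parts = line.split(",")
        token = parts[0]
        if token == "header":
            # header,<len>,<version>,<event name>,<modifier>,<timestamp>, + <msec> msec
            current = {"event": parts[3], "time": parts[5].strip(),
                       "paths": [], "auid": None, "outcome": None}
        elif current is None:
            continue  # stray token outside a record; ignore it
        elif token == "path":
            current["paths"].append(",".join(parts[1:]))  # a path may contain commas
        elif token == "subject":
            current["auid"] = parts[1]  # first subject field is the audit user id
        elif token == "return":
            current["outcome"] = "success" if parts[1] == "success" else "failure"
        elif token == "trailer":
            records.append(current)
            current = None
    return records


def file_events(records):
    """Records that name at least one path, i.e. file/directory operations."""
    return [r for r in records if r["paths"]]


def failed_accesses(records):
    """(auid, event, paths) for every record whose return token reports failure."""
    return [(r["auid"], r["event"], r["paths"]) for r in records if r["outcome"] == "failure"]


def activity_by_user(records):
    """Count file events per audit user and event name."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in file_events(records):
        counts[r["auid"]][r["event"]] += 1
    return {user: dict(events) for user, events in counts.items()}


if __name__ == "__main__":
    # Usage: praudit /var/audit/current | python3 audit_summary.py
    # With no piped input the constructed sample is used instead.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    recs = parse_praudit(text)
    print(f"{len(recs)} records, {len(file_events(recs))} with paths")
    for user, events in activity_by_user(recs).items():
        for event, n in sorted(events.items()):
            print(f"{user}: {event} x{n}")
    for auid, event, paths in failed_accesses(recs):
        print(f"FAILED {auid} {event} {' -> '.join(paths)}")
```

Run against a real trail with `praudit /var/audit/current | python3 audit_summary.py`; a trail that contains only `audit startup` records, as in the question, yields zero records with paths, which is a quick way to confirm that the file classes are not being preselected for the session that generated the activity.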