I use audit to log suspicious user actions on a workstation in my institution. I found that, in addition to logging to /var/log/audit.log, auditd also writes to /var/log/messages. Consequently, an unprivileged user can view the logged records simply by typing the dmesg command. This greatly affects user privacy.

I've tried this and this, but instead of completely removing audit, I want it to still log to /var/log/audit.log.

I've also tried this: writing :programname, isequal, "audit" ~ to rsyslog.conf, but it did not work for me.

Some also suggest adding audit=0 to the kernel parameters. I'm not sure if it shall disable auditd completely. Furthermore, the workstations have many active users and should not be rebooted.

Anyone have a clue?

Thanks in advance!

OS: Debian Testing
auditctl version: 2.4.5
Best Answer
Logging to /var/log/messages does happen at the same time as /var/log/messages. audit=0 will disable all audit logs period. That shouldn't stop auditing period though. Consider using auditctl -e 0 also.

The audit logs that show up aren't really a "privacy concern", because if a user really wanted to know what's going on, they'd need ausearch and other au* commands to view the content of the logs/reports as they come up (hint, they need root). The audit logs will show the executed command among other things, but nothing beyond that (switches, other files, etc.).

As a side note, there's also the ps command. Any user can see what another user is running anyway.
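One reason the rsyslog filter in the question may not match, as an added example that is not part of the original post or answer: rsyslog derives programname from the syslog tag, and audit records normally arrive tagged as "kernel" (printk) or "audispd" (the audispd syslog plugin), never as "audit". The script below emulates both a programname rule and a message-content rule over constructed sample lines (these are not records from the asker's workstation, and the tag assumption above is the example's own). Note that rsyslog rules only affect what lands in /var/log/messages; dmesg reads the kernel ring buffer directly and is unaffected by them.

```shell
#!/bin/sh
# Constructed sample lines in the shape rsyslog sees them (syslogtag first).
# They are made up for this example, not taken from any real system.
SAMPLE_LINES='kernel: audit: type=1400 audit(1400000000.000:42): apparmor="DENIED" operation="open"
audispd: node=ws1 type=USER_CMD msg=audit(1400000000.001:43): pid=1234 uid=1000 cmd=6C73202D6C
sshd[999]: Accepted publickey for alice from 10.0.0.5 port 5000
cron[77]: (root) CMD (run-parts /etc/cron.hourly)'

# programname as rsyslog derives it: the syslog tag with ":" and "[pid]" stripped.
programname() {
    tag=${1%%:*}          # drop everything from the first ":"
    echo "${tag%%\[*}"    # drop a trailing "[pid]" if present
}

# Emulates the rule `:programname, isequal, "audit"`; returns 0 when it would match.
match_programname_audit() {
    [ "$(programname "$1")" = "audit" ]
}

# Emulates the rule `:msg, contains, "audit("`; returns 0 when it would match.
match_msg_audit() {
    case "$1" in
        *"audit("*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Counts how many sample lines the given rule function would discard.
count_matches() {
    n=0
    while IFS= read -r line; do
        "$1" "$line" && n=$((n + 1))
    done <<EOF
$SAMPLE_LINES
EOF
    echo "$n"
}

echo "programname == audit discards: $(count_matches match_programname_audit) line(s)"
echo "msg contains audit( discards:  $(count_matches match_msg_audit) line(s)"
```

The programname rule discards nothing because no line carries the tag "audit", while the content rule catches both audit records without touching the sshd and cron lines.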