Linux – How to exclude auditd messages from dmesg and only log them in /var/log/audit.log

auditd, dmesg, linux-audit

I use audit to log suspicious user actions on a workstation in my institution. I found that, in addition to logging to /var/log/audit.log, auditd also writes to /var/log/messages. Consequently, an unprivileged user can view the logged records simply by typing the dmesg command. This greatly affects user privacy.

I've tried this and this, but instead of completely removing audit, I want it to still log to /var/log/audit.log.

I've also tried this: writing :programname, isequal, "audit" ~ to rsyslog.conf, but it did not work for me.

Some also suggest adding audit=0 to the kernel parameters. I'm not sure if it shall disable auditd completely. Furthermore, the workstations have many active users and should not be rebooted.

Anyone have a clue?

Thanks in advance!

OS: Debian Testing
auditctl version: 2.4.5
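An added example, not from the question or the answer: a small Python model of the two rsyslog filter styles, showing why a programname test like the one tried above misses kernel-forwarded audit records (rsyslog tags those with the program name kernel) while a match on the audit(...) stamp in the message body catches every audit record. The sample log lines are constructed, and the rsyslog equivalent of the body match is assumed to be `:msg, contains, "audit(" stop`.

```python
import re

# Every kernel-emitted and auditd record carries a stamp such as
# "audit(1456999701.123:45)", whatever the record type, so a body
# match on it is type-independent.
AUDIT_STAMP = re.compile(r"\baudit\(\d+\.\d+:\d+\)")

# Parses one syslog-style line: "Mon DD HH:MM:SS host tag[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse(line):
    """Split a syslog line into timestamp, host, program name and message."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def matches_programname(line, name="audit"):
    """Model of ':programname, isequal, "audit"': compares the tag only."""
    rec = parse(line)
    return rec is not None and rec["prog"] == name


def is_audit_record(line):
    """Model of ':msg, contains, "audit("': looks at the message body."""
    rec = parse(line)
    return rec is not None and AUDIT_STAMP.search(rec["msg"]) is not None


def filter_lines(lines):
    """Lines that would still reach /var/log/messages once audit records
    are dropped by the body match."""
    return [line for line in lines if not is_audit_record(line)]


# Constructed sample lines (not captured from a real host).
SAMPLE = [
    'Mar  3 10:15:01 ws01 kernel: audit: type=1300 audit(1456999701.123:45): '
    'arch=c000003e syscall=59 success=yes exit=0 comm="cat" exe="/bin/cat"',
    "Mar  3 10:15:01 ws01 kernel: type=1327 audit(1456999701.123:45): "
    "proctitle=636174002F6574632F706173737764",
    "Mar  3 10:15:02 ws01 sshd[1234]: Accepted publickey for alice from "
    "192.0.2.10 port 50000 ssh2",
    "Mar  3 10:15:03 ws01 auditd[987]: Audit daemon rotating log files",
]
```

Note that this only changes what rsyslog writes to /var/log/messages; dmesg reads the kernel ring buffer directly, which no rsyslog rule affects.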

Best Answer

Logging to /var/log/messages does happen at the same time as /var/log/messages. audit=0 will disable all audit logs period. That shouldn't stop auditing period though. Consider using auditctl -e 0 also.

The audit logs that show up aren't really a "privacy concern", because if a user really wanted to know what's going on, they'd need ausearch and other au* commands to view the content of the logs/reports as they come up (hint, they need root). The audit logs will show the executed command among other things, but nothing beyond that (switches, other files, etc).

As a side note, there's also the ps command. Any user can see what another user is running anyway.