Talk:Audit framework

The instructions say to append rule to /etc/audit/audit.rules, but there is no such file on my system. Am I supposed to put rules into an empty file or copy a default from somewhere? Also, systemctl status auditd.service shows augenrules is looking for the directory /etc/audit/rules.d rather than the file mentioned in the instructions, so I'm not even clear whether audit.rules is correct. I don't have the directory either on my machine. --cfr (talk) 16:39, 13 December 2022 (UTC)

From auditd(8), it says "During startup, the rules in /etc/audit/audit.rules are read by auditctl and loaded into the kernel. Alternately, there is also an augenrules program that reads rules located in /etc/audit/rules.d/ and compiles them into an audit.rules file."
So please help double check and update page if you have time. --Fengchao (talk) 03:46, 17 December 2022 (UTC)
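An added illustration of how the two locations quoted from auditd(8) fit together (this is example code for this talk thread, not from the wiki page or from the audit project): augenrules merges the fragments in /etc/audit/rules.d/*.rules into /etc/audit/audit.rules, and auditctl loads audit.rules. The script below reproduces that merge on a directory you pass in, so it runs without auditd installed and never touches /etc. The rule lines it writes are constructed samples, and the merge is simplified: the real augenrules also reorders the -D/-b/-e control lines, which this version does not.

```shell
#!/bin/sh
# Added example (not code from the wiki page or the audit project): mimic the
# relationship between rules.d/*.rules and audit.rules on a directory of our
# own. Simplification: augenrules also reorders -D/-b/-e control lines.

# Report which rule source auditd startup would use under DIR:
#   rules.d      -> fragments exist; augenrules produces audit.rules from them
#   audit.rules  -> only a hand-written audit.rules is present
#   none         -> neither (the situation described in the first post)
active_rule_source() {
    dir="$1"
    set -- "$dir"/rules.d/*.rules
    if [ -e "$1" ]; then
        echo "rules.d"
    elif [ -f "$dir/audit.rules" ]; then
        echo "audit.rules"
    else
        echo "none"
    fi
}

# Write two constructed fragments under DIR/rules.d. File names sort lexically,
# which is the order augenrules merges them in (hence the numeric prefixes).
write_sample_fragments() {
    dir="$1"
    mkdir -p "$dir/rules.d"
    cat > "$dir/rules.d/10-base.rules" <<'EOF'
## constructed sample: flush existing rules, then enlarge the backlog
-D
-b 8192
EOF
    cat > "$dir/rules.d/50-identity.rules" <<'EOF'
## constructed sample: watch identity files for writes and attribute changes
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
EOF
}

# Merge DIR/rules.d/*.rules (sorted) into DIR/audit.rules, dropping comment
# and blank lines, and print the path of the merged file.
merge_rules_d() {
    dir="$1"
    out="$dir/audit.rules"
    : > "$out"
    for f in "$dir"/rules.d/*.rules; do
        [ -e "$f" ] || continue
        sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$f" >> "$out"
    done
    echo "$out"
}

# Count effective rule lines in a rules file (comments and blanks excluded).
count_rules() {
    awk '!/^[[:space:]]*#/ && NF { n++ } END { print n + 0 }' "$1"
}

# Stand-alone demo on a constructed temporary directory.
demo_dir=$(mktemp -d)
echo "before: $(active_rule_source "$demo_dir")"
write_sample_fragments "$demo_dir"
echo "after:  $(active_rule_source "$demo_dir")"
merged=$(merge_rules_d "$demo_dir")
echo "merged $(count_rules "$merged") rules into $merged:"
cat "$merged"
rm -rf "$demo_dir"
# On a real system the equivalent steps are: augenrules --check (is audit.rules
# stale relative to rules.d?) and augenrules --load (merge and load), run as root.
```

Running it on a real system would mean pointing the functions at /etc/audit, which is deliberately not the default here; with auditd installed, `augenrules --check` and `augenrules --load` do the merge and the kernel load for you, and a hand-written /etc/audit/audit.rules only stays in effect as long as rules.d is empty, because augenrules overwrites it.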

external documentation

I think external documentation is needed so that novice users can understand how the audit tools work. For example, this article (Spanish) could provide information for Spanish users.

—This unsigned comment is by Xan (talk) 08:01, 26 June 2023.