A standard openSUSE system has auditd running by default. There are different levels of auditing activity available:

Out of the box (without any further configuration) auditd logs only events concerning its own configuration changes to /var/log/audit/audit.log. No events (file access, system call, etc.) are generated by the kernel audit component until requested by auditctl. However, other kernel components and modules may log audit events outside of the control of auditctl, and these appear in the audit log. By default, the only module that generates audit events is Novell AppArmor.
Even plain file or directory watches rely on system call auditing, so to audit system calls or get meaningful file watches you need to enable audit contexts for system calls. To enable audit contexts for the duration of the current session only, execute auditctl -e 1 as root. To disable this feature again, execute auditctl -e 0 as root.
To enable audit contexts for system calls permanently, open the /etc/sysconfig/auditd configuration file as root and set AUDITD_DISABLE_CONTEXTS to no. Then restart the audit daemon with the rcauditd restart command. To turn this feature off temporarily, use auditctl -e 0. To turn it off permanently, set AUDITD_DISABLE_CONTEXTS to yes.
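The following added example (not from the openSUSE documentation) checks that the persistent AUDITD_DISABLE_CONTEXTS setting agrees with the running audit state and counts the configuration-change records that auditd writes when auditing is switched on or off. It assumes that saved auditctl -s output contains an "enabled N" line (or AUDIT_ENABLED=N in older versions) and that the kernel records auditctl -e changes as type=CONFIG_CHANGE lines carrying "audit_enabled=N old=M"; all input files are constructed samples.

```shell
#!/bin/sh
# Added example: compare /etc/sysconfig/auditd with the running audit state
# and count audit_enabled toggles in the audit log. Sample inputs are
# constructed here; on a real host point the functions at the real files
# and at saved `auditctl -s` output (assumed formats, see lead-in).

# Print AUDITD_DISABLE_CONTEXTS from a sysconfig file ("yes"/"no"), or
# "unset" when absent. Comment lines are ignored, quotes stripped, last wins.
contexts_setting() {
    v=$(sed -n 's/^[[:space:]]*AUDITD_DISABLE_CONTEXTS[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "${v:-unset}"
}

# Print the "enabled" flag (0, 1 or 2) parsed from saved `auditctl -s` output.
audit_enabled_flag() {
    sed -n -e 's/^enabled[[:space:]]*\([0-9]\).*/\1/p' \
           -e 's/.*AUDIT_ENABLED=\([0-9]\).*/\1/p' "$1" | head -n 1
}

# Return 0 when persistent setting and running state agree
# (yes <-> enabled 0, no <-> enabled 1 or 2), 1 otherwise.
contexts_consistent() {
    case "$(contexts_setting "$1")/$(audit_enabled_flag "$2")" in
        yes/0|no/1|no/2) return 0 ;;
        *) return 1 ;;
    esac
}

# Count CONFIG_CHANGE records where audit_enabled changed (auditctl -e 0 / -e 1).
count_audit_toggles() {
    grep -c -E '^type=CONFIG_CHANGE .*audit_enabled=[0-9] old=[0-9]' "$1" || true
}

# Constructed sample files (not real system data).
tmp=$(mktemp -d)
printf '# AUDITD_DISABLE_CONTEXTS="yes"\nAUDITD_DISABLE_CONTEXTS="no"\n' > "$tmp/sysconfig_auditd"
printf 'enabled 0\nfailure 1\n' > "$tmp/auditctl_s.txt"
cat > "$tmp/audit.log" <<'EOF'
type=CONFIG_CHANGE msg=audit(1700000000.100:10): audit_enabled=1 old=0 auid=0 ses=1 res=1
type=CONFIG_CHANGE msg=audit(1700000000.200:11): audit_backlog_limit=8192 old=64 auid=0 ses=1 res=1
type=CONFIG_CHANGE msg=audit(1700000000.300:12): audit_enabled=0 old=1 auid=1000 ses=3 res=1
EOF

if contexts_consistent "$tmp/sysconfig_auditd" "$tmp/auditctl_s.txt"; then
    echo "persistent setting and running state agree"
else
    echo "MISMATCH: sysconfig says $(contexts_setting "$tmp/sysconfig_auditd"), kernel reports enabled=$(audit_enabled_flag "$tmp/auditctl_s.txt")"
fi
echo "audit_enabled toggles in log: $(count_audit_toggles "$tmp/audit.log")"
```

The sample deliberately shows a mismatch: the file says contexts stay enabled, but someone has run auditctl -e 0, which the last log line records.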