Enabling Audit for System Calls

A standard openSUSE system has auditd running by default. There are different levels of auditing activity available:

Basic Logging

Out of the box (without any further configuration) auditd logs only events concerning its own configuration changes to /var/log/audit/audit.log. No events (file access, system call, etc.) are generated by the kernel audit component until requested by auditctl. However, other kernel components and modules may log audit events outside of the control of auditctl and these appear in the audit log. By default, the only module that generates audit events is Novell AppArmor.

Advanced Logging with System Call Auditing

To audit system calls and get meaningful file watches, you need to enable audit contexts for system calls.

System call auditing capabilities are required even when you only configure plain file or directory watches, so audit contexts for system calls must be enabled first. To enable audit contexts for the duration of the current session only, execute auditctl -e 1 as root. To disable this feature again, execute auditctl -e 0 as root.

To enable audit contexts for system calls permanently, open the /etc/sysconfig/auditd configuration file as root and set AUDITD_DISABLE_CONTEXTS to no. Then restart the audit daemon with the rcauditd restart command. To turn this feature off temporarily, use auditctl -e 0. To turn it off permanently, set AUDITD_DISABLE_CONTEXTS to yes.
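The following helper script is an added example and not part of the openSUSE documentation. It makes the permanent setting described above repeatable and lets you verify the result: one function rewrites the AUDITD_DISABLE_CONTEXTS assignment in a copy of /etc/sysconfig/auditd (the file path is a parameter so the function can be exercised on a scratch copy before touching the live file), one reads the value back, and one extracts the "enabled" flag from the output of auditctl -s. The assumptions are that auditctl -s prints either a line of the form "enabled 1" (current audit releases) or an older "AUDIT_STATUS: enabled=1 ..." line; both forms are handled.

```shell
#!/bin/sh
# Added example, not from the openSUSE documentation.
# Assumes the AUDITD_DISABLE_CONTEXTS key of /etc/sysconfig/auditd and the
# "enabled" field printed by `auditctl -s` (either "enabled 1" or the older
# "AUDIT_STATUS: enabled=1 ..." form).

# set_disable_contexts FILE VALUE
#   Set AUDITD_DISABLE_CONTEXTS="VALUE" (yes or no) in FILE, replacing an
#   existing assignment or appending one if the key is missing.
set_disable_contexts() {
    file=$1
    value=$2
    case "$value" in
        yes|no) ;;
        *) echo "value must be yes or no, got: $value" >&2; return 1 ;;
    esac
    if grep -q '^AUDITD_DISABLE_CONTEXTS=' "$file"; then
        sed -i "s/^AUDITD_DISABLE_CONTEXTS=.*/AUDITD_DISABLE_CONTEXTS=\"$value\"/" "$file"
    else
        printf 'AUDITD_DISABLE_CONTEXTS="%s"\n' "$value" >> "$file"
    fi
}

# get_disable_contexts FILE
#   Print the current value of AUDITD_DISABLE_CONTEXTS without quotes
#   (last assignment wins, as it would for the shell sourcing the file).
get_disable_contexts() {
    sed -n 's/^AUDITD_DISABLE_CONTEXTS=//p' "$1" | tail -n 1 | tr -d '"'
}

# audit_enabled_from_status TEXT
#   Given the output of `auditctl -s`, print the value of its "enabled"
#   field: 1 means audit contexts are on, 0 means they are off.
audit_enabled_from_status() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) {
              if ($i == "enabled") { print $(i + 1); exit }
              if ($i ~ /^enabled=/) { sub(/^enabled=/, "", $i); print $i; exit }
          } }'
}

# Demonstration on a constructed scratch copy, never the live file.
demo=$(mktemp)
printf '## Type: yesno\nAUDITD_DISABLE_CONTEXTS="yes"\n' > "$demo"
set_disable_contexts "$demo" no
echo "scratch copy now has AUDITD_DISABLE_CONTEXTS=$(get_disable_contexts "$demo")"
rm -f "$demo"
```

To apply the change on a real system, run set_disable_contexts /etc/sysconfig/auditd no as root, restart the daemon with rcauditd restart, and confirm with audit_enabled_from_status "$(auditctl -s)" that the kernel reports 1; the same check after a reboot tells you whether the permanent setting took effect.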