Questions tagged [audit]

Observing or logging a resource for the purposes of: adding it to a blacklist or whitelist; keeping tabs on the security of a system.

325 questions
2 votes, 0 answers

How do I audit cgroup changes

I have a container process that is mysteriously changing cgroups long after it has been started. How do I track down who/what is changing it? I tried watching my audit log when manually doing a cgclassify command to switch my process and nothing got…
2 votes, 0 answers

Set audit policy, overriding group policy

My goal is to configure advanced audit policy for file system objects on some Windows machines, such that it overrides group policy. I need this to work for both Windows Server 2008 (R1) and later editions. From what I've read, this is possible by…
Cocowalla • 623 • 1 • 5 • 17
2 votes, 2 answers

What's stopping auditd from logging writes by Syslog when watching a Syslog file?

We've recently started using auditd on one of our Ubuntu servers. The example audit.rules file we were given has a rule like this: -w /var/log/syslog -p wra -k logs However, when syslog writes to the file, nothing gets logged by auditd. Similarly,…
simoesf • 81 • 9
2 votes, 1 answer

capture commands executed remotely using SSH in Auditd

I have configured Auditd in a RHEL6 server and enabled TTY logging using pam_tty_audit.so enable=* in /etc/pam.d/system-auth and /etc/pam.d/password-auth I don't have any other rules configured in audit.rules file as I am interested in only…
Sravan • 121 • 1 • 3
2 votes, 4 answers

network auditing software for detecting new hosts?

So, I have been tasked with researching and deploying some kind of network auditing software. All this really needs to do is be able to ping/TCP-connect-scan a handful of internal /24 networks at regular intervals (every 24h or whatever) and send…
law • 1,490 • 3 • 11 • 11
2 votes, 0 answers

File Access Auditing on Server 2012

I'm implementing file auditing on a directory on an IIS server in order to get a notification when someone attempts to modify or delete any documents. I set Advanced Auditing Policy\Audit Policies\Object Access:File System to audit Success and…
garethTheRed • 4,539 • 14 • 22
2 votes, 1 answer

Non-intrusive stored-procedure auditing on Oracle 10g

I'm working in an environment where there is a large variety of legacy client programs. I'm trying to get an idea of which programs use what stored procedures. Is there a way to audit access to a stored procedure without having to modify said…
2 votes, 1 answer

Auditing Registry events through AD

I want to audit registry-related events (modify key, delete key, etc.), so I enabled it via group policy and set up "Global Object Access Auditing" for auditing on "Authenticated Users". Unfortunately the event count is too high and almost 95% of…
2 votes, 1 answer

Windows Server 2012 R2 Event Log / Audit deleted files / Only last minutes visible

My goal: I want to find out who deletes files on a network share. Users are sometimes complaining that a file is missing and, as usual, the others are to blame. I have file auditing enabled for these network shares. If I go to the event viewer to have…
2 votes, 0 answers

Audit RDP security layer used for each logon

I'm looking for a way to monitor the security layer used when a user logs on to a Windows 2012 R2 server with RDP (SSL or RDP, encryption level). I haven't found anything useful in "Advanced Audit Policy Configuration" in the GPM editor, but perhaps I missed…
2 votes, 1 answer

How to enable syscall auditing in CoreOS?

Since CoreOS 766, the auditing subsystem is partially integrated: the audit subsystem has been enabled in the kernel and auditctl added to the image. Most audit events are ignored by default. The audit rules may be modified in…
0x90 • 83 • 8
2 votes, 0 answers

Audit IP change on a Windows machine

I want to get an audit (event in the event viewer) for every change in the IP address (static or DHCP). I tried setting an audit configuration on the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces'for…
yoni • 21 • 2 • 5
2 votes, 1 answer

Do any OpenSSH 6.7 `preauth` error log entries warrant specific human attention?

A Linux (specifically Debian Jessie) server that needs to be exposed to the Internet is spitting out various OpenSSH 6.7 preauth errors in the logs. For example, I'm getting (timestamps elided for clarity): error: Received disconnect from A.B.C.D:…
user • 4,335 • 4 • 34 • 71
2 votes, 1 answer

Audit trail for all actions taken with admin privileges

PCI DSS 10.2 says, "Implement automated audit trails for all system components to reconstruct the following events:" and 10.2.2 continues, "All actions taken by any individual with root or administrative privileges." I am struggling to make this…
Zek • 568 • 3 • 10 • 24
2 votes, 1 answer

Checking Who Applied GPO

I know how to check what GPOs are applied on systems and users, but I'm wondering, is there a way to check who applied a specific GPO?
cmorris14 • 181 • 2 • 3 • 11