Questions tagged [audit]

Observing/logging a resource for purposes of:
- Adding it to a blacklist or whitelist
- Keeping tabs on the security of a system

325 questions
2 votes, 2 answers

Is there a reverse Proxy for REST interfaces, which requires approval?

My organization employs a number of services that expose REST interfaces. POST, PUT or DELETE requests to such an interface can be destructive. Using firewalls and user authentication, we can restrict the access to authorized personnel. I'd like to…
Jan
2 votes, 1 answer

What is causing WMI to delete registry keys

On one of our servers, registry keys keep disappearing. These keys contain certificate keys for our Sophos AV management console, and parts of the enterprise console stop working after each reboot (the message router, to be specific). After enabling…
chewbakka
2 votes, 1 answer

Monitoring Linux system Calls (efficiently)

What is the fastest way to monitor Linux system calls and log them to a file? This post has some great info: https://security.stackexchange.com/questions/8485/monitoring-system-calls-in-a-reliable-and-secure-way?lq=1 It seems that the Audit…
MIke
2 votes, 1 answer

Domain member server causing continuous login failure for Administrator account

One of our domain member servers keeps producing continuous login failures (caught in Event viewer via Audit Policy) almost every minute. Here's a typical failure log (names & IPs obfuscated): Event Type: Failure Audit Event Source: Security Event…
2 votes, 3 answers

Logon attempts - Tons of failure audits in Event Viewer on Domain Controller (Server 2003)

This is what the event looks like, under Security logs. There are tons of them. Is someone trying to brute force the network? This server is also used as a terminal services server. Thanks, any advice / help would be greatly…
Samuel Pardee
2 votes, 1 answer

auditctl - logging when a user logs out

Is it possible to log when a user logs out of a session on Linux using Auditctl? My current audit.rules relating to users are: -w /etc/login.defs -p xwa -k login -w /etc/securetty -p xwa -k login -w /var/log/faillog -p xwa -k login -w…
Kiksy
2 votes, 0 answers

Audit access to USB drives

Is there a way to audit access to USB drives with built-in Windows logging? We already do GP-based auditing on our server's NTFS file system, but how do we extend that to workstations? There is no guarantee of what kind of file system will be…
2 votes, 2 answers

Restore legacy audit policies on Windows Server 2008 R2

Recently, I was trying to reduce spam of my security audits by disabling auditing of "Filtering Platform Packet Drop". In a week's time, I get enough of these audits to fill a 200Mb logfile. I tried disabling this with an Advanced Audit Policy.…
Drise
2 votes, 1 answer

Cannot disable Windows 2008 R2 file access auditing

I was trying to audit file access on a Windows 2008 R2 server, and (my fault) enabled it for the entire volume (say, disk E:). Of course I was getting lots of entries in the security log, a big amount to handle - and even bigger when trying to…
user190488
2 votes, 1 answer

Windows 2008 file server: How to find unused permissions?

Following a security breach in my office in which data was stolen from the company, my manager gave me the task of finding all the folders on the file server which users have read access to but haven't used that permission on in the last 3 months. Is…
Itai Ganot
2 votes, 1 answer

Does Windows contain default System ACLs for auditing purposes?

While trying to test SACL creation on a filesystem object, I noticed that it was not logging to the event log. After some digging, I found that I had to flip the "master switch" in Local Security Policy in order for the entries to be logged. So, I…
Peter Grace
2 votes, 2 answers

SELinux - Allow multiple services access to same /home/dir

I currently have SELinux enabled and have been able to configure Apache to allow access to /home/src/web with a chcon command granting the 'httpd_sys_content_t' type. But now I am trying to serve the rsyslogd.conf file from the same directory, but…
Mike Purcell
2 votes, 3 answers

Windows Server 2008R2 - Auditing changes to a service account

I want to set up auditing so I can see if any changes are being made to a service account (any changes) in AD which is used to run a backup application. What do I need to enable in Group Policy Management: Audit Directory Service changes, or Audit…
PnP
2 votes, 5 answers

open source asset tracking auditing for servers and workstations

Need something quick and free for both domain-based and workgroup-based auditing of PCs and their hardware. All I want is HDD size, CPU and memory. Doesn't have to be pretty, just easy to deploy on the network. If an agent is required, no big…
dasko
2 votes, 2 answers

Auditing changes to the audit log

I have configured auditd for PCI compliance reasons. PCI states that existing logs cannot be changed without generating an alert. This article http://ptresearch.blogspot.com/2010/11/requirement-10-track-and-monitor-all.html recommends doing this: -w…
user185704