Questions tagged [auditd]

auditd is the userspace component of the Linux Auditing System.

The auditd subsystem was developed by Steve Grubb and is used to write out audit records, which are generally generated within kernel space. It allows for monitoring and logging of such things as arbitrary system calls or filesystem access. The userspace portion is also used as the logging engine for SELinux and pam_tty_audit.

161 questions
0 votes, 3 answers

How to install auditd from source in Ubuntu?

I want to set up auditd to collect its logs from a remote server. I'm using Ubuntu 14.04.3 LTS. This feature seems to be disabled in the Ubuntu auditd package. So, I'm going to install it from source. Where can I download the right auditd source…
Valeria
0 votes, 0 answers

How to log changes made in a particular file to syslog

How to log changes made in a particular file using syslog-ng. The log must contain the timestamp, hostname, user who modified the file and action performed. Is there any option other than audit in Linux, as audit generates more data in the log. Can…
Arun
0 votes, 0 answers

Folder keeps getting deleted and I can't find out why

I have a Joomla based website running on CentOS, Apache, PHP, MySQL. I am using the plupload file uploader to upload the files. I'm uploading the files to the /tmp/uploads directory where they are processed and then moved. For some reason and for the life…
Wasim
0 votes, 1 answer

Logging SFTP activity with auditd

I am currently using auditd to log TTY activity for users that are SSH'd into my system. However, SFTP sessions are not logged in this way. Is there a way to log them using auditd or will I need to use a separate logger for SFTP?
0 votes, 2 answers

Monitor root commands issued by users

I tried to log the commands issued by the system administrators in our organization and their output using sudo plus the log_output directive as follows in the visudo file: Defaults env_reset Defaults …
0 votes, 3 answers

Track any file changes using auditd

I am trying to configure PCI REQ 10.5.5 "Use file integrity monitoring or change detection software on logs". I use auditd for this; the rule "auditctl -w /tmp/testfile -p war" works perfectly. But if I try to use stdout redirection to the file, like "echo "hi" >>…
Asazio
0 votes, 1 answer

Logging violations of rules in limits.conf

I am trying to log the details of the programs that failed due to the limit cap defined in limits.conf. My initial plan was to do it using the audit system. The idea was to track the system calls related to the limits in limits.conf that…
PaulDaviesC
0 votes, 0 answers

Linux Auditd: Error receiving audit netlink packet (No buffer space available)

I have some Linux servers that are getting errors like the below in the logs... auditd[1074]: Error receiving audit netlink packet (No buffer space available) I know HOW to resolve the issue (tweak the audit buffer setting in audit.rules), but I'm…
Egyas
0 votes, 0 answers

How to configure osquery with auditd

Who has expertise on how to work with osquery (or maybe you solved this problem): Based on articles like this one - https://blog.palantir.com/auditing-with-osquery-part-two-configuration-and-implementation-87a8bba0ef48 I understand osquery can be…
0 votes, 1 answer

Audit Log Partition keeps getting corrupted. How to prevent or boot anyway?

I am running RHEL7, and my audit log partition randomly (not often, but often enough to annoy me) gets corrupted, preventing me from booting. How can I either prevent the partition from being corrupted, or ignore it and allow the system to continue…
dberm22
0 votes, 0 answers

Why is Firefox trying to access .bashrc?

This Ubuntu 22.04 installation is fairly new. Why is Firefox trying to read .bashrc and many other files? Does this indicate a security breach? [340664.822484] audit: type=1400 audit(1665738538.467:3862): apparmor="DENIED" operation="open"…
0 votes, 0 answers

Auditd service mysteriously stopped after 2 minutes on Ubuntu

ubuntu:~$ systemctl status auditd ● auditd.service - Security Auditing Service Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: inactive (dead) since Tue 2022-09-27 15:45:46 UTC; 1h 45min ago …
q85ts
0 votes, 1 answer

Losing Audit Logs When Tracing a Container

As you know, Linux Audit is not installed on Ubuntu Focal by default. I installed it, and my goal is to trace what containers do. I have this seccomp profile: { "defaultAction": "SCMP_ACT_LOG", "architectures": [ …
MoeKav
0 votes, 1 answer

CIS compliant auditd configuration on Red Hat 7/8

We have a large fleet of Red Hat 7/8 systems. We have a requirement to make sure that all systems are CIS compliant. One of the requirements is to not automatically rotate the audit logs. That is, configure the following: max_log_file_action =…
Jigar
0 votes, 1 answer

How to install `aide` without `aide-common` in Debian?

Per this post, newer versions of Ubuntu (including 14.04) come with two packages for AIDE: aide, with the aide command and manual page, and little else; aide-common, with a wrapper around that command, configuration files with rules, and cron…
kittygirl