Questions tagged [auditd]

auditd is the userspace component of the Linux Auditing System.

The audit subsystem is maintained by Steve Grubb. The kernel side generates audit records, and the auditd daemon writes them out to disk (normally /var/log/audit/audit.log). Rules loaded with auditctl allow monitoring and logging of events such as arbitrary system calls or filesystem access, selectable by syscall, path, user ID and other fields. The userspace portion also serves as the logging engine for SELinux AVC messages and for pam_tty_audit.

161 questions
0
votes
1 answer

How to send an alert message from a script to auditd.log?

Due to auditing policies (auditd.log is monitored), I have to send alert messages from my ad hoc check scripts to auditd.log. Any idea what the best / standard solution is? I think that echo log >> auditd.log is not a good idea. E.g. I have this check…
andrew
  • 209
  • 2
  • 9
0
votes
2 answers

selinux audit rule not logging anything

I am trying to audit a directory tree for read, write, and permissions change. I created the rule using auditctl -w -k media-watch, but ausearch -k media-watch only shows the creation (or deletion for debugging) of the rule, and not file…
0
votes
1 answer

Email alert when private keys read from disk (honeypot, auditd)

I'd like to receive an immediate alert every time something reads the contents of my private key on Debian Linux. How can I do that? I have an RSA private key stored on my server's disk at the following…
Michael Altfield
  • 739
  • 2
  • 8
  • 23
0
votes
0 answers

Auditd - track commands (regular and sudo) of a given UID

I have some auditd rules like: -a always,exit -F arch=b32 -S execve -F euid=1002 -k mytag -a always,exit -F arch=b64 -S execve -F euid=1002 -k mytag -a always,exit -F arch=b32 -S execve -F euid=1003 -k mytag -a always,exit -F arch=b64 -S execve -F…
Ani
  • 32
  • 2
  • 13
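The tag description above says auditd writes kernel-generated records for syscalls and filesystem access; the two questions about alerting on reads of a private key and about tracking every command a given UID runs are the two commonest reasons to read those records. The parser below is an added example written for this page; it is not code from the tag wiki or from any of the posters. It shows the shape of the data a reader has to deal with: one syscall becomes several lines (SYSCALL, EXECVE, CWD, PATH, PROCTITLE) joined only by the `msg=audit(<epoch>:<serial>)` stamp, strings containing spaces or control characters are logged as unquoted uppercase hex, `auid=4294967295` means "unset", and `key=(null)` means no rule key. The log lines are constructed for illustration, and the rule keys `mytag` and `ssh-key` and the paths are assumptions corresponding to the two rules named in the comment.

```python
"""Group raw audit.log lines into events and query them ausearch-style.

Assumed rules that would produce the constructed sample below:
  -a always,exit -F arch=b64 -S execve -F auid=1002 -k mytag
  -w /root/.ssh/id_rsa -p r -k ssh-key
"""
import re
from collections import defaultdict

MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")   # auditd hex-encodes as uppercase pairs
AUID_UNSET = 4294967295                       # -1 as u32: no login uid recorded


def parse_record(line):
    """One audit.log line -> (serial, record type, {field: raw value})."""
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = {k: v for k, v in FIELD_RE.findall(line) if k != "msg"}
    return int(m.group(3)), fields["type"], fields


def text(fields, key):
    """Decode a string field. Quoted values are literal; an unquoted all-hex
    value is hex-encoded (it held a space, quote or control char). NULs,
    which separate argv words in PROCTITLE, become spaces."""
    raw = fields.get(key)
    if raw is None or raw == "(null)":
        return None
    if raw.startswith('"'):
        return raw[1:-1]
    if HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
    return raw


def group_events(lines):
    """Join records sharing a serial; PATH is a list (one record per items=N)."""
    events = defaultdict(dict)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        serial, rtype, fields = parse_record(line)
        if rtype == "PATH":
            events[serial].setdefault("PATH", []).append(fields)
        else:
            events[serial][rtype] = fields
    return dict(events)


def argv(event):
    """Rebuild the command line from EXECVE a0..a<argc-1>, decoding hex args."""
    ex = event.get("EXECVE")
    if ex is None:
        return None
    return [text(ex, "a%d" % i) for i in range(int(ex["argc"]))]


def summarize(serial, event):
    sc = event.get("SYSCALL", {})
    auid = int(sc.get("auid", AUID_UNSET))
    return {
        "serial": serial,
        "auid": None if auid == AUID_UNSET else auid,   # None: not a login session
        "uid": int(sc["uid"]) if "uid" in sc else None,
        "success": sc.get("success") == "yes",
        "exit": int(sc["exit"]) if "exit" in sc else None,  # negative errno on failure
        "exe": text(sc, "exe"),
        "key": text(sc, "key"),                          # rule key, None for (null)
        "argv": argv(event),
        "proctitle": text(event.get("PROCTITLE", {}), "proctitle"),
        "paths": [text(p, "name") for p in event.get("PATH", [])],
    }


def search(lines, key=None, auid=None):
    """Filter like `ausearch -k KEY` / `ausearch -ua AUID`, oldest serial first."""
    out = []
    for serial, event in sorted(group_events(lines).items()):
        s = summarize(serial, event)
        if key is not None and s["key"] != key:
            continue
        if auid is not None and s["auid"] != auid:
            continue
        out.append(s)
    return out


# Constructed sample (not from a real host): uid 1002 runs `sh -c "cat /root/.ssh/id_rsa"`,
# the openat() of the watched key fails with EACCES (-13), and a keyless cron exec follows.
SAMPLE_LOG = """
type=SYSCALL msg=audit(1600000000.101:4567): arch=c000003e syscall=59 success=yes exit=0 a0=55d2c6a1e2b0 a1=55d2c6a1e3d0 a2=55d2c6a1f570 a3=8 items=2 ppid=2201 pid=2345 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts0 ses=3 comm="sh" exe="/usr/bin/dash" key="mytag"
type=EXECVE msg=audit(1600000000.101:4567): argc=3 a0="sh" a1="-c" a2=636174202F726F6F742F2E7373682F69645F727361
type=CWD msg=audit(1600000000.101:4567): cwd="/home/ani"
type=PATH msg=audit(1600000000.101:4567): item=0 name="/usr/bin/sh" inode=131 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1600000000.101:4567): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=7890 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1600000000.101:4567): proctitle=7368002D6300636174202F726F6F742F2E7373682F69645F727361
type=SYSCALL msg=audit(1600000000.102:4568): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd1b2c3d40 a2=0 a3=0 items=1 ppid=2345 pid=2346 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="ssh-key"
type=CWD msg=audit(1600000000.102:4568): cwd="/home/ani"
type=PATH msg=audit(1600000000.102:4568): item=0 name="/root/.ssh/id_rsa" inode=4242 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1600000000.102:4568): proctitle=636174002F726F6F742F2E7373682F69645F727361
type=SYSCALL msg=audit(1600000000.200:4569): arch=c000003e syscall=59 success=yes exit=0 a0=5581 a1=5582 a2=5583 a3=0 items=2 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key=(null)
type=EXECVE msg=audit(1600000000.200:4569): argc=1 a0="/usr/sbin/cron"
"""

if __name__ == "__main__":
    for e in search(SAMPLE_LOG.splitlines(), auid=1002):
        outcome = "ok" if e["success"] else "exit=%d" % e["exit"]
        print(e["serial"], e["exe"], e["argv"] or e["paths"], outcome)
```

Two points this makes that the raw log does not: the failed read of the key still produces a full event with the PATH record, so a watch rule alerts on attempts and not only on successes (filter on `success=` if you want only the latter), and the executed command is only recoverable by decoding the hex EXECVE arguments, which is what `ausearch -i` does for you. Note that `search(..., auid=...)` filters on the login UID, which survives `sudo`, whereas the `-F euid=` rules quoted in the question above would stop matching once the user switches to root.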
0
votes
0 answers

Is it possible to ensure detection and logging of all attempts to copy data out of a system?

Say I have a server set-up for processing sensitive data. The few authorised users of the system are instructed not to copy any of the sensitive data out of the platform, but could in principle do so using scp etc. This is similar to my car being…
0
votes
0 answers

How to get auditd started in CentOS Linux release 8.2.2004?

I did sudo yum reinstall audit on my server running CentOS Linux release 8.2.2004. When I tried systemctl start auditd it failed. When I ran journalctl -xe I received the following output: -- Unit auditd.service has begun starting up. Sep 15…
Nona
  • 133
  • 1
  • 5
0
votes
0 answers

Why does auditd report UID 1001 is trying to mount a disk when Ubuntu boots?

I'm seeing a message from auditd I don't understand. My OS is Ubuntu 20.04. Every time I boot the server, an audit entry says user id 1001 (a normal user) is making a syscall to /usr/bin/mount. But that user is me (the only interactive user on the…
user450409
  • 125
  • 4
  • 16
0
votes
1 answer

I am trying to set up some auditd rules but getting error -F missing operation for auid

I am trying to set up the below rule in /etc/audit/audit.rules -a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>= 1000 -F auid!=4294967295 -k delete which didn't work so I tried executing it directly from the command line as so…
user438713
0
votes
1 answer

Use Linux auditd to log absolutely everything

I'm trying to audit an automated task that connects to my server and executes some commands. I would like to know everything it does. Currently I'm trying these rules in my audit.rules file. -a exit,always -F arch=b64 -S execve -a exit,always -F arch=b32…
0
votes
1 answer

Conflict installing package, solution?

I need to install auditd from package because my CentOS 6.6 server can't use yum update. But I got some problems and can't install them: rpm -i audit-libs-2.4.5-6.el6.i686.rpm audit-2.4.5-6.el6.i686.rpm warning: audit-libs-2.4.5-6.el6.i686.rpm:…
mtpumpkin
  • 1
  • 1
  • 1
  • 2
-1
votes
1 answer

Linux automatically changing permissions on resolv.conf file

On various Linux servers I see how the permissions of the /etc/resolv.conf file change automatically. In the normal state: -r--r--r-- 1 root root 103 Jul 4 11:50 resolv.conf In the changed state: -r--r----- 1 root root 103 Jul 4 11:50 resolv.conf I…
rfmoz
  • 772
  • 9
  • 15