Questions tagged [auditd]

auditd is the userspace component of the Linux Auditing System.

auditd was developed by Steve Grubb and writes out the audit records, most of which are generated in kernel space by the audit subsystem. It allows monitoring and logging of events such as arbitrary system calls or filesystem access. The userspace portion also serves as the logging engine for SELinux and pam_tty_audit.

161 questions
4
votes
1 answer

View auditd logs in journalctl

I'm using CentOS 7, trying to view auditd logs in journalctl. When I try journalctl -u auditd I see the following output: -- Logs begin at Wed 2018-09-05 08:59:19 EDT, end at Wed 2018-09-19 15:01:01 EDT. -- Sep 05 12:59:25 centos7 systemd[1]:…
kenlukas
  • 3,101
  • 2
  • 16
  • 26
4
votes
2 answers

How to log all commands run on Linux including their arguments (parameters)?

How can I log all commands executed on Linux, including their command-line arguments (parameters)? So, for example, if someone runs: rm -rf /tmp/foo I would see a log entry similar to this: 2016-01-01 18:00:00 user=bob command='rm -rf…
Neil
  • 2,425
  • 8
  • 36
  • 45
4
votes
0 answers

Why does ausearch skip entries?

I am trying to use the ausearch tool to search my auditd logs for specific entries. The problem is that most of the entries in audit.log appear to be unsearchable. Searching with matching parameters often returns , even though there is a…
user339676
  • 171
  • 5
4
votes
1 answer

Auditing in linux

I am trying to set up a robust auditing mechanism on my CentOS 6.x boxes. I tried and tested various auditing tools like auditd, aide, psacct, but none is fulfilling my requirement. My requirement is quite simple and I know one auditing system…
3
votes
1 answer

suppress audit events from a specific user

I'm trying to track down the source cause of a break-in on a server hosting a customer's website. auditd is a great help in showing me what directory to look in when yet another bit of malware (the site is something of a mess, but not mine to clear up…
Shadur
  • 1,337
  • 1
  • 11
  • 20
3
votes
1 answer

Sending auditd records to my audispd plugin

After setting auditctl's rules, I want to send those matched records to my Python script for further analysis. These are the involved files: auditd records: type=PATH msg=audit(1451011319.268:533): ... type=CWD msg=audit(1451011319.268:533): …
Matt Elson
  • 141
  • 1
  • 4
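The tag description says auditd writes out records for system calls and filesystem access, the "log all commands run on Linux including their arguments" question wants those records turned into one readable line per command, and the question above wants them handed to a Python script. The following is an added example, not code from any of the posts or from the audit project: it groups raw records by event serial, decodes EXECVE arguments (auditd hex-encodes an argument that contains a space or control character, and splits very long ones into aN[i] chunks), and renders each execve attributed to the login uid (auid), which survives su/sudo while uid does not. The records in SAMPLE_LOG are constructed to look like what the rule `-a always,exit -F arch=b64 -S execve -k exec` produces; pids, inodes and the file name `auditexec.py` are made up.

```python
import re
import shlex
import sys
import time

# Constructed sample (values made up), in audit.log layout, for the rule
#   -a always,exit -F arch=b64 -S execve -k exec
# Login user (auid) 1000 runs `rm -rf /tmp/foo`, then `sudo grep "hello world"
# /etc/hosts`: in the second event uid/euid are 0 but auid is still 1000.
# "----" and "time->" are the separators ausearch prints without --raw.
SAMPLE_LOG = """\
----
time->Fri Dec 25 02:41:59 2015
type=SYSCALL msg=audit(1451011319.268:533): arch=c000003e syscall=59 success=yes exit=0 a0=1b2c a1=1d2e a2=1f30 a3=0 items=2 ppid=2100 pid=2131 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="exec"
type=EXECVE msg=audit(1451011319.268:533): argc=3 a0="rm" a1="-rf" a2="/tmp/foo"
type=CWD msg=audit(1451011319.268:533):  cwd="/home/bob"
type=PATH msg=audit(1451011319.268:533): item=0 name="/usr/bin/rm" inode=1234 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1451011319.268:533): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5678 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1451011320.001:534): arch=c000003e syscall=59 success=yes exit=0 a0=2a3b a1=2c3d a2=2e3f a3=0 items=2 ppid=2150 pid=2151 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="grep" exe="/usr/bin/grep" key="exec"
type=EXECVE msg=audit(1451011320.001:534): argc=3 a0="grep" a1=68656C6C6F20776F726C64 a2="/etc/hosts"
type=CWD msg=audit(1451011320.001:534):  cwd="/home/bob"
type=PATH msg=audit(1451011320.001:534): item=0 name="/usr/bin/grep" inode=1235 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# type=<TYPE> msg=audit(<secs>.<ms>:<serial>): key=value ...
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(?P<key>[A-Za-z0-9_\[\]-]+)=(?P<val>"[^"]*"|\S*)')
# EXECVE argv: a0="quoted"; bare hex when the value holds a space or control
# character; chunked as a1[0]=.. a1[1]=.. when one argument is very long.
EXECVE_ARG_RE = re.compile(
    r'\ba(?P<idx>\d+)(?:\[(?P<chunk>\d+)\])?='
    r'(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+)(?=\s|$)|(?P<bare>\S+))')


def parse_fields(body):
    """key=value pairs of one record, with surrounding double quotes removed."""
    fields = {}
    for m in FIELD_RE.finditer(body):
        v = m.group('val')
        fields[m.group('key')] = v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v
    return fields


def iter_events(lines):
    """Yield (serial, [records]) per event.  All records of one event share a
    serial, so a change of serial closes the previous event and memory stays
    flat on a live feed.  Assumes contiguous records, as in ausearch output or
    a single plugin feed (libauparse buffers by serial to handle interleaving)."""
    current, recs = None, []
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:                  # "----", "time->...", blank or foreign lines
            continue
        serial = int(m.group('serial'))
        if serial != current and recs:
            yield current, recs
            recs = []
        current = serial
        rec = parse_fields(m.group('body'))
        rec.update(_type=m.group('type'), _ts=float(m.group('ts')), _body=m.group('body'))
        recs.append(rec)
    if recs:
        yield current, recs


def execve_args(body):
    """Decode argv from an EXECVE record body (quoted, hex and chunked forms)."""
    chunks = {}
    for m in EXECVE_ARG_RE.finditer(body):
        if m.group('quoted') is not None:
            val = m.group('quoted')
        elif m.group('hex') is not None:
            val = bytes.fromhex(m.group('hex')).decode('utf-8', 'replace')
        else:
            val = m.group('bare')
        chunks.setdefault(int(m.group('idx')), {})[int(m.group('chunk') or 0)] = val
    return [''.join(v for _, v in sorted(chunks[i].items())) for i in sorted(chunks)]


def summarize_execve(events):
    # Reduce each SYSCALL+EXECVE event to the fields an analyst wants.
    out = []
    for serial, recs in events:
        by_type = {r['_type']: r for r in recs}       # one record per type is enough here
        sysc, execve = by_type.get('SYSCALL'), by_type.get('EXECVE')
        if sysc is None or execve is None:
            continue                                   # not an exec event, or incomplete
        out.append({'serial': serial, 'ts': sysc['_ts'],
                    'auid': int(sysc['auid']),         # login uid; 4294967295 = unset
                    'uid': int(sysc['uid']), 'success': sysc.get('success') == 'yes',
                    'cwd': by_type.get('CWD', {}).get('cwd'), 'key': sysc.get('key'),
                    'args': execve_args(execve['_body'])})
    return out


def render(ev):
    """One line per exec, attributed to the login uid (auid); UTC timestamps."""
    when = time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(ev['ts']))
    return (f"{when} auid={ev['auid']} uid={ev['uid']} cwd={ev['cwd']} "
            f"success={'yes' if ev['success'] else 'no'} command={shlex.join(ev['args'])}")


if __name__ == '__main__':
    # --demo prints the sample; otherwise records come from stdin, e.g.
    #   ausearch -k exec --raw --input-logs | python3 auditexec.py
    # or from audispd (plugin with format = string), which feeds records on stdin.
    src = SAMPLE_LOG.splitlines() if '--demo' in sys.argv[1:] else sys.stdin
    for event in summarize_execve(iter_events(src)):
        print(render(event), flush=True)
```

Two practical notes. ausearch reads from stdin rather than the log files whenever stdin is not a tty, which is why it appears to hang from cron or from a non-interactive `ssh host "sudo ausearch ..."`; `--input-logs` forces it to use the files named in auditd.conf. To run the script as an audispd plugin, drop a plugins.d entry (`/etc/audisp/plugins.d/` on audit 2.x, `/etc/audit/plugins.d/` on 3.x) with `active = yes`, `direction = out`, `type = always`, `format = string` and `path` pointing at the script; the records then arrive on its stdin exactly as in SAMPLE_LOG, and `auid` is only meaningful if pam_loginuid is in the login stack so that the login uid is set.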
3
votes
1 answer

How to log execution of a specific binary/script using auditd or other

I have the following situation in hand. I have one or more specific executable files in /usr/bin, I will call one /usr/bin/execute, and they may either be a compiled binary or a script file, such as a perl or python script. I would like to log…
3
votes
1 answer

Disable auditd immutable mode without rebooting

Hello, I've been tasked with fixing up an auditd policy, but it's on a server that's actively being used and the policy installed was set immutable. I've tried searching and everyone recommends rebooting to escape immutable mode… But is there really no…
John Musbach
  • 31
  • 1
  • 1
  • 2
3
votes
1 answer

How to install auditd on CentOS?

How to install auditd on CentOS 6.4 x64? I want to log all commands run by admins on production servers. Edit: I can't run the auditd service. I did it with this tut: enter link description here sudo yum install audit sudo…
Luka Tce
  • 37
  • 1
  • 2
  • 7
3
votes
1 answer

Using auditd to watch a directory non-recursively?

I'm working on a Cent 6 Cpanel machine, and some mystery script is changing the permissions of home directories (!) to 777. I've ruled out all the easy fixes, so I just need to set up a watch on the directory and wait until it happens again. The…
steve c c
  • 158
  • 5
3
votes
2 answers

How to figure out which processes are deleting files from a specific directory?

I'm trying to figure out which processes are deleting files from a specific directory, so I want to set up and run auditd on my system. I've set up the following rule in audit.rules: -w S unlink -S truncate -S ftruncate -a exit,always -k…
Tola Odejayi
  • 334
  • 1
  • 4
  • 19
3
votes
2 answers

Why can't I run ausearch (part of auditd) remotely over SSH?

Any idea why the following doesn't work? It hangs with no output. desktop$ ssh myserver "sudo ausearch -k my_key" However, the following works. It outputs the auditing history of this key from auditd. desktop$ ssh myserver myserver$ sudo ausearch…
richardkmiller
  • 255
  • 2
  • 12
2
votes
0 answers

Auditd how to exclude everything

I am trying to exclude everything but the things I want in Auditd, however the things I've tried, seem to log a lot more details, the majority are irrelevant. -a never,exclude -F msgtype=CWD -a never,exclude -F msgtype=USER_ACCT -a never,exclude -F…
Tbuermann
  • 41
  • 1
  • 1
  • 4
2
votes
0 answers

Auditd - log all ssh sessions

We have about a thousand servers / virtual machines, and currently keeping track of who did what where isn't easy. And to make it worse, clients have access to their own machines and often don't know themselves who may have done what with their…
Ulrar
  • 387
  • 6
  • 23
2
votes
1 answer

Name rotated auditd logs with date

Can auditd use a date instead of an integer to name its rotated audit logs? Right now I have audit.log audit.log.1 audit.log.2 ... When audit.log fills up all of the files are rotated one number higher. I have a script that backs up the audit logs,…
spiffytech
  • 1,063
  • 2
  • 11
  • 17