Questions tagged [auditd]

auditd is the userspace component to the Linux Auditing System.

The auditd subsystem was developed by Steve Grubb and is used to write out audit records generated, generally within kernel space. It allows for monitoring, and logging, of such things as arbitrary system calls or filesystem access. The user space portion is also used as the logging engine for SELinux and pam_tty_audit.

161 questions
2 votes, 2 answers

How to determine process which makes DNS Request?

I have a server on AWS, GuardDuty started sending me notifications: *** "type":"Backdoor:EC2/C&CActivity.B!DNS", *** {"domain":"libcurl.so","protocol":"UDP","blocked":false} *** is querying a domain name associated with a known Command & Control…
kbu
2 votes, 3 answers

Password change audit on Solaris

Is it possible for the Solaris audit sub system to log all password resets for local Solaris accounts? I can't find anything in Oracle's docs, or through general googling, so I'm curious whether this can be done, or if this is a technical…
user3246693
2 votes, 2 answers

Problems with auditd rules files

I have a problem generating auditd rules on CentOS 7. I have 2 .rules files in my /etc/audit/rules.d/ directory. Both files are owned by root and only root has access. When I reload the rules using augenrules --load then run auditctl -l it says No…
liamfit
2 votes, 0 answers

How do I audit cgroup changes?

I have a container process that is mysteriously changing cgroups long after it has been started. How do I track down who/what is changing it? I tried watching my audit log when manually doing a cgclassify command to switch my process and nothing got…
2 votes, 2 answers

What's stopping auditd from logging writes by Syslog when watching a Syslog file?

We've recently started using auditd on one of our Ubuntu servers. The example audit.rules file we were given has a rule like this: -w /var/log/syslog -p wra -k logs However, when syslog writes to the file, nothing gets logged by auditd. Similarly,…
simoesf
2 votes, 0 answers

Linux Auditd tracking writes on external media

So I've been looking at ways to audit when a form of external media performs writes/ uploads on a Linux system. Currently the main solution I have come across is to simply audit when the mount and unmount syscalls occur, as tracking writes may…
2 votes, 3 answers

What is the syslog facility for auditd logs?

Trying to forward only my auditd events by syslog, but I don't know which facility to use. I don't want to send everything to my syslog server as it would create redundancy in logging. I've set the audispd syslog plugin to active and from what I…
ThunderJack
2 votes, 2 answers

How to tell if auditd has suspended logging?

If you put the following in your auditd.conf, auditd will suspend logging when you have 50MB or less space on your disk: admin_space_left = 50 admin_space_left_action = SUSPEND How can an external program, e.g. a monit check, know if auditd has…
2rs2ts
2 votes, 1 answer

How to enable syscall auditing in CoreOs?

Since CoreOs 766, the auditing subsystem is partially integrated: The audit subsystem has been enabled in the kernel and auditctl added to the image. Most audit events are ignored by default. The audit rules may be modified in…
0x90
2 votes, 1 answer

Why is audispd dropping events? What is in the queue?

My audispd keeps logging lots of queue full errors. Jun 9 08:46:29 web audispd: queue is full - dropping event I'd like to understand better why the queue is filling up and whether there is a better way to resolve the problem than continually…
Max Allan
2 votes, 2 answers

auditd process stops logging after logrotate script runs

I am trying to use logrotate to keep audit logs for a set period of time rather than using auditd's special rotation (from /etc/audit/auditd.conf). I have changed the max_log_file_action to IGNORE in that file. The following is my logrotate…
Linux2012
2 votes, 1 answer

log bash command centralized server or any auditd saas

I'm looking for a way to track our sysmin work, in the servers. Let's say sysmin 1 and sysmin 2 have access to any server but we need to make sure and track anything that they do in our server. Something like: server 1 ---- auditd or…
Adam Ramadhan
2 votes, 1 answer

Sudden new S11auditd in /etc/rc3.d

We have several machines running under Fedora 12. We have to deal with complete reinstallation quite often as our product comes with the whole distribution. I've noticed that sometimes soon after new installation a /etc/rc3.d/S11auditd becomes couple…
akalenuk
2 votes, 1 answer

difference between success and failed event in auditd/aureport

The aureport command has two options that limit the list of displayed events to those that were successful and those that failed. Per the man page: --failed Only select failed events for processing in the reports. The default is both…
2 votes, 2 answers

Auditing changes to the audit log

I have configured auditd for PCI compliance reasons. PCI states that existing logs cannot be changed without generating an alert. This article http://ptresearch.blogspot.com/2010/11/requirement-10-track-and-monitor-all.html recommends doing this: -w…
user185704