Questions tagged [auditd]

auditd is the userspace component to the Linux Auditing System.

The auditd subsystem was developed by Steve Grubb and is used to write out audit records, which are generally generated within kernel space. It allows monitoring and logging of such things as arbitrary system calls or filesystem access. The user space portion is also used as the logging engine for SELinux and pam_tty_audit.

161 questions
2
votes
1 answer

CentOS doesn't boot with "A stop job is running for Security Auditing Service" message

CentOS prints the following during boot: [ *** ] A stop job is running for Security Auditing Service (9s / 1min 30s) and then switches into single user mode.
McLayn
1
vote
0 answers

Ubuntu - Don't apply audit policy for specific process

I am using a 3rd party logging service (LogDNA) to centralise my server logs, but the agent installed on the server is actually causing the generation of additional and unnecessary logs. My audit policy includes the line: -w /var/log/audit -p rwxa…
1
vote
0 answers

How can I control the audit backlog limit without the auditd package installed?

I would like to use OSQuery instead of the Linux audit daemon. In my testing on Ubuntu 18.04, if OSQuery binds to the kernel security module and the auditd package is installed, it complains about audit messages being malformed. Removing the…
Craig M
1
vote
1 answer

Configure auditd to monitor the execution of only one command

We have Ansible in place and I want to set up audit so that it logs who executes a play. I therefore want to monitor only the execution of the command ansible or ansible-playbook. I can configure Ansible to log all commands using this: -a exit,always -F…
zn553
1
vote
1 answer

Record ssh REMOTE_USER in audit or history logs

In our company we usually have a single production user user and we ssh to our servers via password-less login with ssh keys. Now, quite a few people work on those servers and sometimes we need to understand why changes were made and who made them.…
Roman
1
vote
1 answer

Permission denied when adding audit rule in audisp plugin

I'm trying to write an audisp plugin on a Linux CentOS 7 VM. Instead of statically setting the audit rules via /etc/audit/rules.d/, I wanted to add rules dynamically in the plugin using libaudit interfaces (based on some system settings). My code…
Nickleman
1
vote
1 answer

Audit file modifications over ssh in linux

I wanted to monitor all the modifications made to a file on a Linux server (Redhat). I did some research and found this auditing tool, which I have already installed and configured using the following commands: yum install audit #…
1
vote
1 answer

Redirect Auditd.log data to rsyslog in RHEL-7

I would like to redirect the auditd log data into rsyslog instead of audit.log file. I see that by default in the /etc/audit/auditd.conf the following line has been included to redirect it to log_file = /var/log/audit/audit.log Is it possible to…
anish anil
1
vote
2 answers

Linux SSH audit for failed root login

Let's assume there are two servers (Server A and Server B). I am seeing failed root ssh login attempts from Server A to Server B. ssh root login has been disabled for both of the servers. I would like to find out all the command history in…
somu
1
vote
1 answer

auditctl doesn't store reads

So I have this rule on auditctl: -w /home/ec2-user/myfile -p rwa -k key-name But when I run ausearch -f /home/ec2-user/myfile or check the logs in /var/log/audit/audit.log, I can't see any reading record for that file, even when I am running cat,…
1
vote
1 answer

Can auditd logs be modified? (Security, shell monitoring)

I recently set up auditd and enabled TTY logging so I could give someone non-root shell access and monitor what they're doing. (For what it's worth I gave them jailshell access, a cPanel feature that restricts their access to only their user…
Dan
1
vote
0 answers

Ubuntu 14.04.5 Need To Know If/When auditd Stops/Crashes

I have a security requirement to take some action (halt or reboot to single user mode) when/if auditd stops or crashes. I have set up auditd.conf to handle running out of disk space. Somehow I don't think auditd can audit itself! Can I somehow use…
1
vote
0 answers

Solaris 11 Auditing, audit_control file cannot be found

First of all I would like to say I'm not a Linux/Solaris guy, but I was just assigned a task to look at one particular item in a hardening checklist, so I'm seeking help here to understand more. From the current checklist there are these command…
nlks
1
vote
1 answer

auditctl: Error - nested rule files not supported

I'm trying to list the rules in a rules file using auditctl, whenever I do: auditctl -R audit.rules -l; I receive the error Error - nested rule files not supported. I've gone so far as to empty the rules file I'm trying to load, but I still get…
Breedly
1
vote
0 answers

Centos 7 auditing pipe-user-pages-soft being exceeded

The following patch introduced behaviour where a user has the default buffer size of new pipes changed if the total amount of memory used by pipes exceeds a threshold. https://lkml.org/lkml/2016/1/18/171 Is there a way to use auditd to trigger on…
dom