Questions tagged [auditd]

auditd is the userspace component of the Linux Auditing System.

auditd was written by Steve Grubb. It receives the audit records generated, mostly inside the kernel, and writes them out to disk, which allows events such as arbitrary system calls or filesystem access to be monitored and logged. The userspace portion is also the logging engine for SELinux and pam_tty_audit.

161 questions
1 vote, 1 answer

auditd doesn't log chmod at all

I run the following, with the idea that I want to log any changes to the permissions of the home/username directory: auditctl -w /home/username -p a Then I run the following: tail -f /var/log/audit/audit.log and I watch changes. I open another…
Sarge
1 vote, 0 answers

CoreOS logs flooded with "Unknown permission status for class system"

I am trying to debug an issue, and I was wondering if this rings a bell to anyone: My logs get flooded with audit: type=1107 audit(1479418315.344:1053): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='Unknown…
m6a-uds
1 vote, 1 answer

auditd - Getting only EXECVE in ausearch?

I'd like to use the auditd daemon to log whatever is run as or by root on our servers. To that effect, I added the following lines to /etc/audit/audit.rules: # Log all commands run as (or by) root -a exit,always -F arch=b64 -F euid=0 -S execve -k…
1 vote, 0 answers

How to record audit logs for only one specified file in FreeBSD?

On Red Hat Linux I can specify the file I want to record audit logs for with this command: auditctl -a exit,always -F path=/tmp/foo.txt -F perm=war I cannot figure out how to do a similar thing on FreeBSD. The only way I've found to record audit…
1 vote, 0 answers

Audit only changes to files

I'm using Auditd to record any changes to files. Here is rule: # auditctl -l LIST_RULES: exit,always dir=/var/local/ (0x1e) perm=w key=state-files but if I run: # ausearch -i -k state-files command I got: ... type=PATH msg=audit(04/27/16…
QkiZ
1 vote, 0 answers

auditd: Difference between watch and syscall

There appear to be two ways of specifying an auditd rule to watch a given file or folder. The first uses -a -a exit,always -F dir=/path/to/file -F perm=wa -F success=1 And the second uses -w -w /path/to/file -p wa Aside from one being obviously…
Marcus Downing
1 vote, 1 answer

Access history for NFS server

I have a server (OS: Debian) on which nfs-kernel-server is installed and running. When an NFS client accesses, reads or writes a file or directory in the NFS share directory, I want to capture and save all information about date, time, client IP, action,…
Waveter
1 vote, 2 answers

Auditd multi-line log format

It seems that for any given "event" that auditd picks up, there are on the order of four log lines added to the auditd log. Is there any predictable pattern that can be used to group log file lines into a single event? Specifically, I'm looking for…
JDS
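
The multi-line format question above and the earlier "Getting only EXECVE in ausearch?" question come down to the same detail: every record belonging to one event carries the same msg=audit(<seconds.millis>:<serial>) identifier, and ausearch and aureport group records on it. The Python below is an added example for this page, not code from the original posts or from the audit project. It groups records by that identifier, pulls the fields an investigator usually wants out of the SYSCALL record, rebuilds argv from the EXECVE record, collects PATH names, and treats auid=4294967295 (the value auditd prints for an unset login uid, i.e. a process that never went through pam_loginuid) as "unset". The log lines in SAMPLE_LOG and the key name root-cmds are constructed for the example.

```python
"""Group Linux audit records into events and summarise them.

Added example for this page; it is not code from the original posts or
from the audit project. The records in SAMPLE_LOG are constructed to
look like what auditd writes to /var/log/audit/audit.log.
"""
import re
from collections import OrderedDict

# auditd prints an unset login uid as (uid_t)-1, i.e. 4294967295.
AUID_UNSET = 4294967295

# Common prefix of every record: type=<TYPE> msg=audit(<secs.ms>:<serial>): <fields>
_HEADER = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; values are either double-quoted or bare. Strings containing
# special characters are written hex-encoded and unquoted; they are kept as-is
# here (ausearch -i decodes them).
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: two execve events logged under a rule with -k root-cmds.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1479418315.344:1053): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1000 pid=1001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="id" exe="/usr/bin/id" key="root-cmds"
type=EXECVE msg=audit(1479418315.344:1053): argc=2 a0="id" a1="-u"
type=CWD msg=audit(1479418315.344:1053):  cwd="/root"
type=PATH msg=audit(1479418315.344:1053): item=0 name="/usr/bin/id" inode=1234 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1479418315.344:1053): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5678 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1479418320.100:1054): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=1 ppid=1 pid=2000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="root-cmds"
type=EXECVE msg=audit(1479418320.100:1054): argc=1 a0="cron"
type=PATH msg=audit(1479418320.100:1054): item=0 name="/usr/sbin/cron" inode=999 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""


def parse_record(line):
    """Parse one audit.log line into its type, event id and fields."""
    m = _HEADER.match(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD.findall(m.group("body"))}
    return {"type": m.group("type"),
            "event": m.group("ts") + ":" + m.group("serial"),
            "fields": fields}


def group_events(text):
    """Group records sharing one audit(ts:serial) id, preserving log order.

    The serial restarts at boot, so the timestamp stays part of the key."""
    events = OrderedDict()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["event"], []).append(rec)
    return events


def execve_argv(records):
    """Rebuild argv from the EXECVE record (argc, a0, a1, ...), if present."""
    for rec in records:
        if rec["type"] == "EXECVE":
            f = rec["fields"]
            return [f.get("a%d" % i, "") for i in range(int(f.get("argc", "0")))]
    return None


def summarize_event(event_id, records):
    """Pull the fields an investigator wants from one event's records."""
    syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
    if syscall is None:
        return None
    f = syscall["fields"]
    auid = int(f.get("auid", AUID_UNSET))
    return {
        "event": event_id,
        "key": f.get("key"),
        "auid": None if auid == AUID_UNSET else auid,  # None: no login session
        "uid": int(f["uid"]),
        "euid": int(f["euid"]),
        "success": f.get("success") == "yes",
        "argv": execve_argv(records),
        "paths": [r["fields"]["name"] for r in records if r["type"] == "PATH"],
        "record_types": [r["type"] for r in records],
    }


def events_with_key(text, key):
    """Events whose SYSCALL record carries the given -k key, in log order."""
    out = []
    for event_id, recs in group_events(text).items():
        s = summarize_event(event_id, recs)
        if s is not None and s["key"] == key:
            out.append(s)
    return out


if __name__ == "__main__":
    for s in events_with_key(SAMPLE_LOG, "root-cmds"):
        who = "auid=%s" % ("unset" if s["auid"] is None else s["auid"])
        print(s["event"], who, "euid=%d" % s["euid"], " ".join(s["argv"] or []))
```

Running it against a real /var/log/audit/audit.log (read as text) works the same way; the one thing to keep in mind is that the EXECVE record, not the SYSCALL record, holds the command line, which is why a search that returns only SYSCALL or only EXECVE records looks incomplete.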
1 vote, 1 answer

Auditd is writing a lot to logs

I recently tried to use auditd to find what's creating tmp files on a CentOS 5 x64 OS. I removed the rules: # auditctl -l No rules but there is a lot of writing to the auditd logs. If I check the logs using ssh: # watch ls -la /var/log/audit/ auditd…
NickSoft
1 vote, 1 answer

When does augenrules run automatically on CentOS 7.1?

I need to update /etc/audit/audit.rules. I would replace the file and restart the service, but I found in the log a call to augenrules during initial startup of the machine. Apart from the initial startup, is there any time when augenrules runs…
David Resnick
1 vote, 0 answers

audisp-remote signal USR1 works as root, not with sudo

So I have a weird problem that I'm running out of ideas to troubleshoot. My RedHat machines are using audisp-remote to send syslog messages to a central server. audisp-remote will respond to the USR1 signal by dumping a line of status info into…
hymie
1 vote, 1 answer

How do I audit changes to a dir via a symlink?

Use of the auditd system to watch a directory via a symlink hardly triggers any logs. Here is the situation: # pwd /home/root/serverfault # ls -l total 4 drwxr-xr-x 2 root root 4096 Sep 1 15:12 dir lrwxrwxrwx 1 root root 3 Sep 1 15:12 p ->…
pdp
1 vote, 0 answers

Samba module full_audit is logging actions that didn't occur

Our company has a file server, a 64-bit Debian Squeeze, sharing some folders to Linux servers using NFSv2 and to Windows workstations using Samba. I want to log access to a specific set of shared files. I installed and configured the full_audit…
dbourcet
1 vote, 1 answer

auditd auid changes after su

I try to implement individual accountability for my RHEL systems using selinux and the audit.log. I followed the instructions given here: Log all commands run by admins on production servers If I understand it correctly, the pam_loginuid.so should…
fetch101
1 vote, 1 answer

How to properly look for info about auditd being turned off from init?

I have a mystery on my hands. One day /etc/rc5.d/S11auditd became /etc/rc5.d/K88auditd and no one takes responsibility for it. It looks like it just happened by itself, which is hardly plausible and requires a little investigation. Assuming default…
akalenuk