Questions tagged [auditd]

auditd is the userspace component of the Linux Auditing System.

The auditd subsystem was developed by Steve Grubb and is used to write out audit records, which are generally generated within kernel space. It allows for monitoring and logging of such things as arbitrary system calls or filesystem access. The userspace portion is also used as the logging engine for SELinux and pam_tty_audit.

161 questions
1
vote
1 answer

Ignore specific types with auditd

I've recently been playing around with auditd and trying to cut out some of what it is logging. Here is my audit.rules entry to log execve # First rule - delete all -D -a always,exit -F arch=b64 -S execve -a always,exit -F arch=b64 -S vfork -a…
MyelinSheath
  • 11
  • 1
  • 3
1
vote
0 answers

How can I get auditd on RHEL6 to dispatch forwarded messages?

Using RHEL6, I currently have audispd set up to send logs to a remote server. The remote server successfully receives the messages, and writes them to the remote audit log. My problem is, I can't seem to get the forwarded messages (local ones work) to…
1
vote
1 answer

How does fastCGI PHP alter a file and escape detection by auditd?

The other day I set up a little shell script on a Debian server to send me an email when files change; it looks like this: #!/bin/sh items=`find /var/www/vhosts -regex ".*/httpdocs/.*" -newer files_start -ls` if [ ! -z "$items" ] then touch…
1
vote
1 answer

pam_tty_audit apparently not working

I just compiled the pam_tty_audit module, because my Linux distro doesn't include it with the usual PAM modules. I added the configuration line to /etc/common-session, as suggested in this question. In my /var/log/messages I got a message each…
JoseLSegura
  • 121
  • 1
  • 4
1
vote
1 answer

How to check which processes are deleting files without using inotify or auditd?

I'm trying to figure out which processes are deleting files from a specific directory on my CentOS server. I looked at inotify, but all this does is tell me how many file deletions are occurring; it does not tell me what process, run by which user…
Tola Odejayi
  • 334
  • 1
  • 4
  • 19
1
vote
0 answers

Unexpected jBoss crash and auditing signals

We're experiencing unexpected JBoss crashes on a semi-regular basis. JBoss 5 is running on RHEL6 in this case. I believe this is related to a SIGUSR1 sent to the JBoss process. The JBoss server logs simply end; nothing is logged at all regarding…
Antitribu
  • 1,719
  • 3
  • 23
  • 37
1
vote
1 answer

auditd rule for number of logins

I am using Debian squeeze and installed auditd on it. When I run aureport it always shows Number of logins = 0 and Number of failed logins = 0. What rule should be added in audit rules for recording these parameters?
chinmayv
  • 25
  • 5
1
vote
3 answers

Problem setting audit rules: Syscall name unknown: stime

I am setting audit rules in /etc/audit/audit.rules. Per the requirement: The audit system should be configured to audit all administrative, privileged, and security actions. So I added one line to /etc/audit/auditd.rules: -a exit,always -S stime -S…
zhaojing
  • 195
  • 2
  • 3
  • 11
1
vote
1 answer

How can I pick up vsftpd logins with auditd and its prelude plugin?

I have a server running auditd and prelude with the audispd-prelude plugin. Currently I get events for several types of logins, like sshd and gdm. However, I don't seem to ever get login info for vsftpd. I know that I can change vsftpd's…
tharris
  • 11
  • 3
1
vote
0 answers

How to set proctitle to ASCII in auditd?

I configured auditd to send the logs to SIEM through rsyslog. But when I get those logs the proctitle is in hex. Ex.: <134>Aug 25 17:08:44 vmauditd tag_audit_log: node=vmauditd type=PROCTITLE msg=audit(1692983317.146:7444):…
1
vote
1 answer

auditd.conf - when is "verify_email" actually checked?

When using an email address in /etc/audit/auditd.conf, there is an option verify_email which is defined as: This option determines if the email address given in action_mail_acct is checked to see if the domain name can be resolved. This option must…
J'e
  • 83
  • 9
1
vote
1 answer

Audit log emails not going to the correct address

On Ubuntu 20, I'm trying to send audit logs to destination@example.com. I do have a real domain and email server but I'm redacting them here. When I trigger an audit event, the email is instead sent to root on the local machine. So far I've tried…
J'e
  • 83
  • 9
1
vote
2 answers

What can you do when auditd halts the system?

I recently had an issue where my server powered off in the middle of running a script, seemingly randomly, but at about the same point each time, and then whenever I tried to power the server on again it would start the start-up process and then…
Dave
  • 111
  • 4
1
vote
1 answer

Auditd - Don't log events from salt-minion

I'm updating our Auditd rules (Red Hat Linux) to log all tty/interactive commands from all users. That part works no problem. What I'm trying to do now is to exclude commands issued by our salt-master that are executed on one of our salt-minions. …
Egyas
  • 151
  • 2
  • 10
1
vote
1 answer

Find process that makes outbound HTTP calls, trying auditd with syslog-ng

Some application (it's unknown which) makes sporadic, irregular, rare, short outbound HTTP(S) requests to a known host/port/URL (this is a WAF honeypot; host/URL/port is known) using the HTTPS protocol. Requests may occur once per 3-5 days. It's literally…
lospejos
  • 846
  • 1
  • 9
  • 8