Questions tagged [auditd]

auditd is the userspace component to the Linux Auditing System.

The auditd subsystem was developed by Steve Grubb and is used to write out audit records, which are generally generated within kernel space. It allows for monitoring and logging of such things as arbitrary system calls or filesystem access. The user space portion is also used as the logging engine for SELinux and pam_tty_audit.

161 questions
1 vote, 0 answers

Linux Auditd monitoring of file operations in mounted folder

I have a multi-node Kubernetes cluster and I would like to monitor file operations that are made by containers in a mounted persistent volume. I found that all PV data are located at nodes in…
lukas.hubl
1 vote, 0 answers

auditd - dir cannot be used with exclude filter?

I have a problem with auditd rules. I'd like to audit the /opt/zimbra/mailboxd/webapps/ dir but without the zimbraAdmin/WEB-INF/, zimlet/WEB-INF/ and zimbra/WEB-INF/ subfolders. cat /etc/audit/audit.rules: ## This file is automatically generated from…
XorOrNor
1 vote, 0 answers

auditd killing a server?

In /var/log/kernellog we can see many entries for audit (since we have "space_left_action = SYSLOG" and "write_logs = no"): ... audit: audit_backlog=32769 > audit_backlog_limit=32768 audit: audit_lost=1 audit_rate_limit=0…
jim7475
1 vote, 0 answers

stop kernel audit messages logged in syslog without disabling auditing

OS: CentOS 7. I am trying to figure out how audit (kaudit) events are logged in /var/log/messages. I have enabled audit=1 in grub, which means that when the server boots, kernel auditing is enabled. This is the desired state for the particular system and…
giomanda
1 vote, 1 answer

Auditd not sending logs to centralized auditd log server

We have set up centralized logging of auditd messages for two machines: machine www22.domain.com is the source (CentOS 8); machine cls.domain.com is the centralized log server (CentOS 7). This was done in the standard way using auditd+audisp…
Ján Lalinský
1 vote, 1 answer

Log execve's, along with parent process argv?

I'm trying to figure out if I can decommission an old server. I need information about the automated processes running there. So far I tried the following: auditctl -a exit,always -F arch=b64 -S execve -k any-commands. At the log analysis stage, I…
d33tah
1 vote, 0 answers

selinux - why can't stuff_u with sysadm_r run postsuper?

I am trying to understand how SELinux confined users really work, but there are a few behaviours that I still cannot understand. According to the Red Hat SELinux User Capabilities, stuff_u users should be able to run sudo, but not su. So I have created…
Jose
1 vote, 0 answers

Monitoring IPv6 connection via auditd

Some time ago I was interested in monitoring TCP/UDP connections with detailed information about the process that initiated the connection. I have found a helpful article about that - Finding short-lived TCP connections owner process - so I have executed: auditctl…
Bormental
1 vote, 2 answers

Issue with running Linux Audit System in a nested Virtual Machine inside Google Cloud Engine

I am trying to run the Linux audit system in a nested virtual machine on the Google Cloud Engine. The problem I am facing is that the Linux Audit System suspends after showing the following error after a few minutes when I view the auditd…
1 vote, 0 answers

CentOS USER_CMD logs auditd

We are trying to start logging all commands executed by users (including root) on CentOS using auditd with type=USER_CMD; how can we do it? We are already getting commands starting with sudo, but not others. The auditd setting which allows us to log sudo…
1 vote, 0 answers

Tracking TCP Connection in background

I am looking for a daemon utility to track all non-local TCP connections and which binaries establish the TCP connections (actively and passively) with which IPs and ports. auditd seems like a great tool. Following this post, I notice that the…
HCSF
1 vote, 0 answers

Filtering auditd log entries by msg content

I want to filter out these messages. They are generated by the user crontabs running every minute: type=USER_END msg=audit(1611873842.675:459608): pid=19114 uid=0 auid=10061 ses=480462 subj==unconfined msg='op=PAM:session_close acct="web59"…
Pyloor
1 vote, 0 answers

Auditd to CloudwatchLogs to IDS alerts?

I'm administering a relatively simple AWS stack with about 5 heterogeneous Linux EC2 instances. All instances have already been set up to ship important logs to CloudWatch Logs. Now I want to set up a basic HIDS for this system covering all nodes.…
spinkus
1 vote, 1 answer

RHEL: Splitting auditd logs into multiple files for different rules

We have an audit.rules defined and things in rules.d. Many of these are for RHEL CIS compliance and others are more specific to Docker CIS compliance. One problem we are having is that certain rules (e.g. Docker file system rules) account for TBs…
JD D
1 vote, 1 answer

Auditd not sending to remote central server

I'm setting up a central server using rsyslog and auditd on CentOS 8. I was following this guide on how to send remote audit logs to my central server. Note: instead of being in /etc/audisp/, these files can be found in /etc/audit/ instead. So I…
Gwynn