Questions tagged [auditd]

auditd is the userspace component to the Linux Auditing System.

The auditd subsystem was developed by Steve Grubb and is used to write out audit records, which are generally generated within kernel space. It allows for monitoring and logging of such things as arbitrary system calls or filesystem access. The user space portion is also used as the logging engine for SELinux and pam_tty_audit.

161 questions
1 vote, 1 answer

How can one identify what changes the SELinux file context of a file?

I'm noticing some files within a web directory with changed file contexts that deviate from system policy. There are developers that run git pull at a higher part of the web directory and I'm wondering if that could be the cause, but my…
0 votes, 1 answer

Auditing user activity when using SSH Certificates

I have been reading a lot lately on SSH Certificates and I love the advantages it brings. Before investing time in building my own POC, I wanted to know how (if at all) it would be possible to audit user activity when using SSH Certificates. Per my…
cybervedaa
0 votes, 1 answer

Logging changes to file change/modify attributes

System is CentOS 8. I need to determine what process is touching a file without making any changes in content. I've tried auditctl but it does not seem to have a filesystem watch that can track these attributes. sudo auditctl -w /boot/grub2/grubenv…
Ex Umbris
0 votes, 2 answers

Disable cron messages in auditd

I can't seem to find a way to filter cron messages from auditd, no matter what rules I have in place. I'm using Ubuntu 18.04.3 LTS. For example, even if my /etc/audit/audit.rules contains no rules: -D -b 8192 -f 1 --backlog_wait_time…
1nsane
0 votes, 1 answer

How to configure auditd to collect logs from /proc kernel file directory

I've been looking for this for about 3 days now and have come up empty-handed. I am looking for a way to build a threat alert for Linux-based credential dumping in Splunk. To do this I need to be able to monitor the /proc directory. I found audit…
0 votes, 1 answer

Connections show up in tcpdump but not in auditd or ss

I ran tcpdump on a node on which I can see many outbound TCP connections to a specific host (inside my network) on a specific port (8086). I'd like to know which process is making those connections. I used: while true; do ss -ntap '{ dport :8086 }';…
kjq07bd
0 votes, 1 answer

Debugging how a symbolic link is getting broken in Ubuntu?

I have a symbolic link of the form ubuntu@platform1:~$ ls -lrt total 28 drwxr-xr-x 4 ubuntu ubuntu 4096 Mar 2 15:02 deploy lrwxrwxrwx 1 ubuntu ubuntu 14 May 25 18:27 logs -> /var/log/arkin Disk layout ubuntu@platform1:~$ df -h Filesystem …
tuk
0 votes, 1 answer

Auditd Log all executions except some scripts

I configured my auditd to log all execve syscalls using these rules: -a exit,always -F arch=b32 -S execve -a exit,always -F arch=b64 -S execve While this perfectly captures all activity of any user on the system, obviously there is a lot of noise…
KlausB
0 votes, 1 answer

How can `auditd` log in `/var/log/audit/audit.log` even though `auditctl -l` is empty?

My server is CentOS 7.6. [root@localhost /]# auditctl -l No rules [root@localhost /]# cat /var/log/audit/audit.log type=CRED_REFR msg=audit(1552434501.528:25860): pid=12659 uid=0 auid=0 ses=3578 msg='op=PAM:setcred grantors=pam_env,pam_unix…
kittygirl
0 votes, 0 answers

Trying to enable auditd but svcadm is not in Solaris 10

I am new to Solaris. Environment: Solaris 10 / i386. Here's my problem: I want to enable auditd to start generating the system auditing log file (like service auditd start in CentOS). And every guide I found is saying that it can be enabled by…
Kenting
0 votes, 1 answer

Audit log filling up without any rules

I have set up certain audit rules; however, the audit log is filling up with unnecessary events which I don't want to log. Is there any way that auditd will log only the defined rule-based events? OS: RHEL 7.3
0 votes, 1 answer

Using auditd and retaining log files for 6 months.

Disclaimer: I'm not an accredited nor very experienced sysadmin but have been tasked with some sysadmin responsibilities Task: Find a way to log all account management activities (e.g., account creation, modification, deletion, etc.) on an Ubuntu…
repr0
0 votes, 1 answer

ausearch to filter audit logs to show only read, write, and attribute changes of a file

I want to filter audit logs for changes made to the /etc/hosts file using ausearch (audit). I can see multiple entries for a single modify action on the file in ausearch, like syscall=chmod, syscall=open etc. Please help me to understand the exact filter…
0 votes, 0 answers

How to view audit logs on the server

I'm trying to set up an NFS share. I've configured the share. Now I want to view the logs associated with the files in the NFS share. I've created a centralized log server. I don't know the difference between centralized rsyslog and centralized audit…
Lublaut
0 votes, 1 answer

How to configure auditd to record all activity from events which are run with WinSCP

I have a requirement from a customer (I have no idea if it can be implemented, after days of searching). This is the request: "The auditlog rules should be extended for events (create, delete, update, change, rename) independent from a user. I hope…
Sissi_00_20