Questions tagged [auditd]

auditd is the userspace component of the Linux Auditing System.

The auditd subsystem was developed by Steve Grubb and is used to write out audit records, which are generally generated within kernel space. It allows monitoring and logging of events such as arbitrary system calls or filesystem access. The userspace portion is also used as the logging engine for SELinux and pam_tty_audit.

161 questions
0 votes · 1 answer

Restart of auditd causes audispd reconfigure infinite loop

We restart some of our services on Debian jessie every night at 11:45 PM as part of logfile rotation. Among those services that we restart is the auditd service. We are sometimes seeing that audispd goes into an infinite-reconfigure loop when…
user35042 · 2,681 · 12 · 34 · 60
0 votes · 1 answer

auditd cache activity filtering?

Can anyone suggest a strategy for filtering browser cache activity from auditable events in CentOS6. Apparently el7 has added capabilities for filtering on executables? But all of our workstation instances are still on 6. I have requirements that…
Mark M · 11 · 3
0 votes · 1 answer

How to stop syslog or auditd/audisp from adding host information to forwarded log files?

I have forwarded the auditd log files to a central log server, but the log received at the central log server has extra information added to it which I don't want. Note (auditd and syslog are on the same server where the auditd forwards auditd log events to…
sherpaurgen · 616 · 6 · 10 · 26
0 votes · 1 answer

Why does auditd only log `echo` when I use the absolute path?

Info Running auditd version 2.6.5 on Centos 7. My rules file contains: -a exit,always -F arch=b64 -F auid=0 -S execve -k root_action -a exit,always -F arch=b32 -F auid=0 -S execve -k root_action When I run which echo, I get…
Rickkwa · 103 · 3
0 votes · 0 answers

Is there any way to log all system calls with DTrace?

I installed DTrace on Ubuntu by the following command: sudo apt-get install systemtap-sdt-dev Is there any way to log all system calls with DTrace (it is possible by auditd but it crashes after 20 minutes)?
Iman · 103 · 1 · 3
0 votes · 2 answers

How to prevent logging USER_AUTH and USER_LOGIN events with auditd

I am trying to log changes to a file system using auditd, but I am seeing also many other things being logged, for example all failed SSH logging attempts (USER_AUTH and USER_LOGIN events). How can I prevent them from being logged? When I do…
Mitar · 517 · 4 · 18
0 votes · 1 answer

CentOS 7.3 audit2allow returns "plural forms expression could be dangerous"

Hi, I try to check audit2why or audit2allow but I get an error: cat /var/log/audit/audit.log | audit2why plural forms expression could be dangerous I have just installed the latest CentOS from repos, using the netinstall ISO. Also during install, I have…
BiG_NoBoDy · 138 · 1 · 8
0 votes · 1 answer

auditd not logging file actions properly

I have a Linux machine where I have configured an audit rule for monitoring any types of changes on a file. This is the rule I placed in /etc/audit/audit.rules file: -w /home/ec2-user/splunk-test/secret-file -p rwxa -k log_everything This file is…
serverstackqns · 764 · 3 · 16 · 42
0 votes · 0 answers

How do I get auditd to show me the folder/file name of something it's monitoring, when the changes are made via an smb client?

I'm using auditd to audit a folder, /shared, for read, write, attribute changes and deletions. I have installed auditd and configured the following rules: -a exit,always -S unlink -S rmdir -a exit,always -F path=/shared If I run a manual report…
CIA · 1,604 · 2 · 13 · 32
0 votes · 1 answer

Can aureport show filenames for read/write access reporting?

I installed auditd this evening in the hopes of using it to report on files written or appended to within a directory tree on my server. I have successfully configured rules using auditctl, but I cannot find any way to get the ausearch or aureport…
John Rix · 133 · 6
0 votes · 1 answer

Centos audit.log is full of irrelevant information

My audit.log file is full of information that I don't need (and want to disable). A lot of log lines like: type=SYSCALL msg=audit(1467201475.671:36911834): arch=c000003e syscall=2 success=yes exit=49 a0=7f770ed9f318 a1=0 a2=0 a3=7f7712c00000 items=1…
0 votes · 1 answer

Restarting audit on El Capitan

I want to monitor process startup on El Capitan. Darwin MaeLucirdosiMac.home 15.5.0 Darwin Kernel Version 15.5.0: Tue Apr 19 18:36:36 PDT 2016; root:xnu-3248.50.21~8/RELEASE_X86_64 x86_64 Below is my configuration. I have added the ,pc to line…
Justin Dearing · 1,037 · 12 · 33
0 votes · 1 answer

How can I process auditd logs on the fly using ausearch?

I want to ship off logs into centralized logging (ELK). Because of the way things are, I need to do the processing on the machine that creates the logs. How can I get each new auditd event to automatically be processed by ausearch and written to…
devinov · 153 · 1 · 6
0 votes · 1 answer

After change, puppet now runs as the "ubuntu" user, and auditd is freaking out

This is a very strange question and I don't even know how to Google for it, so I'm posting here to see if anyone has encountered this sort of situation before. I have multiple Ubuntu 14.04 systems running in AWS EC2. We have several VPCs dedicated…
JDS · 2,598 · 4 · 30 · 49
0 votes · 1 answer

pam_tty audit logs give too much information that is not required

We are using pam_tty to record all the commands that a user types. We are interested in monitoring the user commands. In the audit.log, when we grep for USER_TTY, there is too much logging that comes. Here is the attached log screenshot:- In…
zealvora · 81 · 2 · 9