Displaying 19 results from an estimated 19 matches for "auditctl".
2007 Sep 03
1
Linux User Auditing
Is it possible to audit the Linux user shell? I am trying to gather what
commands a user is running on our systems.
Can auditd handle this?
TIA
2009 Feb 10
0
process accounting - track PIDs
...same PID that initiates the lock request. Even with
running "ps auxww" in a "while true" loop I cannot seem
to capture the PID; it comes/goes too fast. I can see the
PID right after the one specified, but not the one I
want.
I tried a couple of things I found for the audit system:
auditctl -a entry,always -S fork -S vfork -S clone
auditctl -a entry,always -S brk -F 'a0=0'
auditctl -a task,always
auditctl -a exit,always
And none of them were able to detect the PID that was created.
Another way to approach this is perhaps NLM debugging
on the linux client side but I haven'...
2005 Nov 28
1
Is samba or a kernel bug causing my FC4 server to crash?
...9 for sclass=49
Oct 26 09:30:15 poseidon kernel:
Oct 26 09:30:15 poseidon kernel: audit(1130333415.900:21311): arch=40000003 syscall=102 success=yes exit=16 a0=b a1=bfc8d790 a2=80510f8 a3=bfc93bb8 items=0 pid=18765 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Oct 26 09:30:15 poseidon kernel: audit(1130333415.900:21311): saddr=100000000000000000000000
Oct 26 09:30:15 poseidon kernel: audit(1130333415.900:21311): nargs=6 a0=3 a1=bfc91a1c a2=10 a3=0 a4=bfc93bb8 a5=c
Oct 26 09:30:16 poseidon kernel: audit(1130333416.000:...
2018 Oct 14
3
Centos7 & Selinux & Tor
I've just encountered a problem starting tor. When I do 'systemctl
start tor' it fails and I get selinux errors in the log. There was a
suggestion to do full auditing with 'auditctl -w /etc/shadow -p w'.
Which I did and it gave the following
type=PROCTITLE msg=audit(1539540150.692:60570):
proctitle=2F7573722F62696E2F746F72002D2D72756E61736461656D6F6E0030002D2D64656661756C74732D746F727263002F7573722F73686172652F746F722F64656661756C74732D746F727263002D66002F6574632F746F72...
2011 Jun 01
3
puppet and environments ... need help
...]/Common::Syslog/Service[syslog]: Would have
triggered ''refresh'' from 1 events
--- /etc/audit/audit.rules 2011-05-27 08:29:07.000000000 -0500
+++ /tmp/puppet-file20110601-30205-h9qyn0-0 2011-06-01
13:27:44.471940710 -0500
@@ -12,4 +12,5 @@
# Feel free to add below this line. See auditctl man page
--w /etc/syslog-ng/syslog-ng.conf
\ No newline at end of file
+-w /etc/syslog-ng/syslog-ng.conf
+# beta
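Review bot: the watch line in this hunk is unchanged; the only differences are the missing newline at the end of the old file ("\ No newline at end of file") and the added `+# beta` comment, so the md5 mismatch puppet reports above is a whitespace-and-comment change, not a new rule. While the file is being touched, the `-w /etc/syslog-ng/syslog-ng.conf` watch carries no `-p` permission set and no `-k` key; writing it as `-w /etc/syslog-ng/syslog-ng.conf -p wa -k syslog-ng` would restrict events to writes and attribute changes and let `ausearch -k syslog-ng` pick them out, in the style of the `-p war -k asterisk-bin` rule quoted elsewhere on this page.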
notice: /Stage[main]/Common::Auditd/File[audit.rules]/content:
current_value {md5}6a01ac645e8aed5a4f0f5c165815dc78, should be {md5}
197364e2ca6f10b9ec4d73168eabe7c6 (noop)
info: /Stage[...
2015 Jan 09
1
Asterisk executable suddenly about 40KB larger - modules (Andres)
>I would also start by putting an audit rule on the binary. Something like
>this:
>auditctl -w /usr/sbin/asterisk -p war -k asterisk-bin
>then you can get a report on who modified it and when by using:
>ausearch -f /usr/sbin/asterisk
>It's a start, but eventually you might need to monitor even keystrokes with
>pam_tty_audit.so to understand who is doing this:
>http://poorlydo...
2018 Oct 23
0
Centos7 & Selinux & Tor
On Sun, 2018-10-14 at 20:13 +0200, Robin Lee wrote:
> I've just encountered a problem starting tor. When I do 'systemctl
> start tor' it fails and I get selinux errors in the log. There was a
> suggestion to do full auditing with 'auditctl -w /etc/shadow -p w'.
> Which I did and it gave the following
>
> type=PROCTITLE msg=audit(1539540150.692:60570):
> proctitle=2F7573722F62696E2F746F72002D2D72756E61736461656D6F6E0030002D2D64656661756C74732D746F727263002F7573722F73686172652F746F722F6465666175
>...
2020 Sep 14
0
Auditd NETFILTER_PKT record missing src port, dst port
Dear team
The auditd log for the NETFILTER_PKT event does not contain the src port,
destination port, or in and out interface.
Has it been removed permanently (
https://patchwork.kernel.org/patch/9638183/)
or can it be enabled by some configuration via auditctl?
centos version : CentOS Linux release 7.6.1810 (Core)
our kernel version : Linux version 3.10.0-1127.8.2.el7.x86_64 (
mockbuild at kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat
4.8.5-39) (GCC) ) #1 SMP Tue May 12 16:57:42 UTC 2020
Thanks and regards
Akshar
2010 Apr 02
0
Watching a file using auditd
Hi,
I am using auditd to monitor files for changes (read and write actually).
I found that when auditd is running, it will correctly report files that are read, but will not report changes to a file that is being monitored.
But if I stop auditd and load audit rules using auditctl, it will work as expected.
Here's the audit rule:
-w /tmp/audit-test -p rw -k __monitored__
What am I missing here? Thanks.
2013 Apr 30
0
httpd writes much to /var? How to audit it properly?
...ntOS release 6.3 (Final)
From time to time (it happens on different machines) I have a very high
load, up to 100, and I see that there are up to 300/s writes to /var at the
same time. An Apache restart solves the problem. I would like to know the
reason, so I decided to use auditd.
I've used:
auditctl -w /var -p warx
And for example:
ausearch -f /var -i -ts 04/29/2013 23:00:00 -te 04/29/2013 23:01:00 -ua
11111 | grep 'syscall=open' | wc -l
gives me "5" but in my monitoring I see that there were up to 300 writes
per second to /var at the same moment (id 11111 - httpd) (I have...
2014 May 29
1
files automatically changing permissions
hello,
I'm running apache 2.2.24 and php 5.2.17. The web site that it's serving
turns into a 403 Forbidden error every 5 minutes, literally. I've found that
doing a chmod -Rv 775 on the web root restores the site. However, this is a
band-aid and no real solution.
I've combed through all the cron jobs in /var/spool/cron both on this
machine and the one it was recently transferred
2014 Feb 27
0
Re: [libvirt] LXC, user namespaces and systemd
...ine with audit=0
>
> # vi /etc/default/grub
> GRUB_CMDLINE_LINUX=" [...] audit=0 [...]"
IIUC, this is no longer needed with systemd 209 and above. I just did a
quick test[1] with
systemd-210-2.fc21.x86_64
3.14.0-0.rc4.git0.1.fc21.x86_64
and audit subsystem enabled:
$ auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=816 rate_limit=0 backlog_limit=320 lost=0 backlog=0
I can at least boot into my old systemd-nspawn container just fine. Yet
to test with libvirt-lxc.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=966807#c14
--
/kashyap
2015 Jan 08
1
Asterisk executable suddenly about 40KB larger - modules
Hi guys
Thanks for the pointers - I'll look into the possible compromise scenario
though I've got no idea how I'll counter it -if- I manage to detect it...!
I've disabled prelinking (thanks Tony!) and I'll see if that helps.
Interesting thing I've now discovered (had this failure again at the head
office this morning) is the "growth" in the file's size is
2018 Oct 23
1
Centos7 & Selinux & Tor
...18 2:49 PM, Robin Lee wrote:
> On Sun, 2018-10-14 at 20:13 +0200, Robin Lee wrote:
>> I've just encountered a problem starting tor. When I do 'systemctl
>> start tor' it fails and I get selinux errors in the log. There was a
>> suggestion to do full auditing with 'auditctl -w /etc/shadow -p w'.
>> Which I did and it gave the following
>>
>> type=PROCTITLE msg=audit(1539540150.692:60570):
>> proctitle=2F7573722F62696E2F746F72002D2D72756E61736461656D6F6E0030002D2D64656661756C74732D746F727263002F7573722F73686172652F746F722...
2006 Sep 20
2
Status of MFC security event audit support in RELENG_6?
A few weeks back Robert Watson announced the merge of these features from 7
back into 6-STABLE. I haven't seen any updates and was curious as to the
status. We 6-STABLE users are keen to test it out.
Thanks.
--A
2010 Jan 29
4
Browser related question
Greetings,
How does one monitor whether a site is being accessed using a browser?
IOW, I just want to know if a user has launched a session through Firefox.
I basically want to know if a user has tried to access the webserver
and been unable to reach it, and log such instances.
I am using cron and curl to separately monitor the link.
Any clues?
Centos 5.2/Gnome/Firefox 3.0.16
Regards
Rajagopal
2017 Jan 29
2
tor and selinux
...confidence) suggests **********************
If you want to help identify if domain needs this access or you have a
file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending
file and generate the error again.
Do
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.
***** Plugin catchall (9.59 confidence) suggests **************************
If you believe that tor should...
2014 Feb 26
6
[libvirt] LXC, user namespaces and systemd
Hi!
My colleagues from Samsung and I are trying to run systemd in a Linux
container. I saw that others are experimenting in this area,
so I would like to present the results of my work and tests; perhaps they
will be helpful to others.
As the prototype I used a manual written by Daniel:
https://www.berrange.com/posts/2013/08/12/running-a-full-fedora-os-inside-a-libvirt-lxc-guest/
After many
2006 Jun 05
0
Heads up: OpenBSM 1.0a6, per-auditpipe preselection imported to CVS (fwd)
...sm/man/audit.2
U src/contrib/openbsm/man/audit.log.5
U src/contrib/openbsm/man/audit_class.5
U src/contrib/openbsm/man/audit_control.5
U src/contrib/openbsm/man/audit_event.5
U src/contrib/openbsm/man/audit_user.5
U src/contrib/openbsm/man/audit_warn.5
U src/contrib/openbsm/man/auditctl.2
U src/contrib/openbsm/man/auditon.2
U src/contrib/openbsm/man/getaudit.2
U src/contrib/openbsm/man/getauid.2
U src/contrib/openbsm/man/setaudit.2
U src/contrib/openbsm/man/setauid.2
N src/contrib/openbsm/modules/Makefile.am
N src/contrib/openbsm/modules/Makefile.in
N src/c...