search for: auditctl

Displaying 19 results from an estimated 19 matches for "auditctl".

2007 Sep 03
1
Linux User Auditing
Is it possible to audit the Linux User Shell? I am trying to gather what commands a user is running on our systems. Can auditd handle this? TIA
2009 Feb 10
0
process accounting - track PIDs
...same PID that initiates the lock request. Even with running "ps auxww" in a "while true" loop I cannot seem to capture the PID it comes/goes too fast. I can see the PID right after the one specified, but not the one I want. I tried a couple things I found for the audit system: auditctl -a entry,always -S fork -S vfork -S clone auditctl -a entry,always -S brk -F 'a0=0' auditctl -a task,always auditctl -a exit,always And none of them were able to detect the PID that was created. Another way to approach this is perhaps NLM debugging on the linux client side but I haven'...
2005 Nov 28
1
Is samba or a kernel bug causing my FC4 server to crash?
...9 for sclass=49 Oct 26 09:30:15 poseidon kernel: Oct 26 09:30:15 poseidon kernel: audit(1130333415.900:21311): arch=40000003 syscall=102 success=yes exit=16 a0=b a1=bfc8d790 a2=80510f8 a3=bfc93bb8 items=0 pid=18765 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl" Oct 26 09:30:15 poseidon kernel: audit(1130333415.900:21311): saddr=100000000000000000000000 Oct 26 09:30:15 poseidon kernel: audit(1130333415.900:21311): nargs=6 a0=3 a1=bfc91a1c a2=10 a3=0 a4=bfc93bb8 a5=c Oct 26 09:30:16 poseidon kernel: audit(1130333416.000:...
2018 Oct 14
3
Centos7 & Selinux & Tor
I've just encountered a problem starting tor. When I do 'systemctl start tor' it fails and I get selinux errors in the log. There was a suggestion to do full auditing with 'auditctl -w /etc/shadow -p w'. Which I did and it gave the following type=PROCTITLE msg=audit(1539540150.692:60570): proctitle=2F7573722F62696E2F746F72002D2D72756E61736461656D6F6E0030002D2D64656661756C74732D746F727263002F7573722F73686172652F746F722F64656661756C74732D746F727263002D66002F6574632F746F72...
2011 Jun 01
3
puppet and environments ... need help
...]/Common::Syslog/Service[syslog]: Would have triggered ''refresh'' from 1 events --- /etc/audit/audit.rules 2011-05-27 08:29:07.000000000 -0500 +++ /tmp/puppet-file20110601-30205-h9qyn0-0 2011-06-01 13:27:44.471940710 -0500 @@ -12,4 +12,5 @@ # Feel free to add below this line. See auditctl man page --w /etc/syslog-ng/syslog-ng.conf \ No newline at end of file +-w /etc/syslog-ng/syslog-ng.conf +# beta notice: /Stage[main]/Common::Auditd/File[audit.rules]/content: current_value {md5}6a01ac645e8aed5a4f0f5c165815dc78, should be {md5} 197364e2ca6f10b9ec4d73168eabe7c6 (noop) info: /Stage[...
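Review bot: the `-w /etc/syslog-ng/syslog-ng.conf` rule is identical on the `-` and `+` lines apart from the missing trailing newline (`\ No newline at end of file`), so this hunk is a whitespace normalization of the last rule rather than a rule change, which is why the md5 of audit.rules differs without any watch being added or removed. The second `+` line is cut off in the excerpt, so confirm what is actually being appended below the "Feel free to add below this line" marker before taking this out of noop mode.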
2015 Jan 09
1
Asterisk executable suddenly about 40KB larger - modules (Andres)
>I would also start by putting an audit rule on the binary. Something like this: >auditctl -w /usr/sbin/asterisk -p war -k asterisk-bin >then you can get a report on who modified it and when by using: >ausearch -f /usr/sbin/asterisk >Its a start, but eventually you might need to monitor even keystrokes with pam_tty_audit.so to understand who is doing this: >http://poorlydo...
2018 Oct 23
0
Centos7 & Selinux & Tor
On Sun, 2018-10-14 at 20:13 +0200, Robin Lee wrote: > I've just encountered a problem starting tor. When I do 'systemctl > start tor' it fails and I get selinux errors in the log. There was a > suggestion to do full auditing with 'auditctl -w /etc/shadow -p w'. > Which I did and it gave the following > > type=PROCTITLE msg=audit(1539540150.692:60570): > proctitle=2F7573722F62696E2F746F72002D2D72756E61736461656D6F6E0030002D2D64656661756C74732D746F727263002F7573722F73686172652F746F722F6465666175 >...
2020 Sep 14
0
Auditd NETFILTER_PKT record missing src port, dst port
Dear team The auditd log for NETFILTER_PKT event does not contain the src port, destination port, in and out interface. Has it been removed permanently (https://patchwork.kernel.org/patch/9638183/) or can it be enabled by some configuration by auditctl? centos version: CentOS Linux release 7.6.1810 (Core) our kernel version: Linux version 3.10.0-1127.8.2.el7.x86_64 ( mockbuild at kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) ) #1 SMP Tue May 12 16:57:42 UTC 2020 Thanks and regards Akshar
2010 Apr 02
0
Watching a file using auditd
Hi, I am using auditd to monitor files for changes (read and write actually). I found that when auditd is running, it will correctly report files that are read, but will not report changes to a file that is being monitored. But if I stop auditd and load audit rules using auditctl, it will work as expected. Here's the audit rule: -w /tmp/audit-test -p rw -k __monitored__ What am I missing here? Thanks.
2013 Apr 30
0
httpd writes much to /var? How to audit it properly?
...ntOS release 6.3 (Final) From time to time (it happens on different machines) I have a very high load up to 100, and I see that there are up to 300/s writes to /var at the same time. Apache restart solves the problem. I would like to know the reason so I decided to use auditd. I've used: auditctl -w /var -p warx And for example: ausearch -f /var -i -ts 04/29/2013 23:00:00 -te 04/29/2013 23:01:00 -ua 11111 | grep 'syscall=open' | wc -l gives me "5" but in my monitoring I see that there were up to 300 writes per second to /var at the same moment (id 11111 - httpd) (I have...
2014 May 29
1
files automatically changing permissions
hello, I'm running apache 2.2.24 and php 5.2.17. The web site that it is serving turns into a 403 Forbidden error every 5 minutes literally. I've found that doing a chmod -Rv 775 on the web root restores the site. However this is a band-aid and no real solution. I've combed through all the cron jobs in /var/spool/cron both on this machine and the one it was recently transferred
2014 Feb 27
0
Re: [libvirt] LXC, user namespaces and systemd
...ine with audit=0 > > # vi /etc/default/grub > GRUB_CMDLINE_LINUX=" [...] audit=0 [...]" IIUC, this is no longer needed with systemd 209 and above. I just did a quick test[1] with systemd-210-2.fc21.x86_64 3.14.0-0.rc4.git0.1.fc21.x86_64 and audit subsystem enabled: $ auditctl -s AUDIT_STATUS: enabled=1 flag=1 pid=816 rate_limit=0 backlog_limit=320 lost=0 backlog=0 I can at least boot into my old systemd-nspawn container just fine. Yet to test with libvirt-lxc. [1] https://bugzilla.redhat.com/show_bug.cgi?id=966807#c14 -- /kashyap
2015 Jan 08
1
Asterisk executable suddenly about 40KB larger - modules
Hi guys Thanks for the pointers - I'll look into the possible compromise scenario though I've got no idea how I'll counter it -if- I manage to detect it...! I've disabled prelinking (thanks Tony!) and I'll see if that helps. Interesting thing I've now discovered (had this failure again at the head office this morning) is the "growth" in the file's size is
2018 Oct 23
1
Centos7 & Selinux & Tor
...18 2:49 PM, Robin Lee wrote: > On Sun, 2018-10-14 at 20:13 +0200, Robin Lee wrote: >> I've just encountered a problem starting tor. When I do 'systemctl >> start tor' it fails and I get selinux errors in the log. There was a >> suggestion to do full auditing with 'auditctl -w /etc/shadow -p w'. >> Which I did and it gave the following >> >> type=PROCTITLE msg=audit(1539540150.692:60570): >> proctitle=2F7573722F62696E2F746F72002D2D72756E61736461656D6F6E0030002D2D64656661756C74732D746F727263002F7573722F73686172652F746F722...
2006 Sep 20
2
Status of MFC security event audit support in RELENG_6?
A few weeks back Robert Watson announced the merge of these features from 7 back into 6-STABLE. I hadn't seen any updates and was curious as to the status. Us 6-STABLE users are curious to test it out. Thanks. --A
2010 Jan 29
4
Browser related question
Greetings, How does one monitor if a site is being accessed using a browser? IOW, I just want to know if a user has launched a session through Firefox. I basically want to know if a user has tried to access the webserver and was unable to reach it, and log such instances. I am using cron and curl to separately monitor the link. Any clues? Centos 5.2/Gnome/Firefox 3.0.16 Regards Rajagopal
2017 Jan 29
2
tor and selinux
...confidence) suggests ********************** If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system Then turn on full auditing to get path information about the offending file and generate the error again. Do Turn on full auditing # auditctl -w /etc/shadow -p w Try to recreate AVC. Then execute # ausearch -m avc -ts recent If you see PATH record check ownership/permissions on file, and fix it, otherwise report as a bugzilla. ***** Plugin catchall (9.59 confidence) suggests ************************** If you believe that tor should...
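Several of the posts above are really about reading the same record format: the raw kernel "audit(SECS:SERIAL):" lines in the FC4 crash thread, the hex-encoded proctitle= field that the Tor/SELinux posters pasted without decoding, the "who modified /usr/sbin/asterisk" question (auditctl -w ... -k asterisk-bin, then ausearch), and the httpd thread counting 'syscall=open' hits. The following is an added example, not code from any of these posts or from the audit project: a small offline parser that groups records into events by their msg=audit(TIMESTAMP:SERIAL) header, decodes hex-encoded string fields (PROCTITLE is always hex, with NUL between argv words), separates the login uid (auid, which survives su/sudo and is 4294967295 when unset, e.g. for daemons) from the current uid, and tallies events per rule key. The sample records are constructed: only the proctitle hex from the Tor post and the two audit(1130333415.900:21311) lines from the FC4 post are copied from this thread; the timestamps, serials, pids, inodes and the cp/asterisk events are invented for illustration. One caveat the tally function encodes, relevant to the httpd thread: a '-w PATH -p w' watch fires on the syscall that opens, creates or truncates the path, not on each write(2) to an already open descriptor, so watch hits and 'writes per second' are different quantities.

```python
"""Offline parser for Linux audit records (the format of /var/log/audit/audit.log
and of `ausearch -r` output).

Added example, not code from any post above or from the audit project.
SAMPLE is constructed: the proctitle hex is copied from the Tor post and the
two audit(1130333415.900:21311) lines from the FC4 post; every other value
(timestamps, serials, pids, inodes, the cp and asterisk events) is invented.
"""
import re
from collections import Counter, defaultdict

# Modern records start "type=T msg=audit(SECS.MSECS:SERIAL): ..."; the kernel
# printk form seen in old syslogs carries only "audit(SECS.MSECS:SERIAL): ...".
HEADER = re.compile(r"(?:type=(\w+)\s+msg=)?audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# The body is key=value pairs; a value is either "quoted" or one bare token.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# String fields the kernel emits unquoted as hex when they contain spaces,
# quotes or control characters.  proctitle is always hex, NUL between argv words.
HEX_KEYS = {"proctitle", "name", "comm", "exe", "cwd", "key"}
UNSET = 4294967295  # (unsigned)-1: no login uid, e.g. a daemon started at boot


def is_hex(s):
    return len(s) >= 2 and len(s) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in s)


def decode_hex(value):
    """Hex string -> text; the NUL argv separator of proctitle becomes a space."""
    return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")


def parse_record(line):
    """One log line -> {type, ts, serial, fields}, or None if it is not an audit record."""
    m = HEADER.search(line)
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {}
    for key, raw in FIELD.findall(body):
        if raw.startswith('"') and raw.endswith('"'):
            fields[key] = raw[1:-1]
        elif key in HEX_KEYS and is_hex(raw):
            fields[key] = decode_hex(raw)
        else:
            fields[key] = raw
    return {"type": rtype or "UNKNOWN", "ts": float(ts), "serial": int(serial), "fields": fields}


def group_events(lines):
    """All records of one event (SYSCALL, CWD, PATH, PROCTITLE, ...) share (ts, serial)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[(rec["ts"], rec["serial"])].append(rec)
    return dict(events)


def summarize(records):
    """Flatten one event into who / which program / which syscall / which paths / result."""
    sc = next((r["fields"] for r in records if "syscall" in r["fields"]), {})
    auid = sc.get("auid")
    return {
        # auid is the uid at login and survives su/sudo; uid is the current one.
        "auid": None if auid is None or int(auid) == UNSET else int(auid),
        "uid": int(sc["uid"]) if "uid" in sc else None,
        "exe": sc.get("exe"),
        "syscall": sc.get("syscall"),  # arch-specific number; `ausearch -i` names it
        "success": sc.get("success"),
        "key": sc.get("key"),
        "paths": [r["fields"]["name"] for r in records
                  if r["type"] == "PATH" and "name" in r["fields"]],
        "proctitle": next((r["fields"]["proctitle"] for r in records
                           if r["type"] == "PROCTITLE"), None),
    }


def count_by_actor(events, key):
    """Events per (uid, exe) for one rule key, what `ausearch -k KEY` would list.
    A -p w watch logs the open/create/truncate of the path, not each write(2)."""
    tally = Counter()
    for records in events.values():
        s = summarize(records)
        if s["key"] == key:
            tally[(s["uid"], s["exe"])] += 1
    return tally


SAMPLE = """\
type=SYSCALL msg=audit(1539540150.692:60570): arch=c000003e syscall=2 success=no exit=-13 a0=7f3a1c0 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=4242 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="tor" exe="/usr/bin/tor" subj=system_u:system_r:tor_t:s0 key="shadow-watch"
type=CWD msg=audit(1539540150.692:60570): cwd="/"
type=PATH msg=audit(1539540150.692:60570): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
type=PROCTITLE msg=audit(1539540150.692:60570): proctitle=2F7573722F62696E2F746F72002D2D72756E61736461656D6F6E0030002D2D64656661756C74732D746F727263002F7573722F73686172652F746F722F64656661756C74732D746F727263002D66002F6574632F746F72
type=SYSCALL msg=audit(1420700000.123:9001): arch=c000003e syscall=2 success=yes exit=3 a0=7ffe2c0 a1=241 a2=1b6 a3=0 items=1 ppid=3100 pid=3105 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="cp" exe="/bin/cp" key="asterisk-bin"
type=PATH msg=audit(1420700000.123:9001): item=0 name="/usr/sbin/asterisk" inode=5678 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1420700000.123:9001): proctitle=6370002F746D702F617374657269736B002F7573722F7362696E2F617374657269736B
type=SYSCALL msg=audit(1420700030.456:9002): arch=c000003e syscall=59 success=yes exit=0 a0=1e2a010 a1=1e2a0b0 a2=1e2b8c0 a3=7ffe3b0 items=1 ppid=1 pid=3200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="asterisk" exe="/usr/sbin/asterisk" key="asterisk-bin"
type=PATH msg=audit(1420700030.456:9002): item=0 name="/usr/sbin/asterisk" inode=5678 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1420700030.456:9002): proctitle=2F7573722F7362696E2F617374657269736B002D66
Oct 26 09:30:15 poseidon kernel: audit(1130333415.900:21311): arch=40000003 syscall=102 success=yes exit=16 a0=b a1=bfc8d790 a2=80510f8 a3=bfc93bb8 items=0 pid=18765 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Oct 26 09:30:15 poseidon kernel: audit(1130333415.900:21311): saddr=100000000000000000000000
""".splitlines()


def report(lines=SAMPLE):
    """Serial -> summary, in time order."""
    events = group_events(lines)
    return {serial: summarize(recs) for (_, serial), recs in sorted(events.items())}


if __name__ == "__main__":
    for serial, s in report().items():
        print(serial, s)
    print(count_by_actor(group_events(SAMPLE), "asterisk-bin"))
```

On a real box, feed it `ausearch -k asterisk-bin -r` output (or /var/log/audit/audit.log itself) instead of SAMPLE; `ausearch -i` does the same hex decoding and additionally names syscall numbers and uids interactively. In the sample, event 9001 shows why auid matters: the copy over the Asterisk binary ran as uid 0, but the login uid that got there via su/sudo is 1000, which is the answer to "who". Event 9002 shows that a '-p war' watch also records the execve of the watched binary, so a key with -p war will be noisier than one with -p w alone.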
2014 Feb 26
6
[libvirt] LXC, user namespaces and systemd
Hi! I with my colleagues from Samsung trying to run systemd in Linux container. I saw that the others are experimenting in this topic, so I would like to present the results of my work and tests, perhaps it will be helpful to others. As the prototype I used a manual written by Daniel: https://www.berrange.com/posts/2013/08/12/running-a-full-fedora-os-inside-a-libvirt-lxc-guest/ After many
2006 Jun 05
0
Heads up: OpenBSM 1.0a6, per-auditpipe preselection imported to CVS (fwd)
...sm/man/audit.2 U src/contrib/openbsm/man/audit.log.5 U src/contrib/openbsm/man/audit_class.5 U src/contrib/openbsm/man/audit_control.5 U src/contrib/openbsm/man/audit_event.5 U src/contrib/openbsm/man/audit_user.5 U src/contrib/openbsm/man/audit_warn.5 U src/contrib/openbsm/man/auditctl.2 U src/contrib/openbsm/man/auditon.2 U src/contrib/openbsm/man/getaudit.2 U src/contrib/openbsm/man/getauid.2 U src/contrib/openbsm/man/setaudit.2 U src/contrib/openbsm/man/setauid.2 N src/contrib/openbsm/modules/Makefile.am N src/contrib/openbsm/modules/Makefile.in N src/c...