similar to: how to disable lots of auditd messages?

Displaying 20 results from an estimated 1000 matches similar to: "how to disable lots of auditd messages?"

2009 Dec 11
1
Auditd fails to start : Connection refused
Greetings: I have an x86_64 Centos5.3 box and I'm trying to run auditd. It fails on startup and this is the O/P at the end: config_manager init complete Error setting audit daemon pid (Connection refused) type=DAEMON_ABORT msg=audit(1260554376.697:5674): auditd error halt, auid=4294967295 pid=32702 res=failed Unable to set audit pid, exiting The audit daemon is exiting. Error setting
2009 Aug 25
1
logcheck vs auditd
Hello, I was just looking into parsing some various logs to get notified when my application is not behaving correctly. Logcheck seems like the right tool but then I also notice auditd which is another log monitoring/reporting tool. Can someone explain if these two tools serve similar purposes or do they each have a different purpose? I've done a bit of reading but figure someone here
2009 Jun 12
3
how to set ntpd listen only 127.0.0.1 ?
Hello, all. I would like to use ntpd for time sync, not rdate or ntpdate. But after installing ntpd, I found that it listens on all interfaces, like below. udp 0 0 192.168.111.2:123 0.0.0.0:* 11528/ntpd udp 0 0 xxx.xxx.62.20:123 0.0.0.0:* 11528/ntpd udp 0 0
2010 Apr 02
0
Watching a file using auditd
Hi, I am using auditd to monitor files for changes (read and write actually). I found that when auditd is running, it will correctly report files that are read, but will not report changes to a file that is being monitored. But if I stop auditd and load audit rules using auditctl, it will work as expected. Here's the audit rule: -w /tmp/audit-test -p rw -k __monitored__ What am I missing
2009 Jul 03
4
what would happen if there is no swap partition?
Hello, all. I know the function of swap and can make a swap partition or file. But if there is no swap partition on the system, what would happen? Does that make the system unstable or not? I have one system that has no swap, but there has been no problem until now. Thanks in advance.
2011 Jun 01
3
puppet and environments ... need help
I'm trying to use environments and seem to be failing. Right now I have 4 defined environments: production, cat, development, beta They are defined as follows on my puppetmaster: cat /etc/puppet/puppet.conf [main] pluginsync = true vardir = /var/lib/puppet manifest = /etc/puppet/environments/production/site.pp modulepath = /etc/puppet/environments/production/modules [master] reports =
2010 Jun 27
0
Stop auditd logging all commands
Hello everyone, I have this box where auditd is logging every command typed on the system onto: /var/log/audit/audit.log Every line looks like: type=USER_TTY msg=audit msg=audit(124433....<snip> msg="command here" ... The strange thing is that I have other similar boxes and I don't see this behavior. I don't see any option in /etc/audit/* or any PAM module triggering
2011 Jan 18
0
OT: Some examples about using auditd
Hi all, I need to do some tests of auditd functionalities on two CentOS5.5 hosts. I need to audit when a user executes the sudo command, when system files are modified, when some process calls some system calls, when kernel semaphores are modified, etc. I see some examples in /usr/share/doc/audit-x.x.x, but I would like to know if someone has more complete audit.rules. Can somebody share some
2020 Sep 14
0
Auditd NETFILTER_PKT record missing src port, dst port
Dear team, The auditd log for the NETFILTER_PKT event does not contain the src port, destination port, in and out interface. Has it been removed permanently (https://patchwork.kernel.org/patch/9638183/) or can it be enabled by some configuration by auditctl? centos version : CentOS Linux release 7.6.1810 (Core) out kernel version : Linux version 3.10.0-1127.8.2.el7.x86_64 (
2007 Sep 03
1
Linux User Auditing
Is it possible to audit the Linux User Shell? I am trying to gather what commands a user is running on our systems. Can auditd handle this? TIA
2015 Jul 23
2
rsyslog.conf
On Thu, Jul 23, 2015 at 01:19:44PM -0400, m.roth at 5-cent.us wrote: > I really am going crazy, trying to deal with the hourly logs from the > loghost. We've got 170+ servers and workstations... but a *very* large > percentage of what's showing up is from his bloody new fedora 22, with its > idiot systemd logging of *every* selinux message to /var/log/messages. systemctl enable
2004 Jul 22
2
Potential Patch
Hey folks, Here at USC we have a few changes we make to the source code for various reasons -- and we have to make them for each new version. I always shrugged off sending a patch in because the changes felt very internal, but the more I think about it, the more I think perhaps they would be good for the main tree. Additionally, the more of this that gets into the main tree the easier upgrades
2011 Nov 10
3
Mysterious hang
Hi all, Recently one of my CentOS 5.7 VMs just crashes at least once a day randomly (hang). In /var/log/messages there is nothing at all indicating that there is a problem (no error, no failure). The log just stops. The only change I made before these crashes is that I activated LDAP authentication, and also auditd. But I don't see any evidence relating to it. Any clue where to look for the cause? Thank you.
2009 Jun 12
1
Any problem of auto updating using yum?
Hello, all. My systems are CentOS 4.x or 5.x (i386 and x86_64) and various services (apache, mysql, java, sendmail, etc.), and I would like to set up auto update using yum. But some staff didn't agree with my auto update plan, because some services can be affected by auto update. There have been no side effects from just yum updating until now, and it seems impossible for me to check
2009 Sep 23
1
about ntpq result..
Hello, all. I want to ask something about ntpd. I set the 'server' directive like below in ntp.conf server 0.centos.pool.ntp.org For example, I can see the ntpq result like below. remote refid st t when poll reach delay offset jitter ============================================================================== * 10.10.23.44 211.115.xx.xx 3 u 62 64
2015 Jan 23
2
find out who accessed a file
On Fri, January 23, 2015 3:13 pm, Jonathan Billings wrote: > On Fri, Jan 23, 2015 at 03:50:44PM -0500, Tim Dunphy wrote: >> Is there any way to find out the last user to access a file on a CentOS >> 6.5 system? > > Unless you're using auditd (or a similar service) to watch the file, > no. You could probably use the logs and `last` to see who was logged > in at the
2013 Jun 06
1
selinux
Two issues: first, I've noticed a number of times that selinux is there, which we usually have in permissive, but setroubleshoot is *not* installed. Is there some kind of dependency or group that it should be part of that's missing? I don't see why I need to manually install it.... Second - and I thought I knew the answer to this, but guess I don't - I see AVC's in the log
2016 Oct 26
4
Anyone know anything about slurm on CentOS 7?
The recently-left programmer did *something*, and he didn't know what, and the guy who picked it up is working with me to find out why /var/log/messages is getting flooded with Oct 26 11:01:06 <servername> kernel: type=1105 audit(1477494066.569:642430): pid=108551 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:session_open
2019 Nov 21
3
Issue with "ExecStartPost" attribute in systemd daemon faile
Hello, I'm trying to configure a daemon (I'm doing tests with "crond" daemon) to send me an email after daemon restart. My "crond.service" file is: # /etc/systemd/system/crond.service [Unit] Description=Command Scheduler After=auditd.service systemd-user-sessions.service time-sync.target #OnFailure=crond-notify-email@%i.service [Service]
2014 Aug 18
2
need-restart ?
Hi, today I updated the glibc packages on some CentOS machines. After the update I checked which services/processes I have to restart with "yum -C ps" or "needs-restarting". On most machines I get no information about necessary restarts, but on two machines I get a long listing : 1 : /sbin/init 386 : /sbin/udevd-d 659 : /sbin/udevd-d 999 : /usr/sbin/vmtoolsd 1103 : auditd 1128 :