similar to: Auditd fails to start : Connection refused

Displaying 20 results from an estimated 600 matches similar to: "Auditd fails to start : Connection refused"

2009 Jun 02
1
how to disable lots of auditd messages?
hello all. My system is centos 5.x and there is no module related auditd there is no process(daemon) related auditd and selinux definitely disabled. But I can see lots of auditd messages like below. Oct 20 02:01:01 linux kernel: type=1106 audit(1224435661.064:65210): user pid=25860 uid=0 auid=0 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?,
2010 Apr 02
0
Watching a file using auditd
Hi, I am using auditd to monitor files for changes (read and write actually). I found that when auditd is running, it will correctly report files that are read, but will not report changes to a file that is being monitored. But if I stop auditd and load audit rules using auditctl, it will work as expected. Here's the audit rule: -w /tmp/audit-test -p rw -k __monitored__ What am I missing
2009 Aug 25
1
logcheck vs auditd
Hello, I was just looking into parsing some various logs to get notified when my application is not behaving correctly. Logcheck seems like the right tool but then I also notice auditd which is another log monitoring/reporting tool. Can someone explain if these two tools serve similar purposes or do they each have a different purpose? I've done a bit of reading but figure someone here
2010 Jun 27
0
Stop auditd logging all commands
Hello everyone, I have this box where auditd is logging every command typed on the system onto: /var/log/audit/audit.log Every line looks like: type=USER_TTY msg=audit msg=audit(124433....<snip> msg="command here" ... The strange thing is that I have other similar boxes and I don't see this behavior. I don't see any option in /etc/audit/* or any PAM module triggering
2011 Jan 18
0
OT: Some examples about using auditd
Hi all, I need to do some tests about auditd functionalities on two CentOS5.5 hosts. I need to audit when user executes sudo command, when system files are modified, when some process call to some system calls, when kernel semaphores are modified, etc. I see some examples on /usr/shae/doc/audit-x.x.x, but I will know if someone has more complete audit.rules. Can somebody share some
2020 Sep 14
0
Auditd NETFILTER_PKT record missing src port, dst port
Dear team The auditd log for NETFILTER_PKT event does not contain the src port, destination port, in and out interface. Has it been removed permanently (https://patchwork.kernel.org/patch/9638183/) or can it be enabled by some configuration by auditctl? centos version : CentOS Linux release 7.6.1810 (Core) out kernel version : Linux version 3.10.0-1127.8.2.el7.x86_64 (
2007 Dec 22
1
Debug symbols for CentOS server
is there a repository of build symbols for the various packages i have installed on my CentOS 5 server? here's a use case - i'm developing an apache/httpd plugin module - it's not loading properly - i want to run apache in single-process mode (httpd -X), attach gdb to it, set a break point just before my module is loaded, and step through the code to find out why my module is
2004 Dec 13
1
Status of Sun BSM/Auditd Support ?
Hey folks, About a year ago it was pointed out to me there was BSM support in CVS that would hopefully make it into a release soon. I had a look over it and it looks like it covers everything (it certainly covers more than the 3 or 4 things we do here at USC). So I'm wondering what the status of that is? Is it planned for a release soon? Are there issues with it? This is a really big feature
2005 Jun 02
0
auditd logs
I've noticed my disk space filling up rapidly on my mail server, I noticed that /var/log/audit.d is using 2.1 G. Is it safe to remove those log files?
2004 Jul 22
2
Potential Patch
Hey folks, Here at USC we have a few changes we make to the source code for various reasons -- and we have to make them for each new version. I always shrugged off sending a patch in because the changes felt very internal, but the more I think about it, the more I think perhaps they would be good for the main tree. Additionally, the more of this that gets into the main tree the easier upgrades
2006 Jun 05
0
Heads up: OpenBSM 1.0a6, per-auditpipe preselection imported to CVS (fwd)
FYI for those working with audit and intrusion detection on FreeBSD. Robert N M Watson ---------- Forwarded message ---------- Date: Mon, 5 Jun 2006 17:01:04 +0100 (BST) From: Robert Watson <rwatson@FreeBSD.org> To: current@FreeBSD.org Cc: trustedbsd-audit@TrustedBSD.org Subject: Heads up: OpenBSM 1.0a6, per-auditpipe preselection imported to CVS This is a heads up to current@ users
2013 Apr 30
0
httpd writes much to /var? How to audit it properly?
Hi All. I currently use: Apache/2.2.21 on: 2.6.32-279.9.1.el6.centos.plus.x86_64 CentOS release 6.3 (Final) From time to time (it happens on different machines) I have a very high load up to 100, and I see that there are up to 300/s writes to /var at the same time. Apache restart solves the problem. I would like to know the reason so I decided to use auditd. I've used: auditctl -w /var
2015 Jul 23
0
rsyslog.conf
Jonathan Billings wrote: > On Thu, Jul 23, 2015 at 01:19:44PM -0400, m.roth at 5-cent.us wrote: >> I really am going crazy, trying to deal with the hourly logs from the >> loghost. We've got 170+ servers and workstations... but a *very* large >> percentage of what's showing up is from his bloody new fedora 22, with >> its >> idiot systemd logging of *ever*
2011 Jun 01
3
puppet and environments ... need help
I'm trying to use environments and seem to be failing. Right now I have 4 defined environments: production, cat, development, beta They are defined as follows on my puppetmaster: cat /etc/puppet/puppet.conf [main] pluginsync = true vardir = /var/lib/puppet manifest = /etc/puppet/environments/production/site.pp modulepath = /etc/puppet/environments/production/modules [master] reports =
2006 May 04
3
Please explain me this ruby code...
Hi all, This is small code from typo 2.6.0's "articles_helper.rb" file ================================ def author_link(article) if config['link_to_author'] and article.user and article.user.email.to_s.size>0 "<a href=\"mailto:#{article.user.email}\">#{article.user.name}</a>" elsif article.user and
2015 Jul 23
2
rsyslog.conf
On Thu, Jul 23, 2015 at 01:19:44PM -0400, m.roth at 5-cent.us wrote: > I really am going crazy, trying to deal with the hourly logs from the > loghost. We've got 170+ servers and workstations... but a *very* large > percentage of what's showing up is from his bloody new fedora 22, with its > idiot systemd logging of *ever* selinux message to /var/log/messages. systemctl enable
2011 May 30
0
logcheck rules submission
Hi, please add the following rule to the logcheck database: For package/daemon auditd: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Audit daemon rotating log files$ Log line as system event: May 31 11:41:11 localhost auditd[2594]: Audit daemon rotating log files Regards Till
2015 Jan 24
0
find out who accessed a file
Hey guys, Unless you're using auditd (or a similar service) to watch the file, no. You could probably use the logs and `last` to see who was logged in at the time and make a guess. Also, you can look into shell history files (though that might be cleaned by users). Admin is allowed to do that when investigates incident. One more thing: if "access" constitutes execution of that
2008 Jan 06
1
Iptables and impersonating another O/S
i have a CentOS 5.1 server running sshd (exposed to the outside world). i'd like to use iptables to fool nmap into thinking i'm running another O/S. e.g.: iptables -t mangle -A PREROUTING -d 192.168.0.64 -j PERS \ --tweak dst --local --conf /etc/personalities/macos9.conf iptables -t mangle -A OUTPUT -d 192.168.0.64 -j PERS \ --tweak src --local --conf
2016 Feb 02
2
[Bug 93968] New: BUG in nouveau_fbcon_sync()
https://bugs.freedesktop.org/show_bug.cgi?id=93968 Bug ID: 93968 Summary: BUG in nouveau_fbcon_sync() Product: xorg Version: unspecified Hardware: x86-64 (AMD64) OS: Linux (All) Status: NEW Severity: normal Priority: medium Component: Driver/nouveau Assignee: nouveau at