similar to: Watching a file using auditd


2011 Jun 01
3
puppet and environments ... need help
I'm trying to use environments and seem to be failing. Right now I have 4 defined environments: production, cat, development, beta They are defined as follows on my puppetmaster: cat /etc/puppet/puppet.conf [main] pluginsync = true vardir = /var/lib/puppet manifest = /etc/puppet/environments/production/site.pp modulepath = /etc/puppet/environments/production/modules [master] reports =
2009 Dec 11
1
Auditd fails to start : Connection refused
Greetings: I have an x86_64 CentOS 5.3 box and I'm trying to run auditd. It fails on startup and this is the O/P at the end: config_manager init complete Error setting audit daemon pid (Connection refused) type=DAEMON_ABORT msg=audit(1260554376.697:5674): auditd error halt, auid=4294967295 pid=32702 res=failed Unable to set audit pid, exiting The audit daemon is exiting. Error setting
2020 Sep 14
0
Auditd NETFILTER_PKT record missing src port, dst port
Dear team The auditd log for NETFILTER_PKT event does not contain the src port, destination port, in and out interface. Has it been removed permanently (https://patchwork.kernel.org/patch/9638183/) or can it be enabled by some configuration by auditctl? centos version : CentOS Linux release 7.6.1810 (Core) out kernel version : Linux version 3.10.0-1127.8.2.el7.x86_64 (
2009 Jun 02
1
how to disable lots of auditd messages?
Hello all. My system is CentOS 5.x and there is no module related to auditd, there is no process (daemon) related to auditd, and SELinux is definitely disabled. But I can see lots of auditd messages like below. Oct 20 02:01:01 linux kernel: type=1106 audit(1224435661.064:65210): user pid=25860 uid=0 auid=0 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?,
2006 Jun 05
0
Heads up: OpenBSM 1.0a6, per-auditpipe preselection imported to CVS (fwd)
FYI for those working with audit and intrusion detection on FreeBSD. Robert N M Watson ---------- Forwarded message ---------- Date: Mon, 5 Jun 2006 17:01:04 +0100 (BST) From: Robert Watson <rwatson@FreeBSD.org> To: current@FreeBSD.org Cc: trustedbsd-audit@TrustedBSD.org Subject: Heads up: OpenBSM 1.0a6, per-auditpipe preselection imported to CVS This is a heads up to current@ users
2010 Jun 27
0
Stop auditd logging all commands
Hello everyone, I have this box where auditd is logging every command typed on the system onto: /var/log/audit/audit.log Every line looks like: type=USER_TTY msg=audit msg=audit(124433....<snip> msg="command here" ... The strange thing is that I have other similar boxes and I don't see this behavior. I don't see any option in /etc/audit/* or any PAM module triggering
2013 Apr 30
0
httpd writes much to /var? How to audit it properly?
Hi All. I currently use: Apache/2.2.21 on: 2.6.32-279.9.1.el6.centos.plus.x86_64 CentOS release 6.3 (Final) From time to time (it happens on different machines) I have a very high load up to 100, and I see that there are up to 300/s writes to /var at the same time. Apache restart solves the problem. I would like to know the reason so I decided to use auditd. I've used: auditctl -w /var
2011 Jan 18
0
OT: Some examples about using auditd
Hi all, I need to do some tests about auditd functionalities on two CentOS 5.5 hosts. I need to audit when a user executes the sudo command, when system files are modified, when some process calls some system calls, when kernel semaphores are modified, etc. I see some examples in /usr/share/doc/audit-x.x.x, but I would like to know if someone has a more complete audit.rules. Can somebody share some
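A rules file covering the four things asked for above (sudo execution, system-file modification, selected syscalls, SysV semaphores), added here as an example and not taken from any reply in the thread. Keys (-k) are arbitrary names chosen for this example so that `ausearch -k <key>` can pull each class of event back out; the `auid>=1000` floor assumes the distribution's first regular UID is 1000 (CentOS 5 used 500, adjust to match /etc/login.defs). Load it with `auditctl -R <file>` or place it in the audit.rules file the init script reads.

```text
## Start from a clean rule set and give the kernel a larger record buffer
-D
-b 8192

## File watches: -p r/w/x/a = read, write, execute, attribute change
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers

## Execution of sudo itself (x = execve of the watched file)
-w /usr/bin/sudo -p x -k sudo_exec

## Syscall rules: every execve that runs as root on behalf of a logged-in user
## (auid is the login uid; 4294967295 = unset, i.e. daemons and boot-time processes)
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_cmds
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_cmds

## SysV semaphore operations, both ABIs so 32-bit binaries on a 64-bit host are covered
-a always,exit -F arch=b64 -S semget,semctl,semop,semtimedop -k ipc_sem
-a always,exit -F arch=b32 -S semget,semctl,semop,semtimedop -k ipc_sem
```

Both `arch=b64` and `arch=b32` lines are needed on x86_64: a syscall rule only matches the ABI it names, so a rule with only `arch=b64` is blind to 32-bit binaries. The `-D` at the top also means `auditctl -R` on this file replaces, rather than appends to, whatever was loaded before.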
2005 Nov 28
1
Is samba or a kernel bug causing my FC4 server to crash?
I've got a fully updated Fedora Core 4 server crashing hard every week or two. I use Samba via smbmount and autofs to read & delete log files on 17 XP boxes and 6 NT4SP6 boxes as well as a couple other Windows file servers every 5 minutes. The first indication of a problem I get is smbmount stops working, then the server becomes unresponsive to the point where only a power slam will fix
2007 Sep 03
1
Linux User Auditing
Is it possible to audit the Linux user shell? I am trying to gather what commands a user is running on our systems. Can auditd handle this? TIA
2009 Feb 10
0
process accounting - track PIDs
Hello -- I've done some searching but haven't come up with much yet, I was wondering if there was a way to track PID creation and what command was assigned to a PID? I am trying to track down a locking issue with NFS/NLM where the client PID that initiates the unlock request is not the same PID that initiates the lock request. Even with running "ps auxww" in a "while
2015 Jul 23
0
rsyslog.conf
Jonathan Billings wrote: > On Thu, Jul 23, 2015 at 01:19:44PM -0400, m.roth at 5-cent.us wrote: >> I really am going crazy, trying to deal with the hourly logs from the >> loghost. We've got 170+ servers and workstations... but a *very* large >> percentage of what's showing up is from his bloody new fedora 22, with >> its >> idiot systemd logging of *every*
2005 Jun 02
0
auditd logs
I've noticed my disk space filling up rapidly on my mail server; I noticed that /var/log/audit.d is using 2.1 G. Is it safe to remove those log files?
2015 Jul 23
2
rsyslog.conf
On Thu, Jul 23, 2015 at 01:19:44PM -0400, m.roth at 5-cent.us wrote: > I really am going crazy, trying to deal with the hourly logs from the > loghost. We've got 170+ servers and workstations... but a *very* large > percentage of what's showing up is from his bloody new fedora 22, with its > idiot systemd logging of *every* selinux message to /var/log/messages. systemctl enable
2011 May 30
0
logcheck rules submission
Hi, please add the following rule to the logcheck database: For package/daemon auditd: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ auditd\[[[:digit:]]+\]: Audit daemon rotating log files$ Log line as system event: May 31 11:41:11 localhost auditd[2594]: Audit daemon rotating log files Regards Till
2018 Oct 14
3
Centos7 & Selinux & Tor
I've just encountered a problem starting tor. When I do 'systemctl start tor' it fails and I get selinux errors in the log. There was a suggestion to do full auditing with 'auditctl -w /etc/shadow -p w'. Which I did and it gave the following type=PROCTITLE msg=audit(1539540150.692:60570): proctitle=2F7573722F62696E2F746F72002D2D72756E61736461656D6F6E0030002D2
2015 Jan 09
1
Asterisk executable suddenly about 40KB larger - modules (Andres)
>I would also start by putting an audit rule on the binary. Something like this: >auditctl -w /usr/sbin/asterisk -p war -k asterisk-bin >then you can get a report on who modified it and when by using: >ausearch -f /usr/sbin/asterisk >It's a start, but eventually you might need to monitor even keystrokes with pam_tty_audit.so to understand who is doing this:
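The two file-watch posts above (the Tor thread's PROCTITLE record and the asterisk reply's `-w /usr/sbin/asterisk -p war -k asterisk-bin` plus `ausearch -f`) both end up at the same question: given the raw records auditd wrote, who touched the file, when, and with what command line? The following is an added example, not code from either post, of doing that correlation directly on /var/log/audit/audit.log. It assumes the raw record format (`type=... msg=audit(SECS.MS:SERIAL): fields`), that all records of one event share the serial number, and that `arch=c000003e` means x86_64 for the small syscall-name table; the sample log is constructed for the example, and `decode_value` is where the hex-encoded proctitle from the Tor post is turned back into text.

```python
"""Correlate raw auditd records for a file watch into a who/when/what report."""
import re
from collections import defaultdict
from datetime import datetime, timezone

HEADER = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<secs>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\): ?(?P<body>.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEXVAL = re.compile(r"^[0-9A-F]+$")
# Fields auditd hex-encodes (instead of quoting) when they contain whitespace/control bytes.
HEX_FIELDS = {"proctitle", "name", "comm", "exe", "cwd", "key"}
# Assumption: x86_64 (arch=c000003e) syscall numbers a -p war watch commonly reports.
SYSCALL_X86_64 = {2: "open", 257: "openat", 82: "rename", 87: "unlink", 90: "chmod", 59: "execve"}
AUID_UNSET = 4294967295  # -1 as unsigned: no login uid (daemons, boot-time processes)

# Constructed sample: root (login uid 1000) opens the watched binary for writing with vim,
# followed by an unrelated event with a different serial that must not be merged into it.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1420790400.123:4711): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd0 a1=241 a2=1b6 a3=0 items=2 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="vim" exe="/usr/bin/vim" key="asterisk-bin"
type=CWD msg=audit(1420790400.123:4711): cwd="/root"
type=PATH msg=audit(1420790400.123:4711): item=0 name="/usr/sbin/" inode=131 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1420790400.123:4711): item=1 name="/usr/sbin/asterisk" inode=1337 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1420790400.123:4711): proctitle=76696D002F7573722F7362696E2F617374657269736B
type=SYSCALL msg=audit(1420790460.500:4712): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=3003 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key=(null)
type=PATH msg=audit(1420790460.500:4712): item=0 name="/etc/crontab" inode=99 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""


def decode_value(key, raw):
    """Return a field value as text: strip quotes, or hex-decode known string fields.

    argv entries in proctitle are NUL-separated; they become spaces so the
    command line reads as it was typed."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and HEXVAL.match(raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ").rstrip()
    return raw


def parse_records(text):
    """Yield (type, timestamp, serial, fields) for each raw audit.log line."""
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        fields = {k: decode_value(k, v) for k, v in FIELD.findall(m.group("body"))}
        ts = datetime.fromtimestamp(int(m.group("secs")), timezone.utc)
        yield m.group("type"), ts, int(m.group("serial")), fields


def file_events(text, key=None, path=None):
    """Group records by serial and summarise each SYSCALL event.

    key/path filter like 'ausearch -k <key>' and 'ausearch -f <path>'."""
    by_serial = defaultdict(list)
    for rec in parse_records(text):
        by_serial[rec[2]].append(rec)
    events = []
    for serial, recs in sorted(by_serial.items()):
        kinds = {t: f for t, _, _, f in recs if t != "PATH"}
        sc = kinds.get("SYSCALL")
        if sc is None:
            continue
        paths = [f["name"] for t, _, _, f in recs if t == "PATH"]
        if key is not None and sc.get("key") != key:
            continue
        if path is not None and path not in paths:
            continue
        auid = int(sc.get("auid", AUID_UNSET))
        nr = int(sc["syscall"])
        events.append({
            "serial": serial,
            "time": recs[0][1].isoformat(),
            "auid": None if auid == AUID_UNSET else auid,   # None = no login session
            "uid": int(sc["uid"]),
            "syscall": SYSCALL_X86_64.get(nr, nr) if sc.get("arch") == "c000003e" else nr,
            "success": sc.get("success") == "yes",
            "exe": sc.get("exe"),
            "tty": sc.get("tty"),
            "cmdline": kinds.get("PROCTITLE", {}).get("proctitle"),
            "paths": paths,
        })
    return events


if __name__ == "__main__":
    for ev in file_events(SAMPLE_LOG, key="asterisk-bin"):
        print(f"{ev['time']} auid={ev['auid']} uid={ev['uid']} {ev['syscall']} "
              f"{ev['paths'][-1]} via {ev['exe']} [{ev['cmdline']}] tty={ev['tty']}")
```

The point to take from the report is the `auid` column: `uid=0` only says the edit ran as root, while the login uid (1000 here) survives `su`/`sudo` and names the person who logged in. A `None` auid is a process with no login session, which is exactly the crond case in the second sample event.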
2009 Aug 25
1
logcheck vs auditd
Hello, I was just looking into parsing some various logs to get notified when my application is not behaving correctly. Logcheck seems like the right tool but then I also notice auditd which is another log monitoring/reporting tool. Can someone explain if these two tools serve similar purposes or do they each have a different purpose? I've done a bit of reading but figure someone here
2018 Oct 23
0
Centos7 & Selinux & Tor
On Sun, 2018-10-14 at 20:13 +0200, Robin Lee wrote: > I've just encountered a problem starting tor. When I do 'systemctl > start tor' it fails and I get selinux errors in the log. There was a > suggestion to do full auditing with 'auditctl -w /etc/shadow -p w'. > Which I did and it gave the following > > type=PROCTITLE msg=audit(1539540150.692:60570): >
2018 Oct 23
1
Centos7 & Selinux & Tor
On 10/23/18 2:49 PM, Robin Lee wrote: > On Sun, 2018-10-14 at 20:13 +0200, Robin Lee wrote: >> I've just encountered a problem starting tor. When I do 'systemctl >> start tor' it fails and I get selinux errors in the log. There was a >> suggestion to do full auditing with 'auditctl -w /etc/shadow -p w'. >> Which I did and it gave the following >>