similar to: httpd writes much to /var? How to audit it properly?

Displaying 20 results from an estimated 3000 matches similar to: "httpd writes much to /var? How to audit it properly?"

2007 Sep 03
1
Linux User Auditing
Is it possible to audit the Linux User Shell? I am trying to gather what commands a user is running on our systems. Can auditd handle this? TIA
2010 Apr 02
0
Watching a file using auditd
Hi, I am using auditd to monitor files for changes (read and write actually). I found that when auditd is running, it will correctly report files that are read, but will not report changes to a file that is being monitored. But if I stop auditd and load audit rules using auditctl, it will work as expected. Here's the audit rule: -w /tmp/audit-test -p rw -k __monitored__ What am I missing
2011 Jun 01
3
puppet and environments ... need help
I'm trying to use environments and seem to be failing. Right now I have 4 defined environments: production, cat, development, beta They are defined as follows on my puppetmaster: cat /etc/puppet/puppet.conf [main] pluginsync = true vardir = /var/lib/puppet manifest = /etc/puppet/environments/production/site.pp modulepath = /etc/puppet/environments/production/modules [master] reports =
2015 Jan 09
1
Asterisk executable suddenly about 40KB larger - modules (Andres)
>I would also start by putting an audit rule on the binary. Something like this: >auditctl -w /usr/sbin/asterisk -p war -k asterisk-bin >then you can get a report on who modified it and when by using: >ausearch -f /usr/sbin/asterisk >Its a start, but eventually you might need to monitor even keystrokes with pam_tty_audit.so to understand who is doing this:
2020 Sep 14
0
Auditd NETFILTER_PKT record missing src port, dst port
Dear team, The auditd log for NETFILTER_PKT event does not contain the src port, destination port, in and out interface. Has it been removed permanently ( https://patchwork.kernel.org/patch/9638183/) or can it be enabled by some configuration by auditctl ? centos version : CentOS Linux release 7.6.1810 (Core) out kernel version : Linux version 3.10.0-1127.8.2.el7.x86_64 (
2017 Jan 29
2
tor and selinux
I'm experimenting with tor hidden services and got it to work nicely on my Centos7, with tor from epel. That is, until I booted the machine. Then SELinux kicked in and in the logs there's [warn] Directory /var/lib/tor/hidden_service/ cannot be read: Permission denied The permissions are drwx------. 2 toranon toranon 4096 Jan 28 23:39 hidden_service And SELinux gives the following
2006 Jun 05
0
Heads up: OpenBSM 1.0a6, per-auditpipe preselection imported to CVS (fwd)
FYI for those working with audit and intrusion detection on FreeBSD. Robert N M Watson ---------- Forwarded message ---------- Date: Mon, 5 Jun 2006 17:01:04 +0100 (BST) From: Robert Watson <rwatson@FreeBSD.org> To: current@FreeBSD.org Cc: trustedbsd-audit@TrustedBSD.org Subject: Heads up: OpenBSM 1.0a6, per-auditpipe preselection imported to CVS This is a heads up to current@ users
2005 Nov 28
1
Is samba or a kernel bug causing my FC4 server to crash?
I've got a fully updated Fedora Core 4 server crashing hard every week or two. I use Samba via smbmount and autofs to read & delete log files on 17 XP boxes and 6 NT4SP6 boxes as well as a couple other Windows file servers every 5 minutes. The first indication of a problem I get is smbmount stops working, then the server becomes unresponsive to the point where only a power slam will fix
2006 Sep 20
2
Status of MFC security event audit support in RELENG_6?
A few weeks back Robert Watson announced the merge of these features from 7 back into 6-STABLE. I hadn't seen any updates and was curious as to the status. Us 6-STABLE users are curious to test it out. Thanks. --A
2015 Jan 24
1
find out who accessed a file
On Sat, January 24, 2015 11:27 am, Tim Dunphy wrote: > Hey guys, > > Unless you're using auditd (or a similar service) to watch the file, > no. You could probably use the logs and `last` to see who was logged > in at the time and make a guess. > > > > Also, you can look into shell history files (though that might be cleaned > by users). Admin is allowed to do
2009 Feb 10
0
process accounting - track PIDs
Hello -- I've done some searching but haven't come up with much yet, I was wondering if there was a way to track PID creation and what command was assigned to a PID? I am trying to track down a locking issue with NFS/NLM where the client PID that initiates the unlock request is not the same PID that initiates the lock request. Even with running "ps auxww" in a "while
2007 Sep 29
0
Why are most audit events apparently non-attributable?
So I'm exploring AUDIT and have this in /etc/security/audit_control: dir:/var/audit flags:lo,fd minfree:20 naflags:lo policy:cnt filesz:0 I tell auditd to reread the config file with audit -s but no file deletion events are logged. I change the config file to: dir:/var/audit flags:lo minfree:20 naflags:lo,fd policy:cnt filesz:0 I type audit -s and am immediately flooded with 20 kilobytes
2007 Sep 29
0
Why are audit events apparently non-attributable?
So I'm exploring AUDIT and have this in /etc/security/audit_control: dir:/var/audit flags:lo,fd minfree:20 naflags:lo policy:cnt filesz:0 I tell auditd to reread the config file with audit -s but no file deletion events are logged. I change the config file to: dir:/var/audit flags:lo minfree:20 naflags:lo,fd policy:cnt filesz:0 I type audit -s and am immediately flooded with 20 kilobytes
2006 Oct 02
0
Audit handbook chapter review, call for general testing
Dear All, Over the past week or so, I have spent some time updating Tom Rhodes' excellent FreeBSD Handbook chapter on Audit for some of the more recent audit changes, such as new features in more recent OpenBSM versions. Since FreeBSD 6.2-BETA2 contains what is likely the final drop of the audit code (modulo any bug fixes) for 6.2-RELEASE, now would be a great time for people interested
2005 Sep 26
0
FC4 xen guest question audit blah logging
Anyone know how to suppress all the audit(1127753401.267:0): user pid=1449 uid=0 length=104 loginuid=4294967295 msg='PAM session close: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success) type logging? A real pita, I don't have auditd installed or selinux, wouldn't let me remove audit-libs and the deps lead me to some pam
2017 Oct 23
0
libvirtd audit log
Hi, according to the libvirt.org Audit log guide, I installed auditd in my system (ubuntu 16.04.2), but when I operate a guest running in the host, I can't find the guest audit log in /var/log/audit/audit.log, audit_level=1. When I change audit_level=2 and restart libvirtd, libvirtd fails to start. Thanks
2013 Apr 08
1
Audit logs source of account triggering it.
Hi. The auditd logs are full of lines referencing 28756E6B6E6F776E207573657229, but I can't identify this account: type=USER_LOGIN msg=audit(1364926580.306:249814): user pid=22565 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=ssh res=failed' What would typically cause this ?
2006 Feb 02
0
HEADS UP: Audit integration into CVS in progress, some tree disruption (fwd)
FYI, since this is probably of interest to subscribers of this mailing list also. Robert N M Watson ---------- Forwarded message ---------- Date: Wed, 1 Feb 2006 22:55:40 +0000 (GMT) From: Robert Watson <rwatson@FreeBSD.org> To: Julian Elischer <julian@elischer.org> Cc: trustedbsd-audit@TrustedBSD.org, Kövesdán Gábor <gabor.kovesdan@t-hosting.hu>, current@freebsd.org
2015 Jul 13
3
rsync --link-dest and --files-from lead by a "change list" from some file system audit tool (Was: Re: cut-off time for rsync ?)
On Mon, 13 Jul 2015 02:19:23 +0000, Andrew Gideon wrote: > Look at tools like inotifywait, auditd, or kfsmd to see what's easily > available to you and what best fits your needs. > > [Though I'd also be surprised if nobody has fed audit information into > rsync before; your need doesn't seem all that unusual given ever-growing > disk storage.] I wanted to take this
2009 Jun 02
1
how to disable lots of auditd messages?
hello all. My system is centos 5.x and there is no module related to auditd, there is no process (daemon) related to auditd, and selinux is definitely disabled. But I can see lots of auditd messages like below. Oct 20 02:01:01 linux kernel: type=1106 audit(1224435661.064:65210): user pid=25860 uid=0 auid=0 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?,