similar to: FC4 xen guest question audit blah looging

Hi All. I currently use: Apache/2.2.21 on: 2.6.32-279.9.1.el6.centos.plus.x86_64 CentOS release 6.3 (Final) >From time to time (it happenes on different machines) I have a very high load up to 100, and I see that there are up to 300/s writes to /var at the same time. Apache restart solves the problem. I would like to know the reason so I decided to use auditd. I've used: auditctl -w /var

Hi all, I've had this error rear it's ugly head again and I'm not exactly sure why. The output in /var/log/message is: crond[14764]: pam_loginuid(crond:session): set_loginuid failed opening loginuid crond[14765]: pam_loginuid(crond:session): set_loginuid failed opening loginuid crond[14811]: pam_loginuid(crond:session): set_loginuid failed opening loginuid

So I'm exploring AUDIT and have this in /etc/security/audit_control: dir:/var/audit flags:lo,fd minfree:20 naflags:lo policy:cnt filesz:0 I tell auditd to reread the config file with audit -s but no file deletion events are logged. I change the config file to: dir:/var/audit flags:lo minfree:20 naflags:lo,fd policy:cnt filesz:0 I type audit -s and am immediately flooded with 20 kilobytes

So I'm exploring AUDIT and have this in /etc/security/audit_control: dir:/var/audit flags:lo,fd minfree:20 naflags:lo policy:cnt filesz:0 I tell auditd to reread the config file with audit -s but no file deletion events are logged. I change the config file to: dir:/var/audit flags:lo minfree:20 naflags:lo,fd policy:cnt filesz:0 I type audit -s and am immediately flooded with 20 kilobytes

Dear All, Over the past week or so, I have spent some time updating Tom Rhodes' excellent FreeBSD Handbook chapter on Audit for some of the more recent audit changes, such as new features in more recent OpenBSM versions. Since FreeBSD 6.2-BETA2 contains what is likely the final drop of the audit code (modulo any bug fixes) for 6.2-RELEASE, now would be a great time for people interested

Hi I according to libvirt.org Audit log guide ,I install auditd in my system(ubuntu 16.04.2), but when I operate guest running in host, I can't not find guest audit log in /var/log/audit/audit.log, audit_level=1. when I change audit_level=2, I restart libvirtd, libvirtd start failed. Thanks

Hi. The auditd logs are full of lines referencing 28756E6B6E6F776E207573657229 , but I can't identify this account type=USER_LOGIN msg=audit(1364926580.306:249814): user pid=22565 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=ssh res=failed' What would typically cause this ?

CentOS 4 - updated to current, rebooted to new kernel and now I can't get mysqld to start... # service mysqld start Timeout error occurred trying to start MySQL Daemon #tail -n 4 /var/log/messages Nov 12 00:48:56 srv1 kernel: audit(1131781736.221:4): avc: denied { write } for pid=4874 comm="mysqld" name="tmp" dev=dm-0 ino=2894305 scontext=root:system_r:mysqld_t

Hi, I am not very experienced with SELinux and I have a problem which I can't track down. Any help would be really appreciated. I have an 'install everything' Centos 4.2 system which I am using as a workstation. Before anyone tells me off for installing everything, I have done this in order to get used to CentOS before using it on live servers. Anyway when I log into X (gnome, gdm)

thanks for the head up. what os are you running on the blades?? Phillip James System Administrator The Garden City Group, Inc. 105 Maxess Road Melville, NY 11747-3836 Phone: (631) 470-5044 Fax: (631) 940-6561 E-mail: Phillip.James at GardenCityGroup.com ==================================================== This communication (including any attachments) is intended for the use of the intended

I have a Redhat 8.0 box with many external connections. Several nfs and 3 samba. Today I tried to reattach to one on my mounts and I am geting "Could not resolve mount point /mnt/dir". If I do an ls -a I can see the dir, but when adding the l option to ls it does not show up. fuser returns for the dir, Input/output error I apologize if this has nothing to do with Samba, but I am

FYI, since this is probably of interest to subscribers of this mailing list also. Robert N M Watson ---------- Forwarded message ---------- Date: Wed, 1 Feb 2006 22:55:40 +0000 (GMT) From: Robert Watson <rwatson@FreeBSD.org> To: Julian Elischer <julian@elischer.org> Cc: trustedbsd-audit@TrustedBSD.org, K?vesd?n G?bor <gabor.kovesdan@t-hosting.hu>, current@freebsd.org

On Mon, 13 Jul 2015 02:19:23 +0000, Andrew Gideon wrote: > Look at tools like inotifywait, auditd, or kfsmd to see what's easily > available to you and what best fits your needs. > > [Though I'd also be surprised if nobody has fed audit information into > rsync before; your need doesn't seem all that unusual given ever-growing > disk storage.] I wanted to take this

hello all. My system is centos 5.x and there is no module related auditd there is no process(daemon) related auditd and selinux definately disabled. But I can see lots of auditd messages like below. Oct 20 02:01:01 linux kernel: type=1106 audit(1224435661.064:65210): user pid=25860 uid=0 auid=0 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?,

Hey folks, Here at USC we have a few changes we make to the source code for various reasons -- and we have to make them for each new version. I always shrugged off sending a patch in because the changes felt very internal, but the more I think about it, the more I think perhaps they would be good for the main tree. Additionally, the more of this that gets into the main tree the easier upgrades

Is it possible to audit the Linux User Shell? I am trying to gather what commands a user is running no our systems. Can auditd handle this? TIA -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20070903/3d4d491d/attachment.html>

Greetings: i have an x86_64 Centos5.3 box and i'm trying to run auditd. it fails on startup and this is the O/P at the end: config_manager init complete Error setting audit daemon pid (Connection refused) type=DAEMON_ABORT msg=audit(1260554376.697:5674): auditd error halt, auid=4294967295 pid=32702 res=failed Unable to set audit pid, exiting The audit daemon is exiting. Error setting

FYI for those working with audit and intrusion detection on FreeBSD. Robert N M Watson ---------- Forwarded message ---------- Date: Mon, 5 Jun 2006 17:01:04 +0100 (BST) From: Robert Watson <rwatson@FreeBSD.org> To: current@FreeBSD.org Cc: trustedbsd-audit@TrustedBSD.org Subject: Heads up: OpenBSM 1.0a6, per-auditpipe preselection imported to CVS This is a heads up to current@ users

Hi, I am using auditd to monitor files for changes (read and write actually). I found that when auditd is running, it will correctly report files that are read, but will not report changes to a file that is being monitored. But if I stop auditd and load audit rules using auditctl, it will work as expected. Here's the audit rule: -w /tmp/audit-test -p rw -k __monitored__ What am I missing

All of a sudden I can no longer ssh into my server running CentOS 4.5 This is what happens: [john at lt-131-jdl-f7 ~]$ ssh -Y -p 2222 192.168.0.1 john at 192.168.0.1's password: Connection to 192.168.0.1 closed by remote host. Connection to 192.168.0.1 closed. And yes, the account does exist and the password is correct! Looking at the logs, I see this: Jun 7 18:51:37 moray1