Questions tagged [auditd]

auditd is the userspace component of the Linux Auditing System.

0 votes
1 answer
277 views

I've encountered an odd behavior I do not fully understand. Journald is suppressing auditd messages being sent out by rsyslog to a remote server for some reason on my CentOS 7-x64 VM: That's the ...
shark0x00
2 votes
0 answers
264 views

On some Ubuntu 22 and 24 systems, syslog is being cluttered with messages like this, which are completely uninteresting: Feb 05 16:17:01 myhost.example.com audit[353829]: AVC apparmor="ALLOWED"...
Troels Arvin
1 vote
1 answer
407 views

I have an /etc/audit/rules.d/audit.rules file with the following: -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 ...etc... -a always,exit -F arch=b64 -S chown,fchown,...
MarkX999
0 votes
1 answer
113 views

I am trying to log file operations using auditd (audit 4.0.1) and came across an issue with moving files. If I include the filename in the destination: mv /mnt/user/home/file.txt /mnt/user/home/...
user2328273
1 vote
0 answers
25 views

I've installed the lwp-download package on Debian 11 and added some rules to the auditd custom.rules file. -i --reset-lost -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/lwp-download -k github_bash ...
Ilya Shmadchenko
0 votes
1 answer
242 views

I have AuditD running and one process likes to constantly spawn child processes that do the same activity. Is there a way to have rsyslog not send the same log message again? The hard part is the ...
Jason
0 votes
0 answers
541 views

I have a system where we use PHP to run some rudimentary health checks on the server. When hitting a status page, it verifies that certain processes are running, and returns an error message if ...
Jared
1 vote
0 answers
720 views

I configured auditd to send the logs to SIEM through rsyslog. But when I get those logs the proctitle is in hex. Ex.: <134>Aug 25 17:08:44 vmauditd tag_audit_log: node=vmauditd type=PROCTITLE ...
Sandson Costa
1 vote
1 answer
240 views

When using an email address in /etc/audit/auditd.conf, there is an option verify_email which is defined as, This option determines if the email address given in action_mail_acct is checked to see if ...
J'e
3 votes
1 answer
8k views

I have some Linux servers that are getting errors like the below in the logs... auditd[1074]: Error receiving audit netlink packet (No buffer space available) I know HOW to resolve the issue (tweak ...
Egyas
1 vote
1 answer
895 views

On Ubuntu 20, I'm trying to send audit logs to [email protected]. I do have a real domain and email server but I'm redacting them here. When I trigger an audit event, the email is instead sent ...
J'e
2 votes
2 answers
3k views

I recently had an issue where my server powered off in the middle of running a script, seemingly randomly, but at about the same point each time, and then whenever I tried to power the server on again ...
Dave
1 vote
1 answer
228 views

I'm updating our Auditd rules (Red Hat Linux) to log all tty/interactive commands from all users. That part works no problem. What I'm trying to do now is to exclude commands issued by our salt-...
Egyas
0 votes
1 answer
462 views

I am running RHEL7, and my audit log partition randomly (not often, but often enough to annoy me) gets corrupted, preventing me from booting. How can I either prevent the partition from being ...
dberm22
1 vote
2 answers
1k views

Some application (it's unknown which) makes sporadic, irregular, rare, short outbound HTTP(S) requests to a known host/port/URL (this is a WAF honeypot; host/URL/port is known) using the HTTPS protocol. ...
lospejos
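Two of the questions above share one underlying task: reading raw audit records once they have left auditd. The PROCTITLE question (proctitle arrives at the SIEM as hex) and this last question (which program is making the outbound HTTPS requests) both need the hex-encoded string fields decoded and the SYSCALL, SOCKADDR and PROCTITLE records of one event stitched back together by their msg=audit(time:serial) id. The following is an added example, written for this page; it is not code from any of the posters, from auditd or from the audit-userspace project (ausearch -i performs the same decoding natively, but that is not available once the lines sit in a remote syslog/SIEM). It assumes a rule such as -a always,exit -F arch=b64 -S connect -k outbound is loaded (add the arch=b32 twin if 32-bit binaries run on the host), and the sample records, rsyslog prefix included, are constructed for the example: the epoch timestamps, serials, pids and addresses are invented.

```python
import re
import struct
import socket
from collections import defaultdict
from typing import Dict, List, Union

Value = Union[str, List[str]]

# String fields the kernel hex-encodes (unquoted hex digits) whenever the value
# holds a space, a double quote or a non-printable byte. a0..a3, pid, ses etc.
# are unquoted numbers by design and must not be run through this decoder.
HEX_STRING_FIELDS = {"proctitle", "comm", "exe", "cwd", "name", "key", "acct", "path"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')
SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

# Linux address-family numbers: the records come from Linux whatever host runs this.
LINUX_AF_INET, LINUX_AF_INET6 = 2, 10


def decode_string_field(name: str, raw: str) -> Value:
    """Return the printable value of one string field, decoding hex if needed."""
    if raw.startswith('"') and raw.endswith('"'):
        text = raw[1:-1]
    elif HEX_RE.match(raw):
        text = bytes.fromhex(raw).decode("utf-8", "replace")
    else:
        return raw                                   # e.g. exe=(null)
    if name == "proctitle":
        return text.rstrip("\x00").split("\x00")     # argv entries are NUL-separated
    if name == "key":
        return text.split("\x01")                    # several -k keys are joined with 0x01
    return text


def decode_saddr(raw: str) -> str:
    """Decode a SOCKADDR record's saddr= blob: the raw struct sockaddr as hex."""
    data = bytes.fromhex(raw)
    family = struct.unpack("<H", data[:2])[0]        # sa_family is host order (x86: little-endian)
    if family == LINUX_AF_INET:                      # sockaddr_in: family, port (BE), addr
        port = struct.unpack("!H", data[2:4])[0]
        return "%s:%d" % (socket.inet_ntop(socket.AF_INET, data[4:8]), port)
    if family == LINUX_AF_INET6:                     # sockaddr_in6: family, port, flowinfo, addr
        port = struct.unpack("!H", data[2:4])[0]
        return "[%s]:%d" % (socket.inet_ntop(socket.AF_INET6, data[8:24]), port)
    return "family=%d" % family                      # AF_UNIX, AF_NETLINK, ...


def parse_record(line: str) -> Dict[str, Value]:
    """Split one audit record (syslog prefix allowed) into decoded fields."""
    fields: Dict[str, Value] = {}
    m = SERIAL_RE.search(line)
    if m:
        fields["_time"], fields["_serial"] = m.group(1), m.group(2)
    for name, raw in FIELD_RE.findall(line):
        if name in HEX_STRING_FIELDS:
            fields[name] = decode_string_field(name, raw)
        elif name == "saddr":
            fields[name] = decode_saddr(raw)
        else:
            fields[name] = raw.strip('"')
    return fields


def group_events(lines: List[str]) -> Dict[str, Dict[str, Value]]:
    """Merge the SYSCALL/SOCKADDR/PROCTITLE/... records that share one serial."""
    events: Dict[str, Dict[str, Value]] = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if "_serial" in rec:
            events[str(rec["_serial"])].update(rec)
    return dict(events)


def outbound_connects(lines: List[str]) -> List[Dict[str, str]]:
    """Which executable connected where: every event that carries a SOCKADDR record."""
    out = []
    for serial, ev in sorted(group_events(lines).items(), key=lambda kv: int(kv[0])):
        if "saddr" not in ev:
            continue
        argv = ev.get("proctitle", [])
        out.append({"serial": serial, "pid": str(ev.get("pid", "?")), "exe": str(ev.get("exe", "?")),
                    "dest": str(ev["saddr"]),
                    "argv": " ".join(argv) if isinstance(argv, list) else str(argv)})
    return out


# Constructed sample records (not from the page): the rsyslog prefix style of the
# PROCTITLE question, one connect() event (serial 4567) and one execve event (4568).
PREFIX = "<134>Aug 25 17:08:44 vmauditd tag_audit_log: node=vmauditd "
SAMPLE_LINES = [
    PREFIX + "type=SYSCALL msg=audit(1598371724.123:4567): arch=c000003e syscall=42 success=yes "
             "exit=0 a0=3 a1=7ffd5c3e2a40 a2=10 a3=0 items=0 ppid=1 pid=2031 auid=4294967295 "
             "uid=0 gid=0 tty=(none) ses=4294967295 comm=\"curl\" exe=\"/usr/bin/curl\" key=\"outbound\"",
    PREFIX + "type=SOCKADDR msg=audit(1598371724.123:4567): saddr=020001BBC0A800010000000000000000",
    PREFIX + "type=PROCTITLE msg=audit(1598371724.123:4567): "
             "proctitle=2F7573722F62696E2F6375726C002D73003139322E3136382E302E31",
    PREFIX + "type=SYSCALL msg=audit(1598371725.001:4568): arch=c000003e syscall=59 success=yes "
             "exit=0 ppid=2031 pid=2032 auid=1000 uid=1000 comm=\"ls\" exe=\"/usr/bin/ls\" key=\"exec\"",
    PREFIX + "type=CWD msg=audit(1598371725.001:4568): cwd=2F746D702F6D7920646972",
    PREFIX + "type=PROCTITLE msg=audit(1598371725.001:4568): proctitle=2F7573722F62696E2F6C73002D6C",
]

if __name__ == "__main__":
    for ev in outbound_connects(SAMPLE_LINES):
        print(ev)                                    # serial 4567: /usr/bin/curl -> 192.168.0.1:443
    print(group_events(SAMPLE_LINES)["4568"]["cwd"])  # the space in "/tmp/my dir" forced hex encoding
```

Two caveats worth keeping in mind when using this against real data: the kernel caps the proctitle it records (128 bytes), so long command lines come back truncated no matter who decodes them; and only the string fields listed in HEX_STRING_FIELDS may be decoded as text, because a0..a3, saddr and the like are hex by definition and decoding them as UTF-8 produces garbage that looks plausible. Filtering the outbound_connects() output on dest ending in ":443" narrows it to the HTTPS traffic the last question is after.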