Questions tagged [audit]
175 questions
4 votes, 1 answer, 275 views
How to log events on a directory (deletion)
I have a folder on my RHEL 9 server that gets deleted every few days, but I don’t know which process or user is responsible.
I’d like to log all events related to this folder, particularly deletions.
...
0 votes, 0 answers, 14 views
HP-UX 10.20: auditing enabled and report... nothing
I have enabled auditing on HP-UX 10.20
vim /etc/rc.config.d/auditing
AUDITING=1
PRI_AUDFILE=/.secure/etc/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/.secure/etc/audfile2
SEC_SWITCH=1000
AUDEVENT_ARGS1="...
0 votes, 0 answers, 60 views
Configuring audit log and Syslog collection over TLS
I have two RHEL 9.4 systems and I want to configure auditing on both. One RHEL system will be used as a basic Linux system for testing, and the other will be used as a Syslog server for ...
0 votes, 1 answer, 267 views
dmesg log being flooded by audit, can I somehow prevent it?
I'm torrenting with Transmission GTK. My dmesg log is being flooded by audit, and without knowing what good it is for (I do not even care much), I cannot use dmesg for other purposes. It floods so fast ...
0 votes, 0 answers, 160 views
How can I get `auditctl` to provide error information?
EDIT
This may be the result of an issue with the Arch package.
I am learning to use the Linux audit system. Right now I have several rulesets in the /etc/audit/rules.d directory.
When I run
...
0 votes, 0 answers, 234 views
AuditD: understanding exit, always, exclude, never
I see these four (exit, always, exclude and never) commonly used in many different combinations like below:
-a exit,always
-a exit,never
-a exclude,always
-a exclude,never
I'm trying to understand what ...
0 votes, 0 answers, 98 views
Auditd not logging certain user management events
I'm trying to track user management changes such as adding users to groups.
I'm currently testing it on 2 machines and receive different results:
Ubuntu 22.04.3 LTS (Jammy Jellyfish)
Rocky Linux 9.2 (...
0 votes, 0 answers, 46 views
AuditD - tuning out parent and children
I'm reading over the AuditD readmes and I see how you can use filters, but is there a way to tune out a parent and any activity it creates, along with its child processes?
For example, I ...
0 votes, 1 answer, 262 views
auditd logs - /lib/ld-linux-x86-64.so.2 flooding logs
I am running auditd on a Debian 11 server with a very generic set of audit rules. The audit log is filled with entries like the ones below. I'm not sure what they are; can anyone help identify them? I'm ...
2 votes, 1 answer, 403 views
Enabling command hashing in tcsh
It seems command hashing is disabled by default in our tcsh environment, and I'm not permitted to get it enabled across the board. Instead I'm looking to enable command hashing within individual ...
1 vote, 1 answer, 125 views
Force tcsh to check whether a command exists in the path before attempting to execute it
I've noticed that tcsh, regardless of whether the "-f" flag is passed on the shebang line, will iterate through $PATH and try to execute the command from each path until the command is found. ...
1 vote, 1 answer, 514 views
How do I configure auditd to print the ppid name, not just the ppid?
The OS is Debian. I have set up auditd to try to determine what is rebooting a system.
I have the following rule:
-a exit,always -F arch=b64 -S execve -F path=/bin/systemctl -k debug_test
Creating a ...
0 votes, 1 answer, 2k views
audit rule doesn't load via systemctl restart auditd
I was trying to see what was enabling IPv4 forwarding in the file /proc/sys/net/ipv4/ip_forward (I've discovered that this was Docker, but I'd still like to understand my auditd issue).
So I decided to ...
0 votes, 0 answers, 170 views
Find most common offender in audit.log
I have a situation where a clean install of RHEL 8.8, running auditd with a given /etc/audit/rules.d/audit.rules file, produces a /var/log/audit/audit.log that is greater than 4 GB. This is ...
0 votes, 1 answer, 53 views
User set up with misspelled name - CentOS 8
I have a user with a misspelled username on my CentOS 8 system, which I thought I had corrected, but I have noticed the username is showing up in the audit log incorrectly.
The correct username is:
...