Content related to the Linux Audit standard, which is the most popular auditing tool used in GNU/Linux distributions.
Questions tagged [linux-audit]
109 questions
2
votes
1 answer
How to parse audit_cmd in auditd logs?
I have some lines of auditd.log that contains the key audit_cmd followed by a long string of HEX.
type=USER_CMD msg=audit(): pid= uid= auid= ses=72940 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023…

Tom Klino
- 842
2
votes
0 answers
Is it possible to have auditd log different rules in different log files?
I would like to have some rules logged in a file that is not the default log file defined in /etc/audit/auditd.conf. Is there a way to have auditd log some rules in a separate file?
Something like -w /tmp -LOGFILE /var/log/someother/location/log?

Tom Klino
- 842
2
votes
1 answer
Using auditd to capture "permission denied" notices
I'm trying to figure out how to log/track when a user gets a Permission denied notice after attempting to access a file. I've read that adding a rule to /etc/audit/audit.rules can accomplish this.
The only suggestion that I've seen mentioned appears…

theillien
- 1,308
1
vote
0 answers
How does auditd get notified that the current audit.log is at its max size?
We recently realized that our current configuration for auditd was causing our /var/log/audit filesystem to become full so I started to play around with the /etc/audit/auditd.conf file to try to fix that. I modified the conf file to look like…

Zack Schmidt
- 41
- 3
1
vote
1 answer
auditd exchange protocol
I'm currently working with auditd. It can be configured to send logs to a remote server using audispd.
But instead of running another auditd instance on a target machine I just want to write my own program to process incoming logs. And here is the…

Hubert
- 111
1
vote
0 answers
Interpreting auditd logs part1
Recently, we've enabled auditd on one of our CentOS 7.3 servers and while reviewing some basic reports, I've noticed there's a ton of failed events, say around ~10K a day:
# aureport -x --failed | grep 03/29 | wc -l
10454
I'm trying to understand…

user223509
- 11
1
vote
0 answers
Why is the "wrong" process killed?
I am using auditd to monitor my system for kills.
Normally I see the following pair of lines. As an example from a bash shell I have performed a kill -9 on a sleep command with pid 16207.
As I understand it, a0=3f4f in the SYSCALL is the hex…

BarneyW
- 11
1
vote
0 answers
linux audit rules excluding based on type msg exe, for the su command
I have the below events that occur repeatedly in my audit.log.
Can someone provide the valid syntax of the rule for the audit.rules file, that would prevent these 6 specific entries?
Ideally I want the filter to apply for type= for the six shown…

ron
- 6,575
0
votes
1 answer
Audit log configuration solution
I have a RHEL server in which I have configured an audit rule to log a specific event. I wanted to forward those logs to a remote syslog server. I couldn't find a way to forward those specific logs so I configured forwarding for all audit logs to…
0
votes
0 answers
auditd: re/load of rules on reboot only
Is it possible to configure the auditd system from the LAS only in such a way that the rules are loaded after a reboot of the system?
Currently it needs a restart of the service through systemctl restart auditd; however, I would…
user594385
0
votes
0 answers
auditd does not record actions by apache/php
I have a PHP/Apache2-based webservice and I want to audit every file-IO action it does.
I use auditd as recommended here.
I set up audit.d like this:
## enable ruleset
-e 1
## limit rate
-r 1000
## monitor
-w /var/www/html/my/path/ -p rwxa -k…

Paflow
- 101
0
votes
1 answer
auditd augenrules lost meaning
[root@rock:/var/log/audit] : service auditd status
Redirecting to /bin/systemctl status auditd.service
auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
…

ron
- 6,575
0
votes
1 answer
Is there an alternative to auditd enabling different log files per filters?
Auditd does not allow logging different filters to different files (cf. man pages). Is there an alternative to it that makes this possible, in particular to separate account activities?

lalebarde
- 203