Questions tagged [audit]

159 questions
62 votes | 1 answer
How do I monitor opened files of a process in real time?

I know I can view the open files of a process using lsof at that moment in time on my Linux machine. However, a process can open, alter and close a file so quickly that I won't be able to see it when monitoring it using standard shell scripting…
gertvdijk
23 votes | 3 answers
How to disable useless "audit success" log entries in dmesg

Short version: How to disable audit messages (dmesg) on a Fedora system? A Fedora system keeps logging "audit: success" messages in dmesg, in such an extreme way that dmesg has become unusable because it's filled up by these messages (dmesg | grep…
basic6
22 votes | 4 answers
Finding command execution time in hindsight

I've just executed a long-running process from the bash prompt. In hindsight, I wish I'd run time on it, or noted down the time at which I kicked it off. Is there any way of getting this information retrospectively? The .bash_history doesn't seem to…
Graham Borland
19 votes | 2 answers
How to disable sudo related logging for successful command execution under CentOS/Fedora?

You can disable sudo related log messages via adding something like Defaults:juser !syslog to the sudoers file. That will disable logging to syslog. But under e.g. CentOS/Fedora there is an auditd enabled by default which continues to (verbosely)…
maxschlepzig
18 votes | 3 answers
Is there an easy way to log all commands executed, including command line arguments?

I am trying to find how to log a specific instantiation of rrdtool to see whether the path it is receiving is incorrect. I know I could wrap the executable in a shell script that would log the parameters, but I was wondering if there was a more…
Peter Grace
16 votes | 1 answer
How to log all system calls made by a process and all its descendants with auditd

I can do auditctl -a always,exit -S all -F pid=1234 to log all the system calls done by pid 1234 and auditctl -a always,exit -S all -F ppid=1234 for its children, but how do I cover the grand-children and their children as well (current and…
Stéphane Chazelas
10 votes | 3 answers
Proper syntax for "id -r" command

I'm trying to see if id -r will print out the UID or username of the user who logged into the system despite any su's or sudo's. I'm interested in doing this so I can keep people a little more accountable and to tailor script functioning accordingly…
Bratchley
10 votes | 2 answers
Display a file's history (list of users that have modified a file)

Is there a command to display a list of users who modified a file, providing a file history? I know that's possible with svn/git etc., but we have a config file that is not in SVN and someone modified it.
Abdullah
9 votes | 1 answer
How to audit access to any file or folder within a given path for specific user

I've been reading some information about configuration of auditd and I just can't figure this out. What I know how to do: log specific system calls by a user; log access to a specific file by all users. What I can't figure out, however, is how to set…
Petr
9 votes | 2 answers
Why do I get "Permission Denied" errors even though I have group permission?

I'm trying to run a game called "Dofus", in Manjaro Linux. I've installed it with packer, which put it under the /opt/ankama folder. This folder's ownership (and for every file inside it) is root user, and games group. As instructed by the installing…
Ramon Dantas
8 votes | 2 answers
How do I add network or user source connection data to history entries?

I would like to modify the history settings for all users on the systems that I manage. I would like it to contain the information from the connecting terminal like from who sysadmin:/ # who sysadmin pts/0 Mar 26 07:11…
2bc
8 votes | 1 answer
How to best track adventures of a novice administrator

I have this user that has limited sudo privileges, yet he manages to screw up from time to time. I would like to keep an eye on his adventures, so that I can reverse any damage with less digging. Ideally, I'd want a service with the following…
Ondřej Grover
8 votes | 2 answers
How do I view executables run by a program?

Is there a way to view or get a list of executables that a program uses? A particular example is file-roller. Is there a way to see which executables it uses, if there is more than one executable it could use for the same task, e.g. unrar and…
Eric
7 votes | 3 answers
Uncover sudoer user with root privileges which ran command X?

I'm the main sysadmin of a system. In the system there are 3 sudoers users with root privileges. The system runs a script in the background which checks the hash of system utilities to detect possible malicious changes. Today I was alerted that the…
user1464633
7 votes | 2 answers
List all programs used by a shell script

I'm trying to figure out a method to list all the programs that a script will use when it will be run, without actually running it. I've written these quick and dirty one-liners: # fill an array with all the useful words except variables, options,…
baselab