Questions tagged [linux-audit]

Content related to the Linux Audit framework (auditd and its userspace tools), the most widely used auditing system in GNU/Linux distributions.

108 questions
19 votes, 2 answers

How to disable sudo related logging for successful command execution under CentOS/Fedora?

You can disable sudo related log messages by adding something like Defaults:juser !syslog to the sudoers file. That will disable logging to syslog. But under e.g. CentOS/Fedora there is an auditd enabled by default which continues to (verbosely)…
maxschlepzig
16 votes, 1 answer

How to log all system calls made by a process and all its descendants with auditd

I can do auditctl -a always,exit -S all -F pid=1234 to log all the system calls done by pid 1234, and auditctl -a always,exit -S all -F ppid=1234 for its children, but how do I cover the grand-children and their children as well (current and…
Stéphane Chazelas
9 votes, 2 answers

Why do I get "Permission Denied" errors even though I have group permission?

I'm trying to run a game called "Dofus" in Manjaro Linux. I've installed it with packer, which put it under the /opt/ankama folder. This folder (and every file inside it) is owned by the root user and the games group. As instructed by the installing…
Ramon Dantas
7 votes, 1 answer

How to send audit logs with audisp-remote and receive them with netcat

I am trying to configure a CentOS 7 running in VirtualBox to send its audit logs to the host which is FreeBSD 10.3. Ideally, I'd like to receive the logs with FreeBSD's auditdistd(8) but for now I'd just like to be able to use netcat for that. My…
Mateusz Piotrowski
6 votes, 1 answer

How to exclude auditd messages from dmesg and only log them in /var/log/audit.log

I use audit to log suspicious user actions on a workstation in my institution. I found that, in addition to logging to /var/log/audit.log, auditd also writes to /var/log/messages. Consequently, an unprivileged user can view the logged record simply…
Yun-Chih Chen
6 votes, 1 answer

Can someone give an example as to why I'd want to induce a kernel panic using auditd?

We recently implemented some auditd rules in response to an external security audit. My colleague offered some input on them and suggested adding -f 2 to /etc/audit.rules. I can't think of an instance when I would want to induce a kernel panic…
theillien
5 votes, 1 answer

Audit on changes to the running iptables configuration

I'm aware of how to audit for changes to the /etc/sysconfig/iptables file in CentOS/RHEL 6 and earlier, but how do I audit for changes made only to the running configuration?
Bratchley
4 votes, 1 answer

Auditd, Syslog and Journald

I have been investigating these three logging solutions, auditd, syslog and journald, but there are still things that are unclear to me. According to what I read, auditd audits events in the kernel and has a very deep and strong view of the…
Eran Nahshon
4 votes, 1 answer

Can aureport show the full path to files?

I'm tailing auditd.log and piping it into ausearch and then aureport, with the aim of getting a simple stream of modified files: tail -f /var/log/audit/audit.log | ausearch -k my_key | aureport -f --success -i While aureport seems to do the job of…
Cocowalla
4 votes, 0 answers

What is the modern way to develop a Linux auditing kernel module?

I'm new to Linux Kernel development, and I am now assigned a task to develop a Linux kernel module, which can monitor the network, filesystem, USB and serial ports. I am aware of the things like netfilter/iptables, libpcap, inotify and lse (linux…
haohaolee
4 votes, 1 answer

Linux audit events not passed to go-audit

We're attempting to use Slack's go-audit tool to capture/process Linux audit events. More info: https://github.com/slackhq/go-audit The issue is that the Linux audit is correctly picking up events, but these are not being picked up by go-audit, or…
tomg
4 votes, 1 answer

Undocumented format of Linux Audit log records

I am writing a parser for Linux Audit and I stumbled upon some weird cases which don't seem to comply with the standard. My reference is Red Hat's documentation. A proper audit record should look like this: type=USER_CMD…
Mateusz Piotrowski
4 votes, 1 answer

Identifying source of audit messages in kern.log

I recently installed the auditd package on my Debian machine. I did some testing with auditctl, creating a single rule to watch a directory, proved something, and then removed and purged auditd. Subsequently, I'm still seeing these entries in…
EightBitTony
4 votes, 0 answers

Replacement for auditd in OpenVZ

Are there any replacements for auditd to use in OpenVZ containers? ProxMox VE (pve-manager/3.4-6/102d4547 (running kernel: 2.6.32-39-pve)
Someone
4 votes, 1 answer

Disable syslog logging for auditd

auditd is sending logs to /var/logs/messages; we want to disable it. How to do that? In /etc/audisp/plugins.d/syslog.conf I changed active = no but it is still sending logs to syslog
Satish