Questions tagged [auditd]

auditd is the Linux user-space daemon that receives audit records from the kernel's Linux Auditing System and writes them to disk (by default /var/log/audit/audit.log). Rules are loaded with auditctl or from /etc/audit/rules.d, and the log is queried with ausearch and aureport.

1 vote
0 answers
74 views

SELinux policy to allow all access to script or to not log anything done by this script

I have a bash script running every 5 minutes in cron, that basically runs some commands like: mkdir, top, grep, date, wait, sleep, jstack. It runs as user bob. It generates a lot of logs and I want to ...
asked by VenomousDuck
2 votes
0 answers
164 views

How to determine what script is deleting files in Linux?

I run a Plex Media Server (PMS) on an Ubuntu 22.04 system. There's been no update to the PMS libraries for a while, and I recently started adding a few movies to the collection. But what I've found ...
asked by Dennis
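The question above ("How to determine what script is deleting files in Linux?") is the classic case for the log format the tag description refers to: every auditd event is a set of records (SYSCALL, CWD, PATH, PROCTITLE, ...) that share the serial inside msg=audit(timestamp:serial), and a deletion shows up as a PATH record with nametype=DELETE. The following is an added example, not code from the question or from the audit project: it parses constructed audit.log lines (assumed to come from a watch such as `-w /srv/media -p wa -k media_delete`; the paths, PIDs, key name and the /opt/cleanup.py script are invented) and reports, for each deleted file, the deleting process, its login uid (auid) and its command line decoded from the hex-encoded PROCTITLE record.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log records (not captured from a
# real host).  Three events, grouped by the serial in msg=audit(ts:serial):
#   4567  an interactive user runs "rm" on a watched file (unlinkat, x86_64 263)
#   4568  a cron-started python script deletes another file; auid is unset
#   4570  an openat() on a file in the same directory, which is not a deletion
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55d0c3f2a2b0 a2=0 a3=0 items=2 ppid=1000 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="media_delete"
type=CWD msg=audit(1700000000.123:4567): cwd="/home/dennis"
type=PATH msg=audit(1700000000.123:4567): item=0 name="/srv/media/" inode=131 dev=fd:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1700000000.123:4567): item=1 name="/srv/media/movie.mkv" inode=2048 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1700000000.123:4567): proctitle=726D002F7372762F6D656469612F6D6F7669652E6D6B76
type=SYSCALL msg=audit(1700000300.456:4568): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=7f3a1c0012f0 a2=0 a3=0 items=2 ppid=700 pid=777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python3" exe="/usr/bin/python3" key="media_delete"
type=CWD msg=audit(1700000300.456:4568): cwd="/"
type=PATH msg=audit(1700000300.456:4568): item=0 name="/srv/media/" inode=131 dev=fd:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1700000300.456:4568): item=1 name="/srv/media/old.mkv" inode=2049 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1700000300.456:4568): proctitle=707974686F6E33002F6F70742F636C65616E75702E7079
type=SYSCALL msg=audit(1700000400.789:4570): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c3f2a400 a2=0 a3=0 items=1 ppid=1000 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="media_delete"
type=PATH msg=audit(1700000400.789:4570): item=0 name="/srv/media/notes.txt" inode=2050 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1700000400.789:4570): proctitle="cat"
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# String fields the kernel emits hex-encoded (unquoted) instead of quoted when
# they contain NUL, quotes or non-printable bytes; proctitle always has NUL
# separators between argv entries, so it is nearly always hex.
HEX_ENCODED = {"proctitle", "name", "comm", "exe", "cwd"}


def _decode_hex_field(value):
    """Turn a hex-encoded audit string into text; NUL separators become spaces."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value  # e.g. "(null)": leave as-is
    return " ".join(p.decode("utf-8", "replace") for p in raw.split(b"\0") if p)


def parse_record(line):
    """Parse one audit.log line into a dict, or return None if it is not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {}
    for key, value in FIELD_RE.findall(body):
        if value.startswith('"'):
            fields[key] = value[1:-1]
        elif key in HEX_ENCODED:
            fields[key] = _decode_hex_field(value)
        else:
            fields[key] = value
    fields.update(type=rtype, ts=float(ts), serial=int(serial))
    return fields


def group_events(text):
    """Group records into events keyed by the serial from msg=audit(ts:serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def find_deletions(text):
    """Return one dict per successfully deleted path, with the process that removed it."""
    results = []
    for serial, recs in sorted(group_events(text).items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        deleted = [r["name"] for r in recs
                   if r["type"] == "PATH" and r.get("nametype") == "DELETE"]
        if syscall is None or not deleted or syscall.get("success") != "yes":
            continue
        proctitle = next((r["proctitle"] for r in recs if r["type"] == "PROCTITLE"), "")
        auid = syscall["auid"]  # login uid: survives su/sudo; 4294967295 means never set
        for path in deleted:
            results.append({
                "serial": serial, "ts": syscall["ts"], "path": path,
                "pid": syscall["pid"], "ppid": syscall["ppid"],
                "auid": "unset" if auid == "4294967295" else auid,
                "exe": syscall["exe"], "comm": syscall["comm"],
                "cmdline": proctitle, "key": syscall.get("key"),
            })
    return results


if __name__ == "__main__":
    for hit in find_deletions(SAMPLE_LOG):
        print(f'{hit["ts"]:.3f} serial={hit["serial"]} auid={hit["auid"]} pid={hit["pid"]} '
              f'exe={hit["exe"]} deleted {hit["path"]!r} via: {hit["cmdline"]}')
```

On a live system the same correlation is what `ausearch -k media_delete -i` does for you (the -i flag decodes the hex fields and resolves uids and syscall numbers); the parser is useful when the log has been shipped elsewhere or when you want to script over it. Note the auid handling: the login uid is set once at login and is carried through su and sudo, so it identifies the human behind a root shell, whereas an auid of 4294967295 (unset) points at something started by cron, systemd or another daemon rather than an interactive session.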
0 votes
0 answers
136 views

Auditd detects file changes in some paths but doesn't work in others

I'm new to Auditd, I'm trying to watch for changes for some files but I can't get it to work, here are my example rules: -D # this works -a always,exit -F path=/home2/ubuntu/test -F perm=war -F key=...
asked by flagg19
0 votes
1 answer
186 views

auditd not loading plugin on Debian 10

I am trying to load a plugin (laurel) in auditd on Debian 10. It loads and works on Debian 11 but I need it to run on Debian 10. I have the laurel binary in /etc/audit/plugins.d. When I begin auditd ...
asked by kathyl
1 vote
0 answers
115 views

Partition keeps getting corrupted. How to prevent or boot anyway?

I am running RHEL7, and my audit log partition randomly (not often, but often enough to annoy me) gets corrupted, preventing me from booting. How can I either prevent the partition from being ...
asked by dberm22
0 votes
0 answers
113 views

How to downgrade or upgrade AuditD on Red Hat 8

OS version = Red Hat Enterprise Linux release 8.6 (Ootpa) Kernel version = 4.18.0-425.3.1.el8.x86_64 I can't find a way to upgrade/downgrade auditd or auditctl. I must change the version of the auditd/...
asked by Ariel Silver
1 vote
0 answers
38 views

AuditD - right usage and syntax of -q flag in rules

I would like to use -q flag in auditd rule, but the rule with the -q flag is not working or even added into the rules list. I have rule like this: -a always,exit -F path=/home/lukashubl/ -q /home/...
asked by lukas.hubl
0 votes
1 answer
116 views

Include elevated sudo users in the log

I'm new here, but I tried looking but couldn't get how to do it... I have an ec2 linux box. When a user directly connects to the machine I can view its ssh ip. Now when a user does sudo -s for example ...
asked by MDray
4 votes
0 answers
415 views

How to get persistent audit logs?

I am currently trying to figure out which application is creating a mysterious socket file called "no" in my home directory. It happens only every few weeks, that is why I have setup auditd ...
asked by Philipp Ludwig
11 votes
1 answer
10k views

How to stop journalctl showing audit logs and only keep it in a file?

I would like to have all auditd logs only in its own log file and keep my journalctl view less polluted with events that, most of the time, are generated by my own actions (single-user/personal ...
asked by Wereii
0 votes
1 answer
484 views

CentOS 8 auditd AVC denials message flood caused by denied setuid

Today my CentOS 8 suddenly froze and stopped responding to user input. When I tried to log in from the console, I saw messages like these: audit: backlog limit exceeded audit: backlog limit exceeded audit: ...
asked by iBro X
1 vote
1 answer
223 views

How to configure Auditd to see directory name change?

In my /etc/audit/audit.rules, I have the following watch: -w /some/place/special -p rwxa -k my_key On my filesystem, I have the following tree: /some/place/special/foo/test-rename/james/sub-...
asked by Bill
1 vote
1 answer
86 views

RH / OL 6 auditd login user not audited

I want to audit all commands on Linux servers. We all have our own login accounts to do things but sometimes we need root access. That's no problem. But when logging in with my user my actions aren't ...
asked by S.J.
0 votes
0 answers
1k views

rsyslogd vs auditd? Are they alternatives, or do they complement each other?

I see that both auditd and rsyslogd services are running (on my openSUSE Leap 15 box). A quick Google didn't give a good answer. Are these services doing the same job? i.e. Could I get rid of one of ...
asked by Corvus Corax
1 vote
1 answer
977 views

auditctl: Syscall name unknown: socket

I have my original problem described here: https://serverfault.com/questions/958571/what-these-dns-queries-means. It's about UDP packets, the origin of which I can not determine. To solve the problem ...
asked by klpu39