Questions tagged [audit]
The audit tag has no usage guidance.
169 questions
0 votes · 0 answers · 20 views
Auditd not logging certain user management events
I'm trying to track user management changes such as adding users to groups.
I'm currently testing it on 2 machines and receive different results:
Ubuntu 22.04.3 LTS (Jammy Jellyfish)
Rocky Linux 9.2 (...
0 votes · 0 answers · 18 views
AuditD - tuning out parent and children
I'm reading over the AuditD readmes and I see how you can use filters, but is there a way that you can tune out a parent and any activity they create, along with their child processes?
For example, I ...
0 votes · 1 answer · 88 views
auditd logs- /lib/ld-linux-x86-64.so.2 flooding logs
I am running auditd on a Debian 11 server with a very generic set of audit rules. The audit log is filled with entries like below. I'm not sure what they are - can anyone help identify these? I'm ...
2 votes · 1 answer · 297 views
Enabling command hashing in tcsh
It seems command hashing is disabled by default in our tcsh environment, and I'm not permitted to get it enabled across the board. Instead I'm looking to enable command hashing within individual ...
1 vote · 1 answer · 71 views
Force tcsh to check whether command exist in the path before attempting to execute it
I've noticed that tcsh, regardless of whether the "-f" flag is passed on the shebang line, will iterate through $PATH and try to execute the command from each path until the command is found. ...
1 vote · 1 answer · 218 views
How do I configure auditd to print the ppid name, not just the ppid?
OS is Debian. I have set up auditd to try and determine what is rebooting a system.
I have the following rule:
-a exit,always -F arch=b64 -S execve -F path=/bin/systemctl -k debug_test
Creating a ...
0 votes · 1 answer · 849 views
audit rule doesn't load via systemctl restart auditd
I was trying to see what was enabling ipv4 forwarding in file /proc/sys/net/ipv4/ip_forward (I've discovered that this was docker, but I'd still like to understand my auditd issue)
So I decided to ...
0 votes · 0 answers · 57 views
Find most common offender in audit.log
I have a situation where a clean install of RHEL 8.8, running auditd with a given /etc/audit/rules.d/audit.rules file, produces a /var/log/audit/audit.log that is greater than 4GB. This is ...
0 votes · 1 answer · 42 views
Users setup with misspelled name - CentOS 8
I have a user with a misspelled username on my CentOS 8 system which I thought I had corrected, but I have noticed the username is showing up in the audit log incorrectly.
The correct username is:
...
-1 votes · 1 answer · 103 views
I would like to audit an Ubuntu server to get a list of all files executed and all files read by the kernel
I want to be able to instrument and analyze a prebuilt server and get a list of every file read.
I would also like to determine which of those files were read by the kernel to execute a program, ...
1 vote · 2 answers · 606 views
Linux: How to find the ID of a user who ran a particular command using sudo [duplicate]
In a shared environment where multiple users have sudo accounts, I want to find out the underlying user ID (not the sudo account) of whoever invoked a particular script. Thanks.
I tried below but it does ...
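The two questions above ("Find most common offender in audit.log" and "find the id of a user who ran some particular command using sudo") are both answered by reading the SYSCALL records in audit.log. The script below is an added example, not code from either post or from the audit package: it counts records per rule key or executable to find what is flooding the log, and it lists the login uid (auid) behind a command run through sudo. The audit records are constructed for the example and trimmed to the fields that matter; the uids, paths and keys are illustrative.

```shell
#!/bin/sh
# Added example, not code from any of the posts above. Field values are
# constructed and illustrative; real records carry more fields.
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1001 auid=1000 uid=1000 gid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="privileged"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1001 pid=1002 auid=1000 uid=0 gid=0 euid=0 comm="systemctl" exe="/usr/bin/systemctl" key="debug_test"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="access"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="access"
type=SYSCALL msg=audit(1700000000.105:205): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="access"
type=SYSCALL msg=audit(1700000000.106:206): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=1001 uid=1001 gid=1001 euid=0 comm="sudo" exe="/usr/bin/sudo" key="privileged"
type=SYSCALL msg=audit(1700000000.107:207): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1001 uid=0 gid=0 euid=0 comm="systemctl" exe="/usr/bin/systemctl" key="debug_test"'

# top_by FIELD: read audit records on stdin and count SYSCALL records per
# value of FIELD (exe, key, syscall, auid, ...), most frequent first.
# Splitting on whitespace is safe: the kernel hex-encodes any value that
# contains a space or other special character, so fields never contain one.
top_by() {
    awk -v f="$1" '
        $1 == "type=SYSCALL" {
            for (i = 3; i <= NF; i++) {           # $2 is msg=audit(...), skip it
                eq = index($i, "=")
                if (substr($i, 1, eq - 1) == f) {
                    v = substr($i, eq + 1); gsub(/"/, "", v); count[v]++
                }
            }
        }
        END { for (v in count) print count[v], v }' | sort -rn
}

# top_offender FIELD: only the most frequent value of FIELD.
top_offender() {
    top_by "$1" | head -n 1 | awk '{ print $2 }'
}

# who_ran EXE: distinct login uids (auid) that executed EXE, first-seen order.
# uid=0 on these records only says the command ran as root; auid is the uid
# of the session's original login, survives sudo/su, and is what answers
# "which user ran this?". auid=4294967295 is the unset value (-1) carried by
# daemons started at boot rather than from a login, so it is skipped.
who_ran() {
    awk -v target="$1" '
        $1 == "type=SYSCALL" {
            a = ""; e = ""
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^auid=/) a = substr($i, 6)
                if ($i ~ /^exe=/)  { e = substr($i, 5); gsub(/"/, "", e) }
            }
            if (e == target && a != "4294967295" && !(a in seen)) { seen[a] = 1; print a }
        }'
}

# Demo on the constructed sample: which key floods the log, and who ran systemctl.
printf '%s\n' "$SAMPLE_LOG" | top_by key
printf '%s\n' "$SAMPLE_LOG" | who_ran /usr/bin/systemctl
```

On a live system the same answers come from the audit tools: `aureport -k` and `aureport -x` give per-key and per-executable counts, and `ausearch -x /usr/bin/systemctl -i` prints matching events with auid resolved to a username. Once the noisy key is known, the fix is to narrow or drop that rule in /etc/audit/rules.d rather than rotate a multi-gigabyte log.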
0 votes · 3 answers · 471 views
In Linux, how to find whether a file was read and at what time
Is there a tool or command where we can see if a file was read and at what time? I can only find the last modified time.
0 votes · 0 answers · 397 views
Audit Logging Discrepancy: Journald vs Rsyslog
After installing Debian 12 and rsyslog 8.2302 (for TLS remote syslog), I noticed that apparmor logs (or any audit logs) were not being sent remotely.
After reviewing the local system, journald DOES ...
1 vote · 0 answers · 37 views
Linux audit logs coming in with capitalized field names (SYSCALL, AUID) RHEL 7
I've never encountered this before, so I'm not even sure where to start. I'm installing a log parser on a system but for some reason all audit logs are coming in with the field names capitalized. So ...
1 vote · 1 answer · 346 views
audit does not record file events (but works for network events) in Fedora
I want to monitor access to a file using audit, and hence added the following rule
-w /home/test.txt -k monitoring-test
I reloaded the rules (sudo service auditd restart) and modified the file /home/...
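The file-watch question above and the earlier one ("how to find if a file was read and at what time") share one answer: a watch rule such as `-w /home/test.txt -p r -k monitoring-test` (the rule as posted has no `-p`, which means all of `rwxa`) makes the kernel emit one audit event per access, and each event is a group of records (SYSCALL, CWD, PATH) tied together by the serial number in `msg=audit(epoch:serial)`. The script below is an added example, not code from either post or from the audit package: it joins those records per event and reports when, by whom and with which program the watched file was read. The audit records are constructed for the example and trimmed to the fields that matter; uids, inodes and paths are illustrative.

```shell
#!/bin/sh
# Added example, not code from any of the posts above. The records are
# constructed and trimmed; a real event carries more fields and a PROCTITLE record.
SAMPLE_LOG='type=SYSCALL msg=audit(1700000100.500:301): arch=c000003e syscall=257 success=yes exit=3 ppid=1000 pid=1500 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="monitoring-test"
type=CWD msg=audit(1700000100.500:301): cwd="/home"
type=PATH msg=audit(1700000100.500:301): item=0 name="/home" inode=1024 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000100.500:301): item=1 name="test.txt" inode=2048 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000200.750:302): arch=c000003e syscall=257 success=yes exit=4 ppid=2000 pid=2500 auid=1001 uid=0 gid=0 euid=0 comm="less" exe="/usr/bin/less" key="monitoring-test"
type=CWD msg=audit(1700000200.750:302): cwd="/root"
type=PATH msg=audit(1700000200.750:302): item=0 name="/home/test.txt" inode=2048 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000300.000:303): arch=c000003e syscall=257 success=yes exit=3 ppid=2000 pid=2600 auid=1001 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="other-watch"
type=CWD msg=audit(1700000300.000:303): cwd="/root"
type=PATH msg=audit(1700000300.000:303): item=0 name="/etc/hostname" inode=4096 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL'

# file_reads KEY: read audit records on stdin and print, for every event
# tagged with KEY that resolved a file, one line:
#   serial epoch auid exe path
# The PATH record with nametype=NORMAL is the file itself (PARENT is its
# directory); a relative name is joined with the event's CWD record.
file_reads() {
    awk -v k="$1" '
        # value of a key=value field, surrounding quotes stripped
        function val(s,    p) { p = index(s, "="); s = substr(s, p + 1); gsub(/"/, "", s); return s }
        {
            # $2 looks like msg=audit(1700000100.500:301): -> epoch and serial
            match($2, /\([0-9.]+:[0-9]+\)/)
            split(substr($2, RSTART + 1, RLENGTH - 2), ev, ":")
            serial = ev[2]; ts[serial] = ev[1]
            if ($1 == "type=SYSCALL") {
                for (i = 3; i <= NF; i++) {
                    if ($i ~ /^auid=/) auid[serial] = val($i)
                    if ($i ~ /^exe=/)  exe[serial]  = val($i)
                    if ($i ~ /^key=/)  key[serial]  = val($i)
                }
            } else if ($1 == "type=CWD") {
                cwd[serial] = val($3)
            } else if ($1 == "type=PATH") {
                nm = ""; nt = ""
                for (i = 3; i <= NF; i++) {
                    if ($i ~ /^name=/)     nm = val($i)
                    if ($i ~ /^nametype=/) nt = val($i)
                }
                if (nt == "NORMAL") name[serial] = nm
            }
        }
        END {
            for (s in ts) {
                if (key[s] != k || !(s in name)) continue
                p = name[s]
                if (p !~ /^\// && s in cwd) p = cwd[s] "/" p
                print s, ts[s], auid[s], exe[s], p
            }
        }' | sort -n
}

# Demo on the constructed sample: reads of the watched file, oldest first.
printf '%s\n' "$SAMPLE_LOG" | file_reads monitoring-test
```

The epoch column is the event time; `date -d @1700000100` (GNU date) turns it into local time, and on a live system `ausearch -k monitoring-test -i` does that conversion and the auid-to-name lookup for you. File access times (`stat` atime) do not answer this question reliably: with the `relatime` or `noatime` mount options the kernel skips most atime updates, which is why an audit watch is the right tool. If the watch produces nothing at all, confirm the rule is loaded with `auditctl -l` and that `auditctl -s` does not report `enabled 0`.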