Questions tagged [auditd]

auditd is the userspace component to the Linux Auditing System.

The auditd subsystem was developed by Steve Grubb and is used to write out audit records, which are generally generated within kernel space. It allows monitoring and logging of things such as arbitrary system calls or filesystem access. The user space portion is also used as the logging engine for SELinux and pam_tty_audit.

151 questions
13 votes, 6 answers

Files disappearing on linux server

I've got 4 specific files that seem to keep disappearing from a user's home directory. As far as we know, there are no cronjobs or other automated tasks that would be removing them. I've set up auditd on them but the logs aren't really showing…
Chad P
10 votes, 2 answers

Is there a way to know why a service is restarted and who did it?

Ubuntu 14.04, clamav 0.98.7. The problem is clamav-daemon is restarted nearly daily: Sep 1 06:30:00 x-master clamd[6778]: Pid file removed. clamd[6778]: --- Stopped at Tue Sep 1 06:30:00 2015 clamd[5979]: clamd daemon 0.98.7 (OS: linux-gnu, ARCH:…
quanta
10 votes, 6 answers

How to find out PID of the process sending packets (generating network traffic)?

A couple of weeks ago I had an issue where I changed DNS addresses in a large network of around 300 nodes. After that, some of the nodes still continued to ask the old DNS servers, although resolv.conf was ok, and host/nslookup were querying the new DNS…
Jakov Sosic
9 votes, 4 answers

File audit in Linux: how to watch directory tree for deletions?

I have a forum script running on a server and somehow a small number of attachments began to get lost. I want to find out what is deleting them and at what time. How can I set up Linux auditd (auditctl) to watch a directory tree (attachments are stored…
Vladislav Rastrusny
7 votes, 2 answers

auditd execve arguments that look like encoded data

I'm logging all execves in a sort of honeypot box and as such I try to make sense of the commands. There are many, many of these, all with 'bash -c' and some long alphanumeric value not enclosed in double quotes. How can I understand what I'm…
3molo
6 votes, 2 answers

What does auditd log by default (i.e. when no rules are defined)?

I installed auditd and audispd-plugins on my Debian Jessie machine and didn't touch any configuration. I see events being written to /var/log/audit/audit.log, for example: type=LOGIN msg=audit(1462384141.770:838): pid=3662 uid=0 old-auid=4294967295…
2rs2ts
6 votes, 1 answer

How to find out what's creating temporary files

I notice a lot of empty files in /tmp with names similar to "/tmp/tmp.tMIHx17730". I ran an audit rule and found out that mktemp is creating them, which is not too helpful. How do I find out which script calls mktemp to create these files? Can I capture…
NickSoft
6 votes, 3 answers

CentOS 6.5 auditd fails to start with service or /etc/init.d/audit start

Fail: # service auditd start Starting auditd: [FAILED] Fail: # /etc/init.d/auditd start Starting auditd: [FAILED] And frustratingly - works: # bash…
Jepper
6 votes, 1 answer

Suggestion for auditd set-up

I am trying to learn about securing a Linux box (I am using Ubuntu). Auditd is recommended for monitoring activities on the node. I have managed to install it, but I can't find much information about proper set-up to secure my node. How should I…
Jérôme Verstrynge
5 votes, 1 answer

What's the difference between auid, uid, euid, suid, fsuid, obj_uid, gid, egid, sgid, fsgid, obj_gid in `auditctl`?

My server is CentOS 7.6 with auditd 2.8.5. In the audit rule, I set: -a always,exit -F arch=b32 -S adjtimex,settimeofday -F key=time-change But this rule also records normal ntpd activities, then I tried to revise this rule to: -a always,exit -F…
kittygirl
5 votes, 2 answers

Getting auditd to record the original user

This question is related to my previous question: Log all commands run by admins on production servers It is company policy for admins to login to the servers via a personal username, and then run sudo -i to become root. Upon running sudo -i, sudo…
Soviero
5 votes, 1 answer

pam_tty_audit and non privileged users

I'm working on a CentOS 6.3 box and am trying to log all commands executed from a bash shell and came across pam_tty_audit. I've added the appropriate line to my /etc/pam.d/system-auth file: session required pam_tty_audit.so enable=* The…
Jeff
4 votes, 2 answers

Reducing the verbosity of auditd, my minimal rules catch stuff they should not (apparmor)

My auditd rules and my needs are fairly simple, I want only to log root actions. # auditctl -l -a always,exit -S all -F euid=0 -F perm=x -F key=ROOT_ACTION That is the only rule, and it works: type=SYSCALL msg=audit(1550318220.514:11479):…
Nanzikambe
4 votes, 1 answer

View auditd logs in journalctl

I'm using CentOS 7, trying to view auditd logs in journalctl. When I try journalctl -u auditd I see the following output: -- Logs begin at Wed 2018-09-05 08:59:19 EDT, end at Wed 2018-09-19 15:01:01 EDT. -- Sep 05 12:59:25 centos7 systemd[1]:…
kenlukas
4 votes, 2 answers

How to log all commands run on Linux including their arguments (parameters)?

How can I log all commands executed on Linux, including their command-line arguments (parameters)? So, for example, if someone runs: rm -rf /tmp/foo I would see a log entry similar to this: 2016-01-01 18:00:00 user=bob command='rm -rf…
Neil