Questions tagged [auditd]

auditd is the userspace component to the Linux Auditing System.

The auditd subsystem was developed by Steve Grubb and is used to write out audit records, which are generally generated within kernel space. It allows monitoring and logging of events such as arbitrary system calls or filesystem access. The user-space portion is also used as the logging engine for SELinux and pam_tty_audit.

151 questions
2 votes, 2 answers

Problems with auditd rules files

I have a problem generating auditd rules on CentOS 7. I have 2 .rules files in my /etc/audit/rules.d/ directory. Both files are owned by root and only root has access. When I reload the rules using augenrules --load then run auditctl -l it says No…
fitzplb
2 votes, 0 answers

How do I audit cgroup changes

I have a container process that is mysteriously changing cgroups long after it has been started. How do I track down who/what is changing it? I tried watching my audit log when manually doing a cgclassify command to switch my process and nothing got…
2 votes, 2 answers

What's stopping auditd from logging writes by Syslog when watching a Syslog file?

We've recently started using auditd on one of our Ubuntu servers. The example audit.rules file we were given has a rule like this: -w /var/log/syslog -p wra -k logs However, when syslog writes to the file, nothing gets logged by auditd. Similarly,…
simoesf
2 votes, 0 answers

Linux Auditd tracking writes on external media

So I've been looking at ways to audit when a form of external media performs writes/uploads on a Linux system. Currently the main solution I have come across is to simply audit when the mount and unmount syscalls occur, as tracking writes may…
2 votes, 3 answers

What is the syslog facility for auditd logs?

Trying to forward only my auditd events by syslog, but I don't know which facility to use. I don't want to send everything to my syslog server as it would create redundancy in logging. I've set the audispd syslog plugin to active and from what I…
ThunderJack
2 votes, 2 answers

How to tell if auditd has suspended logging?

If you put the following in your auditd.conf, auditd will suspend logging when you have 50MB or less space on your disk: admin_space_left = 50 admin_space_left_action = SUSPEND How can an external program, e.g. a monit check, know if auditd has…
2rs2ts
2 votes, 1 answer

How to enable syscall auditing in CoreOS?

Since CoreOS 766, the auditing subsystem is partially integrated: The audit subsystem has been enabled in the kernel and auditctl added to the image. Most audit events are ignored by default. The audit rules may be modified in…
0x90
2 votes, 1 answer

How to log execution of a specific binary/script using auditd or other

I have the following situation in hand. I have one or more specific executable files in /usr/bin, I will call one /usr/bin/execute, and they may either be a compiled binary or a script file, such as a perl or python script. I would like to log…
2 votes, 1 answer

Why is audispd dropping events? What is in the queue?

My audispd keeps logging lots of queue full errors. Jun 9 08:46:29 web audispd: queue is full - dropping event I'd like to understand better why the queue is filling up and whether there is a better way to resolve the problem than continually…
Max Allan
2 votes, 2 answers

auditd process stops logging after logrotate script runs

I am trying to use logrotate to keep audit logs for a set period of time rather than using auditd's special rotation (from /etc/audit/auditd.conf). I have changed the max_log_file_action to IGNORE in that file. The following is my logrotate…
Linux2012
2 votes, 1 answer

log bash command centralized server or any auditd saas

I'm looking for a way to track our sysadmin work in the servers. Let's say sysadmin 1 and sysadmin 2 have access to any server, but we need to make sure and track anything that they do in our server. Something like: server 1 ---- auditd or…
Adam Ramadhan
2 votes, 1 answer

Sudden new S11auditd in /etc/rc3.d

We have several machines running under Fedora 12. We have to deal with complete reinstallation quite often as our product comes with the whole distribution. I've noticed that sometimes soon after new installation a /etc/rc3.d/S11auditd becomes couple…
akalenuk
2 votes, 2 answers

How to figure out which processes are deleting files from a specific directory?

I'm trying to figure out which processes are deleting files from a specific directory, so I want to set up and run auditd on my system. I've set up the following rule in audit.rules: -w S unlink -S truncate -S ftruncate -a exit,always -k…
Tola Odejayi
2 votes, 1 answer

difference between success and failed event in auditd/aureport

The aureport command has two options that limit the list of displayed events to those that were successful and those that failed. Per the man page: --failed Only select failed events for processing in the reports. The default is both…
2 votes, 2 answers

Auditing changes to the audit log

I have configured auditd for PCI compliance reasons. PCI states that existing logs cannot be changed without generating an alert. This article http://ptresearch.blogspot.com/2010/11/requirement-10-track-and-monitor-all.html recommends doing this: -w…
user185704