Questions tagged [linux-audit]
Content related to the Linux Audit framework (the kernel audit subsystem together with the auditd daemon and its auditctl, ausearch and aureport tools), the most widely used auditing facility in GNU/Linux distributions.
117 questions
0 votes, 0 answers, 68 views
The audisp-syslog process started by auditd when configured to send events to syslog does not log events. When it is killed and restarted, it works
The auditd system on an Oracle 8.10 Linux system is configured to start the audisp-syslog plugin to send audit events to syslog (rsyslog in this case) for onward processing. The following is the ...
0 votes, 0 answers, 111 views
audit rule syntax exclude dir wildcard
For RHEL-8.10 in /etc/auditd/rules.d/audit.rules I would like to exclude /home/*/.cache/mozilla. The system has 100+ users in /etc/passwd so I do not want to do 100+ audit rule lines with a -a exit,...
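auditctl accepts no wildcards in `-w` or `-F dir=`, so `/home/*/.cache/mozilla` cannot be written as one rule; the glob has to be expanded before the rules are loaded. The following is an added example for the question above, not code from that post or from the audit project: it reads a passwd-format file, emits one `never` rule per account, and appends the broad `/home` watch after them. The rule key `home-files`, the UID cut-off of 1000 and the sample passwd entries are assumptions for illustration.

```python
"""Expand /home/*/.cache/mozilla into one auditd "never" rule per user.

Added example; not code from the question or from the audit project.
"""
import os

# Constructed sample in /etc/passwd format; not taken from the original page.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    "nobody:x:65534:65534:Nobody:/:/sbin/nologin",
    "bob:x:1001:1001:Bob:/home/bob:/bin/sh",
    "svc:x:999:999:service account:/home/svc:/sbin/nologin",
]


def home_dirs(passwd_lines, min_uid=1000, prefix="/home/"):
    """Yield (user, home) for accounts with UID >= min_uid and a home under prefix."""
    for line in passwd_lines:
        fields = line.strip().split(":")
        if len(fields) < 7:          # blank or malformed line
            continue
        name, uid, home = fields[0], fields[2], fields[5]
        if not uid.isdigit():
            continue
        if int(uid) >= min_uid and home.startswith(prefix):
            yield name, home


def exclusion_rules(passwd_lines, subdir=".cache/mozilla", key="home-files",
                    exists=os.path.isdir):
    """Return rules.d lines: one never rule per existing ~/subdir, then the broad watch.

    A never rule only suppresses events when it is listed *before* the always
    rule it shadows, so both go in the same file in this order. Directories
    that do not exist are skipped: the kernel rejects -F dir= on a missing
    path and auditctl -R stops at the first failing line.
    """
    rules = [f"## per-user exclusion of {subdir}; keep these above the /home watch"]
    for user, home in home_dirs(passwd_lines):
        target = f"{home}/{subdir}"
        if exists(target):
            rules.append(f"-a never,exit -F dir={target}")
        else:
            rules.append(f"## skipped {user}: {target} does not exist yet")
    rules.append(f"-w /home -p wa -k {key}")
    return rules


def never_rules(rules):
    """Just the suppression lines, for checking what was generated."""
    return [r for r in rules if r.startswith("-a never,exit")]


if __name__ == "__main__":
    # Pretend every directory exists so the sample shows all rules. On a real
    # host run exclusion_rules(open("/etc/passwd")), write the result to a file
    # under /etc/audit/rules.d (assumed name: 10-home-mozilla.rules) and run
    # augenrules --load, then confirm with auditctl -l.
    print("\n".join(exclusion_rules(SAMPLE_PASSWD, exists=lambda p: True)))
```

Because `-F dir=` only loads for a directory that already exists, the generator has to be re-run (for example from cron or a login hook) after new users first start Firefox, otherwise their cache directory is not excluded.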
0 votes, 0 answers, 86 views
SELinux Blocking Actions in AuditD Plugin – How to Resolve Without Switching to Permissive Mode?
Problem:
I'm facing an issue where SELinux is blocking certain actions of my application, which runs as a plugin for auditd. I've been trying to generate the necessary SELinux policy using audit2allow,...
2 votes, 1 answer, 240 views
How to know what sends a broadcast packet on port 8765
While looking at the traffic on Wireshark, I noticed my computer was sending a UDP packet every three seconds on the broadcast address to the port 8765, with the content "*" (42 in ASCII). ...
0 votes, 0 answers, 335 views
How can I get `auditctl` to provide error information?
EDIT
This may be the result of an issue with the Arch package.
I am learning to use the linux audit system. Right now I have several rulesets in the /etc/audit/rules.d directory.
When I run
...
0 votes, 0 answers, 174 views
Monitoring start and stop processes
I'm trying to monitor the start and stop of processes on a server with auditd, using the following rule
-w /usr/bin/ -p x -k T1569.002
However, when raising an event to generate the log and searching ...
3 votes, 1 answer, 787 views
Selinux seems to be blocking but no denied message appearing in audit log
I have a script executed by a Java app with testmod_t context. This script does
chage -M -1 user
to set a user to no expiry. However, when SELinux is enforcing, the command does not seem to do ...
1 vote, 1 answer, 277 views
Why does augenrules refuse to run even when sudo is used?
I have Amazon Linux 2023 running in a Docker container and I would like to be able to load some custom audit rules into the kernel and ensure they are persisted when the container restarts. I have ...
0 votes, 1 answer, 269 views
Audit service does not audit commands
OS: SLES 15, audit service enabled
When I issue any command (for example, date or ls), I expect it to be logged in audit.log, something like this:
type=SYSCALL msg=audit...
type=EXECVE msg=audit(...
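Two of the questions above (the `/usr/bin` watch meant to catch process start and stop, and the SLES 15 host where `date` and `ls` produce no records) come down to the same point: the SYSCALL and EXECVE records shown are produced by a syscall rule, not by a path watch, and auditd with no rules loaded records nothing even though the service is running. A `-w ... -p x` watch only fires for executables under that one directory, and a process ending is not an execve at all. The fragment below is an added example written for this page, not from either post; the file name and the keys are chosen for illustration.

```text
## /etc/audit/rules.d/50-process.rules (added example; load with: augenrules --load)

## Record every execve/execveat, whatever path the binary lives at.
## Both ABIs are needed on x86_64: a 32-bit binary enters through the b32
## list and would otherwise be missed.
-a always,exit -F arch=b64 -S execve,execveat -k process-start
-a always,exit -F arch=b32 -S execve,execveat -k process-start

## "Process stop" is not an execve; a process that ends calls exit_group.
## This is very noisy on a busy host, so scope it, here to one login user
## (auid 1000 is an assumed value).
-a always,exit -F arch=b64 -S exit_group -F auid=1000 -k process-stop
-a always,exit -F arch=b32 -S exit_group -F auid=1000 -k process-stop
```

After loading, `auditctl -l` must list these lines (if it prints "No rules", nothing will be recorded), and `ausearch -i -k process-start` then shows one SYSCALL record per execution followed by its EXECVE record with the argument vector.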
4 votes, 1 answer, 544 views
SELinux does not log denial
SELinux does not allow auditd to start the process (named myplagin) and does not log the reason in the /var/log/audit/audit.log. The only mention of the denial I found in the /var/log/messages: ...
0 votes, 1 answer, 517 views
Audit log configuration solution
I have a RHEL server in which I have configured an audit rule to log a specific event. I wanted to forward those logs to a remote syslog server. I couldn't find a way to forward those specific logs so ...
0 votes, 0 answers, 204 views
Find most common offender in audit.log
I have a situation where a clean install of RHEL 8.8 and having auditd running with a given /etc/audit/rules.d/audit.rules file produces a /var/log/audit/audit.log that is greater than 4GB. This is ...
2 votes, 0 answers, 140 views
SOCKET auditd hex value meaning
I have the following log messages from auditd. They appear to log calls to socket.
type=SYSCALL msg=audit(05/11/2023 23:19:52.913:2533) :
arch=x86_64 syscall=socket success=yes exit=9
a0=inet a1=...
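The two questions above, the 4 GB audit.log that needs its most common offender found and the socket records whose a0/a1/a2 values need decoding, are both answered by parsing the raw records. The following is an added example covering both, not code from either post or from the audit project (`aureport -k --summary` and `ausearch -i` are the native tools for the same jobs). The log lines are constructed, and the numeric tables hold the x86_64 Linux values (arch=c000003e, `socket` is syscall 41); other architectures use different numbers. In raw logs the arguments are bare hex without a 0x prefix; `ausearch -i` is what turns them into names such as `a0=inet`.

```python
"""Parse raw auditd SYSCALL records, rank the noisiest key/exe pairs and
decode the hex arguments of socket(2). Added example, not from the page.
"""
import re
from collections import Counter

# Constructed raw /var/log/audit/audit.log lines (not interpreted); not from the page.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1683846592.913:2533): arch=c000003e syscall=41 success=yes exit=9 a0=2 a1=80801 a2=0 a3=0 items=0 ppid=1 pid=1234 auid=1000 uid=1000 euid=1000 comm="curl" exe="/usr/bin/curl" key="net"
type=SYSCALL msg=audit(1683846593.001:2534): arch=c000003e syscall=41 success=yes exit=3 a0=a a1=2 a2=11 a3=0 items=0 ppid=1 pid=1235 auid=1000 uid=1000 euid=1000 comm="dig" exe="/usr/bin/dig" key="net"
type=SYSCALL msg=audit(1683846593.120:2535): arch=c000003e syscall=41 success=yes exit=4 a0=10 a1=3 a2=0 a3=0 items=0 ppid=1 pid=1236 auid=4294967295 uid=0 euid=0 comm="systemd" exe="/usr/lib/systemd/systemd" key="net"
type=SYSCALL msg=audit(1683846593.200:2536): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=55d0c8a1 a2=80000 a3=0 items=1 ppid=1 pid=1237 auid=1000 uid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="home-files"
type=SYSCALL msg=audit(1683846593.250:2537): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=55d0c8b2 a2=0 a3=0 items=1 ppid=1 pid=1238 auid=1000 uid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="home-files"
type=PATH msg=audit(1683846593.250:2537): item=0 name="/home/test.txt" inode=1234 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

# x86_64 Linux constants (from the C headers); a1 is the type OR-ed with flags.
AF_NAMES = {1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6", 16: "AF_NETLINK", 17: "AF_PACKET"}
SOCK_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW", 5: "SOCK_SEQPACKET"}
SOCK_FLAGS = {0x800: "SOCK_NONBLOCK", 0x80000: "SOCK_CLOEXEC"}
IP_PROTOS = {0: "IPPROTO_IP", 1: "IPPROTO_ICMP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    rec = {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(rec.get("msg", ""))
    if m:  # the event serial is what ties a SYSCALL record to its PATH records
        rec["_time"], rec["_serial"] = m.group(1), int(m.group(2))
    return rec


def parse_log(lines):
    """Parse an iterable of lines; pass a file object to stream a multi-GB log."""
    return [parse_record(line) for line in lines if line.strip()]


def count_by(records, *fields):
    """Counter of SYSCALL records grouped by the given field(s), e.g. key or (key, exe)."""
    counts = Counter()
    for rec in records:
        if rec.get("type") != "SYSCALL":
            continue
        vals = tuple(rec.get(f, "?") for f in fields)
        counts[vals[0] if len(fields) == 1 else vals] += 1
    return counts


def decode_socket_args(rec):
    """Render socket(domain, type|flags, protocol) for an x86_64 socket(2) record."""
    if rec.get("arch") != "c000003e" or rec.get("syscall") != "41":
        return None
    a0, a1, a2 = (int(rec[a], 16) for a in ("a0", "a1", "a2"))
    domain = AF_NAMES.get(a0, f"AF_{a0}")
    parts = [SOCK_TYPES.get(a1 & 0xF, f"TYPE_{a1 & 0xF}")]
    parts += [name for bit, name in SOCK_FLAGS.items() if a1 & bit]
    # protocol numbers are only IP protocols for the inet families
    proto = IP_PROTOS.get(a2, str(a2)) if a0 in (2, 10) else str(a2)
    return f"socket({domain}, {'|'.join(parts)}, {proto}) = {rec.get('exit')}"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG.splitlines())
    for (key, exe), n in count_by(recs, "key", "exe").most_common(3):
        print(f"{n:6d}  key={key}  exe={exe}")
    for rec in recs:
        decoded = decode_socket_args(rec)
        if decoded:
            print(f"{rec['_serial']}: {rec['comm']} -> {decoded}")
```

For the oversized log, `count_by(parse_log(open("/var/log/audit/audit.log")), "key", "exe")` names the rule and executable pair to tune first; the typical fix is a `never` rule placed above the noisy one, or narrowing the rule with `-F auid`, `-F exe` or `-F dir`.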
1 vote, 1 answer, 621 views
audit does not record file events (but works for network events) in fedora
I want to monitor access to a file using audit, and hence added the following rule
-w /home/test.txt -k monitoring-test
I reloaded the rules (sudo service auditd restart) and modified the file /home/...
1 vote, 0 answers, 555 views
RHEL 9.1 - SELinux is preventing /usr/local/bin/php from read access on the file /web/inc/init_db.inc.php
I want to solve this problem that SELinux says.
SELinux is preventing /usr/local/bin/php from read access on the file /web/inc/init_db.inc.php.
Output from the console is:
[root@rhel ~]# ausearch -c 'php'...