Questions tagged [audit]

2 votes, 0 answers, 154 views
My dmesg log is littered with the following kind of lines: [ +0.000009] audit: type=1400 audit(1745688898.020:223710): apparmor="ALLOWED" operation="getattr" class="file"...
einpoklum (11.1k)
4 votes, 1 answer, 488 views
I have a folder on my RHEL 9 server that gets deleted every few days, but I don’t know which process or user is responsible. I’d like to log all events related to this folder, particularly deletions. ...
executable
1 vote, 1 answer, 667 views
I'm torrenting with Transmission GTK. My dmesg log is being flooded by audit, and without knowing what good it is for (I do not even care much), I cannot use dmesg for other purposes. It floods so fast ...
Vlastimil Burián
0 votes, 0 answers, 387 views
EDIT: This may be the result of an issue with the Arch package. I am learning to use the Linux audit system. Right now I have several rulesets in the /etc/audit/rules.d directory. When I run ...
Ben Little
0 votes, 1 answer, 337 views
I am running auditd on a Debian 11 server with a very generic set of audit rules. The audit log is filled with entries like below. I'm not sure what they are - can anyone help identify these? I'm ...
user1309220
2 votes, 1 answer, 479 views
It seems command hashing is disabled by default in our tcsh environment, and I'm not permitted to get it enabled across the board. Instead I'm looking to enable command hashing within individual ...
Maikol (164)
1 vote, 1 answer, 209 views
I've noticed that tcsh, regardless of whether the "-f" flag is passed on the shebang line, will iterate through $PATH and try to execute the command from each path until the command is found. ...
Maikol (164)
1 vote, 1 answer, 679 views
OS is Debian. I have set up auditd to try and determine what is rebooting a system. I have the following rule: `-a exit,always -F arch=b64 -S execve -F path=/bin/systemctl -k debug_test`. Creating a ...
cat pants (167)
0 votes, 1 answer, 3k views
I was trying to see what was enabling IPv4 forwarding in the file /proc/sys/net/ipv4/ip_forward (I've discovered that this was Docker, but I'd still like to understand my auditd issue). So I decided to ...
wabbajack001
0 votes, 0 answers, 216 views
I have a situation where a clean install of RHEL 8.8 and having auditd running with a given /etc/audit/rules.d/audit.rules file produces a /var/log/audit/audit.log that is greater than 4GB. This is ...
ron (9,198)
0 votes, 1 answer, 86 views
I have a user with a misspelled username on my CentOS 8 system which I thought I had corrected, but I have noticed the username is showing up in the audit log incorrectly. The correct username is: ...
Ewan (1)
-2 votes, 1 answer, 223 views
I want to be able to instrument and analyze a prebuilt server and get a list of every file read. I would also like to determine which of those files were read by the kernel to execute a program, ...
kkron (105)
1 vote, 2 answers, 1k views
In a shared environment where multiple users have sudo accounts, I want to find out the underlying user ID (not the sudo account) details of who has invoked a particular script. Thanks. I tried the below but it does ...
AshwinD (11)
1 vote, 3 answers, 1k views
Is there a tool or command where we can see if a file was read and at what time? I could only find the last modified time.
kumar (221)
0 votes, 0 answers, 677 views
After installing Debian 12 and rsyslog 8.2302 (for TLS remote syslog), I noticed that AppArmor logs (or any audit logs) were not being sent remotely. After reviewing the local system, journald DOES ...