
Questions tagged [linux-audit]

Content related to the Linux Audit standard which is the most popular auditing tool used in GNU/Linux distributions.

1 vote
0 answers
16 views

The goal is to use Linux's auditd to capture file copies from a folder to which a USB disk is auto-mounted, in RHEL-8.10. Normally the USB disk is not mounted; I want to hot plug in the USB disk in ...
ron • 9,198
0 votes
0 answers
105 views

The auditd system on an Oracle Linux 8.10 system is configured to start the audisp-syslog plugin to send audit events to syslog (rsyslog in this case) for onward processing. The following is the ...
JohnM • 1
0 votes
0 answers
145 views

For RHEL-8.10 in /etc/auditd/rules.d/audit.rules I would like to exclude /home/*/.cache/mozilla. The system has 100+ users in /etc/passwd so I do not want to do 100+ audit rule lines with a -a exit,...
ron • 9,198
0 votes
0 answers
108 views

Problem: I'm facing an issue where SELinux is blocking certain actions of my application, which runs as a plugin for auditd. I've been trying to generate the necessary SELinux policy using audit2allow,...
RSVN • 1
2 votes
1 answer
269 views

While looking at the traffic on Wireshark, I noticed my computer was sending a UDP packet every three seconds on the broadcast address to the port 8765, with the content "*" (42 in ASCII). ...
Hugal31 • 225
0 votes
0 answers
387 views

EDIT: This may be the result of an issue with the Arch package. I am learning to use the Linux audit system. Right now I have several rulesets in the /etc/audit/rules.d directory. When I run ...
Ben Little
0 votes
0 answers
192 views

I'm trying to monitor the start and stop of processes on a server with auditd, using the following rule: -w /usr/bin/ -p x -k T1569.002. However, when raising an event to generate the log and searching ...
David Pérez
3 votes
1 answer
948 views

I have a script executed by a Java app with testmod_t context. This script does chage -M -1 user to set a user to no expiry. However, when SELinux is enforcing, the command does not seem to do ...
neffect • 31
1 vote
1 answer
334 views

I have Amazon Linux 2023 running in a Docker container and I would like to be able to load some custom audit rules into the kernel and ensure they are persisted when the container restarts. I have ...
word4q • 13
0 votes
1 answer
301 views

OS: SLES 15, audit service enabled. When I issue any command (for example, date or ls), I expect it to be logged in audit.log, something like this: type=SYSCALL msg=audit... type=EXECVE msg=audit(...
ibse • 371
4 votes
1 answer
597 views

SELinux does not allow auditd to start the process (named myplagin) and does not log the reason in the /var/log/audit/audit.log. The only mention of the denial I found in the /var/log/messages: ...
ibse • 371
0 votes
1 answer
560 views

I have a RHEL server in which I have configured an audit rule to log a specific event. I wanted to forward those logs to a remote syslog server. I couldn't find a way to forward those specific logs so ...
Prateek Bansal
0 votes
0 answers
216 views

I have a situation where a clean install of RHEL 8.8 and having auditd running with a given /etc/audit/rules.d/audit.rules file produces a /var/log/audit/audit.log that is greater than 4GB. This is ...
ron • 9,198
2 votes
0 answers
153 views

I have the following log messages from auditd. They appear to log calls to socket. type=SYSCALL msg=audit(05/11/2023 23:19:52.913:2533) : arch=x86_64 syscall=socket success=yes exit=9 a0=inet a1=...
Joel Olsteen
1 vote
1 answer
655 views

I want to monitor access to a file using audit, and hence added the following rule: -w /home/test.txt -k monitoring-test. I reloaded the rules (sudo service auditd restart) and modified the file /home/...
black • 113
