Debian Configuration :: Unable To Create Stat Exclude Rule For Auditd
Apr 25, 2016
I'm trying to configure auditd to monitor "strange" events with the apache2 webserver on Wheezy (though the same problem occurs on Jessie); I tried both with the "vanilla" 3.2 kernel and the backports 3.16 kernel I am actually using.
Here are the auditd rules I have a problem with:
Code:
-a exit,never -F arch=b64 -S stat -F path=/var/www/server-status -k web
-a exit,always -F arch=b64 -S stat -F uid=www-data -F success=0 -k web
So to recap, I want to log stat syscall failures for the www-data user, but exclude some "known" issues, such as "/var/www/server-status" (after a2enmod status, the /server-status path can be accessed for statistics, though apache2 still tries to find a physical file for that path and fails).
But the problem is: excluding does not work.
Here's the "auditctl -l" output:
Code:
# auditctl -l
LIST_RULES: exit,never arch=3221225534 (0xc000003e) watch=/var/www/server-status key=web syscall=stat
LIST_RULES: exit,always arch=3221225534 (0xc000003e) uid=33 (0x21) success=0 key=web syscall=stat
But when I execute:
Code:
# wget -O - http://localhost/server-status
this appears in audit.log:
Code:
type=SYSCALL msg=audit(1461591557.077:365): arch=c000003e syscall=4 success=no exit=-2 a0=7f1bedab9358 a1=7ffef316ac20 a2=7ffef316ac20 a3=7f1bedab91f8 items=1 ppid=2398 pid=2451 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" key="web"
type=CWD msg=audit(1461591557.077:365): cwd="/"
type=PATH msg=audit(1461591557.077:365): item=0 name="/var/www/server-status" nametype=UNKNOWN
type=UNKNOWN[1327] msg=audit(1461591557.077:365): proctitle=2F7573722F7362696E2F61706163686532002D6B007374617274
So, syscall=4 (stat) is still captured. It looks like the "path" is known to auditd, but not excluded.
I've tried various rule combinations, for example a simpler, more generic one:
Code:
-a exit,never -F path=/var/www/server-status
But it's the same.
Sadly, man audit.rules and man auditctl do not have "exit,never" examples, only some (sometimes also similarly unsuccessful) Google results.
Could it be that the Debian kernel does not support some audit features?
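Added example, not part of the post above and not auditd's own code: a small Python parser that groups the posted audit.log records into events by serial, decodes the hex proctitle, maps the syscall number through an x86_64-only table (the same number means something else on i386, which is why the arch field is checked first), and applies the "known noise" exclusion in post-processing rather than in the kernel rule. The reason to do it there is visible in the posted output: auditctl -l stores the `-F path=` rule as a watch, and a watch matches on the inode a name resolved to, while the PATH record for the failed stat carries nametype=UNKNOWN and no inode, so the kernel-side exclude has nothing to match. The second event (serial 366) and the path /var/www/old/index.php are constructed for the example; the arch and syscall tables cover only the few values needed here.

```python
"""Group auditd records into events and filter known-noise failed lookups.

Added example for the post above; not code from the post or from auditd.
"""
import re
from collections import OrderedDict

# Constructed sample. Event 365 is the one quoted in the post; event 366 is a
# constructed second failed stat on a different nonexistent path, added so
# the exclusion filter has something to keep.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1461591557.077:365): arch=c000003e syscall=4 success=no exit=-2 a0=7f1bedab9358 a1=7ffef316ac20 a2=7ffef316ac20 a3=7f1bedab91f8 items=1 ppid=2398 pid=2451 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" key="web"
type=CWD msg=audit(1461591557.077:365): cwd="/"
type=PATH msg=audit(1461591557.077:365): item=0 name="/var/www/server-status" nametype=UNKNOWN
type=UNKNOWN[1327] msg=audit(1461591557.077:365): proctitle=2F7573722F7362696E2F61706163686532002D6B007374617274
type=SYSCALL msg=audit(1461591601.412:366): arch=c000003e syscall=4 success=no exit=-2 a0=7f1bedab9400 a1=7ffef316ac20 a2=7ffef316ac20 a3=7f1bedab91f8 items=1 ppid=2398 pid=2451 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" key="web"
type=CWD msg=audit(1461591601.412:366): cwd="/"
type=PATH msg=audit(1461591601.412:366): item=0 name="/var/www/old/index.php" nametype=UNKNOWN
type=UNKNOWN[1327] msg=audit(1461591601.412:366): proctitle=2F7573722F7362696E2F61706163686532002D6B007374617274
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): ?(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

# AUDIT_ARCH_* values as printed in the arch= field (hex, no 0x prefix).
ARCH_NAMES = {"c000003e": "x86_64", "40000003": "i386"}
# Partial x86_64 syscall table: only numbers relevant to file-lookup auditing.
X86_64_SYSCALLS = {2: "open", 4: "stat", 6: "lstat", 257: "openat", 262: "newfstatat"}
# Record type 1327 is AUDIT_PROCTITLE; the older auditd in Wheezy prints it as UNKNOWN[1327].
PROCTITLE_TYPES = ("PROCTITLE", "UNKNOWN[1327]")


def parse_fields(body):
    """Split 'k=v k="quoted v"' into a dict, stripping the quotes."""
    fields = {}
    for key, raw in FIELD_RE.findall(body):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def group_by_event(log_text):
    """Collect records under their serial; one syscall event = one serial."""
    events = OrderedDict()
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an audit record (blank line, ausearch separator, ...)
        rec = parse_fields(m.group("body"))
        rec["_type"] = m.group("type")
        events.setdefault(int(m.group("serial")), []).append(rec)
    return events


def decode_proctitle(value):
    """proctitle is hex when argv contained NULs (the separators); else plain text."""
    try:
        return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")
    except ValueError:
        return value


def summarize(serial, records):
    """Fold the records sharing one serial into a single event dict."""
    syscall = next((r for r in records if r["_type"] == "SYSCALL"), None)
    if syscall is None:
        return None
    arch = ARCH_NAMES.get(syscall.get("arch", "").lower(), syscall.get("arch", ""))
    nr = int(syscall["syscall"])
    # Syscall numbers are per-architecture (4 is stat on x86_64 but write on
    # i386), so translate only when the record's arch matches the table.
    name = X86_64_SYSCALLS.get(nr, str(nr)) if arch == "x86_64" else str(nr)
    paths = [(r.get("name", ""), r.get("nametype", ""))
             for r in records if r["_type"] == "PATH"]
    proctitle = ""
    for r in records:
        if r["_type"] in PROCTITLE_TYPES and "proctitle" in r:
            proctitle = decode_proctitle(r["proctitle"])
    return {
        "serial": serial,
        "arch": arch,
        "syscall": name,
        "success": syscall.get("success") == "yes",
        "exit": int(syscall.get("exit", "0")),
        "uid": int(syscall.get("uid", "-1")),
        "comm": syscall.get("comm", ""),
        "key": syscall.get("key", ""),
        "paths": paths,
        # nametype=UNKNOWN: the kernel recorded the name but never resolved an inode.
        "unresolved_paths": [n for n, t in paths if t == "UNKNOWN"],
        "proctitle": proctitle,
    }


def analyze(log_text, known_noise=frozenset()):
    """One event per serial, minus failed lookups whose every path is known noise.

    The exclusion lives here because a kernel path/watch rule compares inodes,
    and a lookup that failed (nametype=UNKNOWN) never produced one to compare.
    """
    events = []
    for serial, records in group_by_event(log_text).items():
        ev = summarize(serial, records)
        if ev is None:
            continue
        names = [n for n, _ in ev["paths"]]
        if not ev["success"] and names and all(n in known_noise for n in names):
            continue
        events.append(ev)
    return events


if __name__ == "__main__":
    for ev in analyze(SAMPLE_LOG, known_noise={"/var/www/server-status"}):
        print(ev["serial"], ev["syscall"], ev["exit"], ev["paths"], ev["proctitle"])
```

With known_noise set to the server-status path, only the constructed event 366 survives, which is the behaviour the posted rule pair was meant to produce. The same filter can live in whatever consumes audit.log downstream; the part that cannot be expressed is a kernel-side exclude keyed on a name the kernel never resolved.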
May 24, 2011
I have successfully created an ISO of my current running system using live-build with the --bootstrap copy option. As expected, the image is gigantic. I would like to be able to use live-build to create copy-of-host ISOs, but with specific options to -exclude specific pathways (i.e. music folders, picture folders etc). Is there a way to do this? I did run a configuration and build using an option similar to that found in tar (something like -exclude=/home/user/music) and it ran through without any apparent errors; however, there was not any ISO image to be found.
Nov 16, 2010
There is a firewall server which runs on Debian, and then there's a Windows 2003 file server. On this machine an SQL server runs as well. Let's say it listens on port 1000. From other Windows machines I want to connect to this SQL server, which holds the library database for users. But the connection can't be made. A possible error is that the firewall Debian machine won't let the packets through. So how do I add a rule into iptables (what file to open and edit?) so that all local connections to the server, let's say which is 192.168.0.2, with the firewall machine being 192.168.0.1, go through! So the connections allowed would be 192.168.0.3-255. How is it safe to do and how will it look? The SQL server uses a TCP/IP connection. Here's what I found on the web; I think this may be the right rule, but how do I modify it correctly?
iptables -A INPUT -p tcp -s 0/0 --sport 1000 -d 192.168.0.2 --dport .........? -m state --state NEW,ESTABLISHED -j ACCEPT
Sep 17, 2015
I'm trying to install a driver for some PCI device but I have problems with it; when I run it, it gives me an error:
Code:
make: Entering directory `/lib/modules/2.6.32-5-686/build'
make: *** No rule to make target `modules'. Stop.
make: Leaving directory `/lib/modules/2.6.32-5-686/build'
I've tried to find a solution on the internet but had no success; usually they say that the problem is that people forget to download kernel-headers and kernel-sources, or unpack kernel-sources, or make the symlink usr/src/linux, but I've done it all and the result is the same. I think the root of the problem is that the `/lib/modules/2.6.32-5-686/build' folder is empty, but this RULE has to be there, so what do I have to do to have it there? My system is Debian 6.0.10 Squeeze, kernel 2.6.32-5-686.
Apr 19, 2011
I have a trayless SATA hotswap bay that is really terrific for quickly attaching and removing SATA hard drives. I'm trying to write a udev rule to create a symbolic link to the device node for the drive that is attached through the hotswap bay (/dev/bay -> /dev/sdX). This eliminates any ambiguity when performing destructive tasks (fdisk, etc). I'm running squeeze amd64. I've read through several tutorials and have it working somewhat. Here's the output of udevadm info for a drive attached via the hotswap bay.
looking at device '/devices/pci0000:00/0000:00:11.0/host7/target7:0:0/7:0:0:0/block/sdb':
KERNEL=="sdb"
SUBSYSTEM=="block"
DRIVER==""
ATTR{range}=="16"
ATTR{ext_range}=="256"
ATTR{removable}=="0"
ATTR{ro}=="0"
ATTR{size}=="156301488"
ATTR{alignment_offset}=="0"
ATTR{capability}=="52" ....
Here is my udev rule
DEVPATH=="/devices/pci0000:00/0000:00:11.0/host7/*", SUBSYSTEM=="block", SYMLINK+="bay%n"
This produces the desired behavior and gives me an fdisk-able device node. The problem I am having is that the "host" component of the DEVPATH varies from bootup to bootup. I'm just using the onboard SATA, host2-7, specifically host7. There is also onboard PATA, host0-1. It seems to just be random which "host"s are assigned to which controller. For example, the next time I boot the system, the onboard SATA will be host0-5 and the onboard PATA will be host6-7. In this simple case, I could just write 2 rules, one for each possibility, and it would still be correct because of the different PCI addresses of the two controllers. But on systems with more SCSI (uh... libata, actually) controllers, a "host" file can point to different physical ports between bootstraps. This would be bad. Does anyone know of a way to write a rule to tie a device node to a specific physical SATA port on the motherboard/HBA?
Jul 20, 2011
I have an HP MSA 2312fc SAN with 2 LUNs configured. The first LUN (LUN ID 1) is correctly connected to the system, but when I connect the second LUN (LUN ID 30), I find this message in the syslog: multipathd: 8:64: size 6835937472, expected 5267578112. Discard
Here is the multipath.conf
[Code]....
So I correctly see the two LUNs, but multipath doesn't create the corresponding devices. Under /dev/mapper I see: control, mpath0, mpath0-part1. mpath0-part1 is the first LUN, the one I mounted in a directory under the filesystem. I can't find the device for the second LUN.
Sep 1, 2011
I need help creating an iptables rule. The iptables are installed on my router. My router also connects to a "hide my a**" VPN account at 79.142.65.5:443. The goal is to somehow force the traffic to go through the VPN, because what sometimes happens is that the VPN connection drops (for whatever reason) and my real IP becomes exposed. Basically, I want to block "myself" from accessing the Internet when not connected to the VPN, because of privacy concerns.
Below is my iptables. It has the 3 default chains and it also has many custom user chains. I need to know what kind of a rule to add, what interface to apply it to (lo, tun0, br-lan, eth1) and the correct chain to insert into. For example, you could tell me something like:
Quote:
FORWARD chain, change rule 1 to
iptables -R FORWARD 1 -j zone_wan_MSSFIX -p tcp --destination-port 443 -i eth1
Obviously, that was just a guess; I need someone that knows iptables to help me.
Code:
Chain INPUT (Policy: ACCEPT)
Rule # Traffic Target Prot In Out Source Destination Options
Rule 1 72.95 KB DROP all * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Rule 2 1.11 GB ACCEPT all * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
[code].....
Apr 20, 2010
Do I have to create a rule for:
Code:
$IPT -A fwalert -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW $RLIMIT -j LOG $LOGLIMIT --log-tcp-options --log-level 4 --log-prefix
to drop rather than log if my table has a default policy of drop with :
Code:
$IPT -t fwalert -P DROP
May 6, 2010
I have done a completely fresh install of Ubuntu 10.04. As soon as I installed it and checked for updates there were a few, but I got an error for the package linux-libc-dev.
I should make it known that since I got this error about 2 days ago, there have been several more updates issued for other packages, but I still get the same error for this package. Everything else installs fine and currently linux-libc-dev is the only package in my list. When I try to install it via the update manager I get a popup window with the following error message:
Quote:
E: /var/cache/apt/archives/linux-libc-dev_2.6.32-22.33_i386.deb: unable to stat `./usr/include/asm-generic/mman.h' (which I was about to install)
To get more information I also ran it from the terminal:
sudo apt-get update
sudo apt-get upgrade
Quote:
(Reading database ... 147293 files and directories currently installed.)
Preparing to replace linux-libc-dev 2.6.32-21.32 (using .../linux-libc-dev_2.6.32-22.33_i386.deb) ...
Unpacking replacement linux-libc-dev ...
[code]....
This package provides headers from the Linux kernel. These headers are used by the installed headers for GNU glibc and other system libraries. They are NOT meant to be used to build third-party modules for your kernel. Use linux-headers-* packages for that.
Feb 23, 2010
I'm not an iptables expert. Anybody know how to create a rule/chain that will log info similar to what tcpdump -s0 would do?
Jul 1, 2011
I've installed Ubuntu 11.04 on a desktop and am trying to install ndiswrapper. I don't have a wired connection to the router, but I have managed to use ndiswrapper successfully on other Linux live distributions which already had them installed (eg, Linux Mint 9). By inserting the Ubuntu 11.04 Live Cd and adding the cdrom in Synaptic's "Settings > Repositories" menu, I can find it in the list of packages, but when I try to install ndiswrapper-utils-1.9 and ndiswrapper-common I get a few error messages. First, a notice pops up saying: "Some of the packages could not be retrieved from the server(s). Do you want to continue, ignoring these packages?". I guessed this is due to lack of an internet connection, so I selected "yes" and got an error box that reads:
"E: Internal Error, No file name for ndiswrapper-utils-1.9 W: Failed to fetch cdrom:[Ubuntu 11.04_Natty Narwhal_-Release i386 (20110427.1)]/pool/main/n/ndiswrapper/ndiswrapper-utils-1.9_1.56+r2729-1_i386.deb
Unable to stat the mount point /media/Ubuntu4011.0440i386/ - stat (2: No such file or directory)"
This system has two hard drives and a cdrom drive. I've error checked the Live cd, and it came up clean. Please, can someone give me a hand getting Ubuntu to mount the cd? PS: I've downloaded the ndiswrapper files from sourceforge onto a thumbstick (version 1.56). Is there a way I can install them from the stick?
Jan 24, 2010
I have a netbook (MSI Wind U100 rebrand) that has one of those card readers built into the handrest. The thing is, I've never used it once, and it keeps popping up in powertop as waking the CPU when it should just shut up and be quiet. Aside from breaking open the case and tearing it out, the immediate solution is to browse to /sys/bus/usb/devices/usb1/1-6/ and pipe 1 to the file remove. That disables it until system reboot or resume, at which point I have to do it all over again.
Code:
$ echo 1 | sudo tee /sys/bus/usb/devices/usb1/1-6/remove
Now I'd like to create a udev rule to make it not get initialized at all. A quick Google search found me this article on creating udev rules, and after toying about with the udevadm tool I managed to produce the attributes/properties of the device.
Code:
zorael@lethe:/sys/bus/usb/devices/usb1/1-6$ udevadm info -a -p $(pwd)
Udevadm info starts with the device specified by the devpath and then walks up the chain of parent devices. It prints for every device found, all possible attributes in the udev rules key format. A rule to match, can be composed by the attributes of the device and the attributes from one single parent device.
looking at device '/bus/usb/devices/usb1/1-6':
KERNEL=="1-6"
SUBSYSTEM=="usb"
DRIVER=="usb"
ATTR{configuration}=="CARD READER
[code].....
Apr 29, 2010
Looking for some help to fix 2 problems I have in my script. (I'm using bash on cygwin.) I have the following source file ($7 does not have data):
Code:
HEADER_1,HEADER_2,HEADER_3,HEADER_4,HEADER_5,HEADER_6,HEADER_7
pattern2,pattern7/Sub data1/Sub data2,pattern8,pattern9,pattern2,pattern2,
pattern3,pattern6/Sub data1/Sub data2,pattern7,pattern3,pattern5,pattern1,
[code]....
In line 5 of the script, that is " {$2 !~ /pattern4|pattern5|pattern6/ }" oriented to delete lines containing pattern4, pattern5 and pattern6 from column 2 it seems not to be working. If I see the output, the line highlighted in red, is present and should not appear, because this line does not contain nor HEADER nor pattern1 nor pattern2.
Jul 16, 2010
Question (and Google results aren't making this clear): Ubuntu has both iptables & ip6tables installed. 1. If I set a rule in iptables, does that rule also apply to ipv6, or just ipv4?
2. If "no" to above, then it would be prudent to *also* set ip6tables rules as well if I want to maintain an active firewall, correct?
3. Does ip6tables rules have the same syntax and behavior (more or less) to iptables rules - i.e. can I just copy my iptables rules & change "iptables" to "ip6tables"?
4. Any gotchas or issues that I should be aware of?
Nov 4, 2010
Alright, I was playing with the VPN capabilities in KDE4 on Squeeze AMD64 on my personal laptop (see my signature) and found it very easy to create a VPN connection and connect, but that's it. I made a VPN tunnel to one of my client locations as a test, but could use rdesktop to get into the server. Then I realized I couldn't ping the server either. I also lost all ability to browse the web and everything while the VPN was up. Upon checking ifconfig as root, I saw that it created "ppp0" and that it had pulled an IP from the client network, but all of my networking capabilities were gone. What gives? What is it that I am missing?
May 10, 2011
I have met a bug in Debian Squeeze with the kernel 2.6.32-5-xen-amd64 and Xen 4.0.1. I have tried with two different environments, but I have the same result. I don't have this bug when I use just the kernel 2.6.32-5-xen-amd64 without the Xen 4.0.1 hypervisor, nor on Debian Lenny with the kernel 2.6.26-2-xen-amd64 + Xen 3.2.1. When I run a script that creates a snapshot of an LV, I get this bug error, just after the "lvcreate -s -n Snap -L 1G /dev/data/svsqueeze" in the script:
[Code]...
Oct 26, 2015
I have been following the Xen Beginners Guide here: [URL] .....
Everything was going smoothly until I got to the 'Configuring xen-tools and building our guest' section (two thirds down the page).
I installed xen-tools and then typed the following in a terminal window (as root):
xen-create-image --hostname=development-pv-guest --memory=2048mb --vcpus=2 --lvm=develop --dhcp --pygrub --dist=jessie
I admit PV is new to me, compared to simple HVM, so I have a number of questions:
1. Why the command not found error?
2. Should I be booting from the Xen option or regular boot option at the start up screen when creating the xen image? I've tried both and get the same error message.
3. I have Debian 8 (Jessie) installed on my system and I wasn't sure whether I should therefore make this the guest OS in my Xen PV. In asking this question I'm thinking in terms of HVMs - but I assume my Xen PV needs a guest OS of some kind? Or is my host Debian 8 already acting as a guest OS in Xen PV? I'm confused
4. If I do need to install a guest OS, is it better to go for an earlier version of debian - so as not to be so resource hungry?
I'm nervous about screwing up my host debian installation, so when I got the error message, did some research but found nothing meaningful. I don't want to end up having to reinstall my Debian 8 (base OS) ... again!
Jan 27, 2010
I am trying to create a LiveCD with the option of installation. So far, so good. Live and installation work well. Now I want to automate the installation. The problem is that when I run the install from the ISO, it says it could not find the preseed file. In looking around, it seems that we should add this file to the initrd, but I do not see how. I searched a few hours on the net in vain.
Feb 10, 2011
I want to create a lenny usb-hdd live image and would like to have ext2 on the USB stick. I changed config/binary to ext2:
LH_BINARY_FILESYSTEM="ext2"
but get this problem:
# lh_clean
# lh_build
W: You have selected values of LH_BOOTLOADER and LH_BINARY_FILESYSTEM which are incompatible - syslinux only supports FAT filesystems.
P: Setting up cleanup function
Jun 1, 2011
On Debian Etch I used to understand how to change boot kernel parameters with Grub. You could just edit menu.lst.
With the newer Grub in Squeeze I am without a clue! I want to set up a ramdisk, say 128 Megs in size, and add that to my boot parameters so that it is created every time the machine starts. Do I set something in /etc/default/grub ?
Jun 20, 2011
My Postfix cannot currently create any folders other than inbox. Even when I send an e-mail I receive an error along the lines of, "Could not create sendmail folder." Also, my Postfix isn't receiving e-mails, and can only send e-mails to other accounts on the server. I called my ISP and they told me my port 25 isn't blocked, and it is forwarded on my router so I am not sure what could be wrong. I am using zoneedit as my name server and I am pretty sure my MX record is good.
Aug 24, 2010
I am trying to create an encrypted file and later mount it as a filesystem.
KEY=`tr -cd [:graph:] < /dev/urandom | head -c 79`
echo $KEY | openssl aes-256-cbc > container.key
dd if=/dev/urandom of=~/container.img bs=1G count=10
losetup /dev/loop0 ~/container.img
[code]....
The luksOpen command asks me for my passphrase, but always rejects it. I have retried this several times and written down the passphrase - and even tried with a very simple one just to check. And I never can make it work.
Sep 10, 2010
I am new to Debian and recently I have been working with a Debian server. I have been asked to find out how to create a script that you can run, or that can be run by another program, to format and mount a new hard disk.
Feb 3, 2010
I have created a folder on my server to upload some regular states. I want users to be able to modify or upload already stored files, but they should not upload any unwanted files or folders. For that I want to use the "rm" command as an auto scheduler (putting this in the crontab), so that all files will be removed except some required files/folders for which this upload facility is activated. Users are using secure shell for uploading data.
Jul 2, 2011
When I right click on a free area of the desktop or within an open folder, I read "Create Document" -> "no templates installed" and "Empty File". How to install the templates in there so I could open a file of my choice?
Nov 23, 2010
I have an old scanner script that uses pamthreshold to create a small greyscale image of a text document. This program does not seem to be available in debian. Can anyone tell me how I can install it, or if there are any better alternatives available?
Mar 25, 2010
I have a customized XP installation disk created for my company. However, my office does not require several of the applications that are installed by default. Also, some configuration settings are incorrect. I have extracted the XP installation files and can perform an install using those files from a running system, but I cannot boot from the CD.
I have tried just about every suggestion I can find on the net except purchasing a third-party burning application to do this. I tried burning both CDs and DVDs using floppy boot images, but XP will not install in a "DOS environment". I've also tried ripping the boot sector directly from a bootable CD/DVD and using that without success. Finally, I ripped ISO images and tried ripping the boot sector from those, also without success. I've also tried various file system type settings in K3b, including Joliet, Linux/Windows, UDF, and DOS compatible, all without success. Surely there must be a way to do this?
PS--I tried posting this to the K3b mailing list first but was rejected, even after creating an account with Sourceforge!? Didn't want to have to submit a support request just to submit a support request.
Feb 19, 2009
I have created a user account on an Ubuntu workstation. I log into the terminal as this new user and when I try to create a file I get that permission is denied. I would like to create a file such that this new user and other members of a group can access it.
Apr 6, 2010
I have unallocated space at the end of my HDD, which is about 10 GB. I installed Pardus on that space, but then deleted the partition to install something else (I know I did not have to delete it, I could simply install the new thing over it); I don't remember exactly how, but it was from my Debian system, not from a LiveCD. Now, I am unable to use that space. GParted gives an error and says: Warning: the kernel failed to re-read the partition table on /dev/sda (Device or resource busy). As a result, it may not reflect all of your changes until after reboot.
Sep 6, 2015
I was thinking of migrating my apt-mirror repository to the recommended ftp scripts: [URL] .....
I pre populated my pool with already downloaded files, and setup the scripts.
However, if I run the bin/ftpsync, and monitor rsync with lsof -p, I can see that it is still downloading files from oldstable (wheezy) despite exclude options.
I'm guessing it's a configuration error, but I can't seem to figure it out. Any thoughts? My etc/ftpsync.conf is as follows:
Code:
MIRRORNAME=`hostname -f`
TO="/server_storage/srv/mirrors/debian"
RSYNC_PATH="debian"
RSYNC_HOST=ftp.us.debian.org
LOGDIR="${BASEDIR}/log"
[Code] ....
Actually, I don't think it works like I thought it did. A few guides I found listed the exclude options, but the sample config file has this:
Code:
## If you do want to exclude files from the mirror run, put --exclude statements here.
## See rsync(1) for the exact syntax, these are passed to rsync as written here.
## DO NOT TRY TO EXCLUDE ARCHITECTURES OR SUITES WITH THIS, IT WILL NOT WORK!
#EXCLUDE=""
So it looks like it doesn't exclude the suites at all.