Red Hat :: Generate Audit Log Every 6 Months
Mar 8, 2011
I'd like to know how do I rotate the audit logs under "/var/log/audit/audit.log" every 6 months. Currently I have set the parameter inside /etc/audit/auditd.conf to "KEEP_LOGS" (previously "ROTATE") and log files are generated up to the size 5M and never deleted. Do I need to change anything inside the "/etc/audit/audit.rules" file?
[root@RHEL5 ~]# more /etc/audit/auditd.conf
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
[Code].....
Feb 15, 2010
Tell me how good Asghar Ghori's (RHCE) book is for RHCE. I have to take up the exam in another 4-5 months.
Apr 30, 2010
I am trying to run the following only once every three months but it looks like it runs every day. I edited crontab -e and added the following:
Code:
0 23 * jul,oct,jan,apr * /path/to/script > /var/log/script.log 2>&1
Feb 22, 2010
I am having a little difficulty sorting the date ranges which are in a field like:
How do I sort by month and date? I mean the result should be ordered by month and date. If I go for sort -M, I am not able to get the list by date within a particular month.
Sep 5, 2010
I just recently switched from Windows to Ubuntu 10.04, and I remember that Windows had a disk check. I have no problems with my computer, but is it a good idea to run fsck every few months? Does Ubuntu automatically do this for me? Or is this unnecessary unless I have a serious problem?
Jun 5, 2011
Yesterday I tried to connect using my 3G, it has been working since I installed the computer more than a year ago.
When I try to connect I get the following in the syslog (and daemon.log)
Code:
Jun 5 10:50:21 ubuntu NetworkManager: <info> Activation (ttyUSB0) starting connection '3 Bredband'
Jun 5 10:50:21 ubuntu NetworkManager: <info> (ttyUSB0): device state change: 3 -> 4 (reason 0)
Jun 5 10:50:21 ubuntu NetworkManager: <info> Activation (ttyUSB0) Stage 1 of 5 (Device Prepare) scheduled...
[Code]....
After a lot of swearing and scratching of the head I've resorted to trying this from a live CD, but with the same results. I know I've been able to connect using a live CD before so I'm a bit worried that something might have happened with the hardware.
What I'm hoping for though is some way to determine that it is the SIM card and/or something on the operator side that is bork.
How to further pinpoint the issue? And/or troubleshoot the hardware? I should be able to send AT commands directly to the modem, does anyone know how and/or the syntax for establishing the data connection?
EDIT: I'm using an Asus eee 901 with builtin 3G modem.
Dec 25, 2010
it seems Ubuntu can't just BURN CD or DVD. I've used Brasero, GnomeBaker, K3B - They all miserably FAIL.
Plus, they Break My DVD Drives, after trying sooo Many Times, leaves it behind useless.
I bought 3 DVD Drives: Lite-On, Sony and LG. In a span of 3 Months, UBUNTU completely DESTROYED all of them.
I'm not sure why. BUT first, I find Ubuntu can't burn using above Applications. 2nd, DVD stops working.
Error message from K3B, using it, since it's the most stable I've found. cdrdao crashed, file permissions problems, perhaps TAO will fix this, and a lot more of these crap.
Mar 22, 2011
I have an Intel HDA chipset that desperately wants to work. I have it plugged into my receiver and sound only occasionally works. I say occasionally because I will hear some sound, then my receiver will flash HDMI, as if it is switching to the new stream, and I hear silence. Then shortly later, the receiver will provide sound, then again it will 'switch' and I hear silence. To work around this, I had an optical line working and somehow had ALSA using ONLY that for the audio (bypassing the HDMI completely). Then one day when I was trying to get the audio fixed for some specific application, I broke it! I cannot figure for the life of me how to make ALSA ONLY use my optical line. Of course any suggestions on how to get the HDMI to work is even better.
Dec 30, 2010
Does anyone know how I might enable my boot to Ubuntu again? Here is what I have found but do not know what I should fool with. I thought I would ask for help before I screw it up worse. I have Ubuntu 10.04.1 installed inside W7, effectively creating a dual boot system. It's been running fine for about 2 months. Now when I try to boot into Ubuntu by selecting the boot Ubuntu option in the Windows Boot Manager, it fails and goes back to Windows Boot Manager. There are 2 screens that flash by in about 1/2 a second when enter is pressed after the Ubuntu selection and before it reverts again to the Boot Manager. With the help of a camera and good timing, I captured a picture of the text displayed.
The first screen displays;
Try (hd0, 0) NTFS5 No wubildr
Try (hd0, 1) NTFS5 _
The second screen displays;
error unknown command loadfont
error file not found
In the windows C: drive I find the 2 files;
C:wubildr created 12/19/10 size 87kb
C:wubildr.mbr created 11/7/10 size 8kb (created the date I installed Ubuntu)
In C:ubuntuwinboot... I find the same two files with the same size and creation dates as in the windows c: drive. In addition I also find a file, C:ubuntuwinboot.wubuildr.cfg, created 11/7/10, size 2kb, described as a MS Office Outlook configuration file.
There are also files; C:ubuntudisksootgrub but the grub directory is empty. The grub directory was created 11/7/10. Should there be a file in the grub directory?
May 13, 2011
OS: Ubuntu Server x64 10.04
Apache: 2.2.14-5ubuntu8.4
I have a virtual server which has been running for months with no problems, then one day I saw that it crashed and I had to power cycle it. Since then I have been unable to start Apache as it segfaults no matter what options I give it. Before I try to reinstall Apache, why is this segfaulting?
Code:
execve("/usr/sbin/apache2", ["/usr/sbin/apache2"], [/* 21 vars */]) = 0
brk(0) = 0x7f9f48f8d000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9f47e0d000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
[Code]...
Feb 16, 2010
I am trying to setup auditing for NISPOM requirements using the built-in linux audit kernel which uses auditd and audit.rules for setup. I have been able to meet all other requirements, but I cannot find a way to audit user logout actions. My audit.rules file is listed below
Code:
#This file contains the a sample audit configuration intended to
# meet the NISPOM Chapter 8 rules.
[code]....
Jan 7, 2011
I would like to log all the commands executed (in full) by all the users or at least myself.
The lastcomm package doesn't store the full command.
Aug 24, 2010
When the audit daemon starts and stops, I see DAEMON_START DAEMON_STOP in the audit log. I don't see a rule in audit.rules about logging this event. So, I'm guessing that it's a rule that's built into the audit daemon. Can you confirm this? Also, I've been looking for an explanation of the event types that the audit daemon logs, such as: USER_AUTH, USER_ACCT, CRED_ACQ. If you know of any docs that explain this,
Jul 21, 2010
The default installation of 11.3 has ipv6 enabled. When accessing a site using any browser, there was a considerable delay before the page would appear. I disabled ipv6 and things are normal. Is my computer going to explode in a couple of months from all the backed up addresses? Seriously, is there something wrong with my setup? Why would ip6 be enabled by default if it slows things way down? There are just so many things I don't know.
Nov 13, 2010
Running Ubuntu headless server 9.10 with a RAID 1 on ext3. After a power failure (UPS power button was hit accidentally), I logged into the system via ssh and found that I had lost all data since my last reboot, which was 4 months ago. It was as if I had a perfect snapshot of my machine from 4 months ago. Everything, database files, logs, all report as if the machine had been off for 4 months. Fortunately, I have quality backups of all my data so I am able to recover, but I have never had such a problem before and I cannot figure out what happened.
Mar 1, 2011
We have 4 servers having rhel 5.2. We have several users logged in on one of them. We have nis server/client running on them and have common home area mounted on all of them. Now we want to disable/block the accounts of the users who have not accessed our servers in last 2 months from today. What logic should we apply to do so? We were checking stat of .bashrc of each user but is not correct logic. We are going to write shell script for the same. We don't want to do anything in users home area or their files.
May 21, 2010
I'm trying to add the -audit option to X Server. I run ps -ef | grep -v grep | grep "bin/X" and get:
root 2511 2506 0 10:35 tty7 00:00:09 /usr/bin/X:0 -br -verbose -auth /var/run/dgm/auth-for-gdm-sScn1P/database -nolisten tcp vt7
So I'm thinking that I need to add -audit to the /usr/bin/X file, but I believe that it's binary and created by something else, but I can't find that "something else". How on earth can I add this option? I have opened up 1,000,000,000,000,000,000,000 files (slight exaggeration) and I've come up empty.
Sep 27, 2010
One of our customers is looking at enterprise audit of their data center (primarily consists of Linux servers) We suggested them towards a SNMP based tool that has some limitations. Any other recommendation is welcome...
Jun 7, 2010
Strange: during the configure, I have checked:
checking for struct audit_tty_status... no
# uname -a
Linux lfslc5 2.6.18.8-xenU-64b #1 SMP Tue May 6 18:09:10 CEST 2008 x86_64 x86_64 x86_64 GNU/Linux
Mar 14, 2011
SELinux and psacct are disabled in this system (RHEL5.6 2.6.18-194.11.3.el5 SMP x86_64). After performing a yum update, the syslog is flooded with kernel audit messages (related to PAM), even though the audit service is turned off. Is there a way to disable this verbosity?
[Code]....
Apr 11, 2011
I am running RHEL 5.4 Server (32-bit) and have my audit.rules file set up per a template that I am required to use. There is one particular rule that audit is auditing the unlink of files. With this set, my log files are filling up very fast, as there is a particular app that constantly touches/deletes a couple of files, which the unlink is catching. Here is the audit rule:
Code:
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
I commented out the "-S unlink" and my logging returns to normal (as expected). For right now, I was wondering if there was a way to set this rule up to exclude these couple of files from what auditd is capturing?
Feb 10, 2010
My webcam was working when I installed Fedora 12. But now it doesn't work after about 2 months of playing with this OS. Because of this, I decided to reinstall its driver. I downloaded it from the ATrpms website, but if I try to install it the terminal says:
"/boot/vmlinuz-2.6.31.12-174.2.3_1.cubbi_tuxonice.fc12.x86_64 is needed by uvc-kmdl-2.6.31.12-174.2.3_1.cubbi_tuxonice.fc12-0.20090806-4.fc12.x86_64"
File needed: /boot/vmlinuz-2.6.31.12-174.2.3_1.cubbi_tuxonice.fc12.x86_64
File wanted to be installed: uvc-kmdl-2.6.31.12-174.2.3_1.cubbi_tuxonice.fc12-0.20090806-4.fc12.x86_64
Mar 27, 2010
I have a server running Ubuntu. There is a folder /var/netflow and I have files there; new ones are created every 5 minutes (monitoring traffic on the network). And I need to delete files older than 6 months manually. Can you help?
Mar 4, 2011
We have 4 servers having rhel 5.2. We have several users logged in on one of them. We have nis server/client running on them and have common home area mounted on all of them. Now we want to disable/block the accounts of the users who have not accessed our servers in last 2 months from today. What logic should we apply to do so? We were checking stat of .bashrc of each user but is not correct logic. We are going to write shell script for the same. We don't want to do anything in users home area or their files.
Jul 7, 2010
How to audit and delete unwanted rpm packages. How to back up the repository list from YaST2.
Aug 20, 2010
I ran a test where I filled up the /var partition. The disk_full_action in auditd.conf is SUSPEND. I was expecting to see a message in /var/log/messages to indicate that the audit daemon was suspended because it did not have any space left on the partition. Why didn't I get these messages? Also, how can I tell if the audit daemon is suspended?
May 5, 2011
We have setup a separate partition to keep our audit files, but I am at a loss to figure out how to redirect the log files to be stored there instead of the default.
I am sure it is a simple matter but I have been unable to locate the information.
Mar 16, 2011
I am trying to lock down a server using audit.rules. I intend to use ausearch to review certain entries from time to time. I noticed that it's possible to assign a "key" to each rule and then use `ausearch -k` to show only the records that have that key. Unfortunately, the key feature seems broken. I started with the following rule in audit.rules:
Code:
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k deny
I do a `cat /etc/shadow` and a `ausearch -ts today -k deny` and it seems all went well.
[code]....
Jul 20, 2010
I am using Fedora 9, with kernel version 2.6.25-14.fc9.i686. I installed rsh-server. My configurations (with firewalls off) were:
1. In /etc/xinetd.d/rsh made "disable = yes" to "disable = no"
2. In /etc/securetty included the lines rsh and rlogin
3. By switching to user 'user1', in /home/user1/.rhosts included ip address of remote machine and issued 'chmod 400 /home/user1/.rhosts'
4. restarted xinetd service
When I issue the following from remote machine rsh <ip address> -l user1 ls it fails saying 'Error sending audit event.' In 'tail -f /var/log/messages' I could see the error dump
socket bind: Invalid argument (errno = 22) Error sending audit event.