Red Hat :: Excluding Unlink To A Particular File In Audit.rules?

Apr 11, 2011

I am running RHEL 5.4 Server (32-bit) and have my audit.rules file set up per a template that I am required to use. There is one particular rule that audits the unlink of files. With this set, my log files are filling up very fast, as there is a particular app that constantly touches/deletes a couple of files, which the unlink is catching. Here is the audit rule:

Code:
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

I commented out the "-S unlink" and my logging returns to normal (as expected). For right now, I was wondering if there was a way to set this rule up to exclude these couple of files from what auditd is capturing?


Security :: Setting Up Several Keys In Audit.rules File?

Mar 16, 2011

I am trying to lock down a server using audit.rules. I intend to use ausearch to review certain entries from time to time. I noticed that it's possible to assign a "key" to each rule and then use `ausearch -k` to show only the records that have that key. Unfortunately, the key feature seems broken. I started with the following rule in audit.rules:

Code:
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k deny
I do a `cat /etc/shadow` and a `ausearch -ts today -k deny` and it seems all went well.

[code]....

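Added example for the two audit.rules threads above (mine, not from either post). The exit filter is evaluated top to bottom and stops at the first matching rule, so a `-a never,exit` rule for each noisy path, placed before the template's `always` rule, drops those records while every other unlink still lands under the `delete` key; the template line itself stays untouched, which matters when the template is a compliance requirement, and the exclusion should be documented as a deviation. The paths `/var/tmp/app/state.lock` and `/var/tmp/app/state.tmp` are assumptions standing in for whatever the application churns. To find those paths in the first place, `audit_delete_hotspots` joins each SYSCALL record's `key=` with the `name=` of the PATH records of the same event (they share the `audit(<time>:<serial>)` id), which is also what `ausearch -k delete` does once keys are in place. The sample log is constructed and trimmed to the fields that matter.

```shell
#!/bin/sh
# Added example for auditd rule ordering and noise triage; not from the thread.
# Paths under /var/tmp/app are assumptions.

# Rule file fragment: "never" rules first, the template rule unchanged after them.
# -F path= is the watch mechanism behind -w; on a RHEL 5 kernel confirm with
# "auditctl -l" that the rule loaded, then trigger a delete and check that
# "ausearch -k delete" no longer shows the excluded file.
audit_rules_with_exclusions() {
  cat <<'EOF'
# Exclusions must come before the rule they exclude from: the exit filter
# stops at the first match.
-a never,exit -F arch=b32 -S unlink -S unlinkat -F path=/var/tmp/app/state.lock
-a never,exit -F arch=b32 -S unlink -S unlinkat -F path=/var/tmp/app/state.tmp
# Template rule, unchanged
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
EOF
}

# Sanity check on a rules file: no "never" rule may follow an "always" rule.
never_rules_precede_always() {   # $1: rules file; exit 0 if the order is right
  awk '/^-a always/ { seen = 1 } /^-a never/ && seen { bad = 1 } END { exit bad + 0 }' "$1"
}

# Count audit records per (key, path) so you can see which files dominate.
# SYSCALL records carry the key, PATH records carry the names; both share the
# event id audit(<time>:<serial>), which is what we join on. Accepts both the
# audit.log form (type=SYSCALL) and the syslog form (type=1300).
audit_delete_hotspots() {   # $1: audit.log; prints "count key path", busiest first
  awk '
    { match($0, /audit\([0-9.]+:[0-9]+\)/); ev = substr($0, RSTART, RLENGTH) }
    /type=SYSCALL |type=1300 / {
      if (match($0, /key="[^"]*"/)) key[ev] = substr($0, RSTART + 5, RLENGTH - 6)
    }
    /type=PATH |type=1302 / {
      if (match($0, /name="[^"]*"/)) names[ev] = names[ev] "\n" substr($0, RSTART + 6, RLENGTH - 7)
    }
    END {
      for (ev in names) if (ev in key) {
        n = split(names[ev], p, "\n")        # p[1] is empty (leading separator)
        for (i = 2; i <= n; i++) count[key[ev] " " p[i]]++
      }
      for (k in count) print count[k], k
    }' "$1" | sort -rn
}

# Constructed sample log (i386: arch=40000003, syscall 10 = unlink, 5 = open),
# trimmed to the fields used here. Parent directories show up as PATH items too.
sample_audit_log() {   # $1: file to write
  cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1302537600.101:74): arch=40000003 syscall=10 success=yes exit=0 items=2 ppid=1 pid=2201 auid=500 uid=500 comm="appd" exe="/opt/app/bin/appd" key="delete"
type=PATH msg=audit(1302537600.101:74): item=0 name="/var/tmp/app" inode=1234 dev=fd:01 mode=040755 ouid=500 ogid=500 rdev=00:00
type=PATH msg=audit(1302537600.101:74): item=1 name="/var/tmp/app/state.lock" inode=1235 dev=fd:01 mode=0100644 ouid=500 ogid=500 rdev=00:00
type=SYSCALL msg=audit(1302537601.102:75): arch=40000003 syscall=10 success=yes exit=0 items=1 ppid=1 pid=2201 auid=500 uid=500 comm="appd" exe="/opt/app/bin/appd" key="delete"
type=PATH msg=audit(1302537601.102:75): item=0 name="/var/tmp/app/state.lock" inode=1236 dev=fd:01 mode=0100644 ouid=500 ogid=500 rdev=00:00
type=SYSCALL msg=audit(1302537602.103:76): arch=40000003 syscall=10 success=yes exit=0 items=1 ppid=1 pid=2201 auid=500 uid=500 comm="appd" exe="/opt/app/bin/appd" key="delete"
type=PATH msg=audit(1302537602.103:76): item=0 name="/var/tmp/app/state.lock" inode=1237 dev=fd:01 mode=0100644 ouid=500 ogid=500 rdev=00:00
type=SYSCALL msg=audit(1302537603.104:77): arch=40000003 syscall=10 success=yes exit=0 items=1 ppid=1 pid=2201 auid=500 uid=500 comm="appd" exe="/opt/app/bin/appd" key="delete"
type=PATH msg=audit(1302537603.104:77): item=0 name="/var/tmp/app/state.tmp" inode=1238 dev=fd:01 mode=0100644 ouid=500 ogid=500 rdev=00:00
type=SYSCALL msg=audit(1302537700.105:78): arch=40000003 syscall=10 success=yes exit=0 items=1 ppid=2900 pid=2950 auid=500 uid=500 comm="rm" exe="/bin/rm" key="delete"
type=PATH msg=audit(1302537700.105:78): item=0 name="/home/alice/notes.txt" inode=9001 dev=fd:01 mode=0100644 ouid=500 ogid=500 rdev=00:00
type=SYSCALL msg=audit(1302537800.106:79): arch=40000003 syscall=5 success=no exit=-13 items=1 ppid=2900 pid=2960 auid=500 uid=500 comm="cat" exe="/bin/cat" key="deny"
type=PATH msg=audit(1302537800.106:79): item=0 name="/etc/shadow" inode=42 dev=fd:01 mode=0100400 ouid=0 ogid=0 rdev=00:00
EOF
}

# Stand-alone demo: rank the sample log, then print the rules fragment.
demo_log=$(mktemp)
sample_audit_log "$demo_log"
audit_delete_hotspots "$demo_log"
rm -f "$demo_log"
audit_rules_with_exclusions
```

On a real box run `audit_delete_hotspots /var/log/audit/audit.log | head` before touching the rules; if the top entries are all one application's scratch files, those are the candidates for `never` rules, and anything else in the list is exactly what the template wants kept.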

Server :: Audit System Is In Immutable Mode - No Rules Loaded

Nov 23, 2010

I have /var/log/audit and /var/log/audit.log owned by root and 600 permissions. I've also removed and made an empty /var/log/audit directory when that did not work either. I can start the service after boot up, but it is not coming up automatically even when configured by chkconfig. I also get this after I attempt a restart...

Stopping auditd: [ OK ]
Error deleting rule (Operation not permitted)
Starting auditd: [ OK ]
The audit system is in immutable mode, no rules loaded

A tail of my /var/log/messages shows this...
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.524:73): item=1 name="/var/run/auditd.pid" inode=131143 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:var_run_t:s0
Nov 23 16:45:18 hostname kernel: type=1300 audit(1290548718.618:74): arch=c000003e syscall=87 success=no exit=-2 a0=7fff730b2f85 a1=7fff730b2f85 a2=2 a3=0 items=1 ppid=6243 pid=6248 auid=1111 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="delete"
Nov 23 16:45:18 hostname kernel: type=1307 audit(1290548718.618:74): cwd="/"
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.618:74): item=0 name="/var/run/auditd.pid" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
Nov 23 16:45:18 hostname kernel: type=1300 audit(1290548718.620:75): arch=c000003e syscall=87 success=yes exit=0 a0=7fff9b776f81 a1=7fff9b776f81 a2=2 a3=0 items=2 ppid=6243 pid=6249 auid=1111 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="delete"
Nov 23 16:45:18 hostname kernel: type=1307 audit(1290548718.620:75): cwd="/"
Nov 23 16:45:18 hostname auditd[6260]: Started dispatcher: /sbin/audispd pid: 6262
Nov 23 16:45:18 hostname audispd: af_unix plugin initialized
Nov 23 16:45:18 hostname audispd: audispd initialized with q_depth=80 and 1 active plugins
Nov 23 16:45:18 hostname auditd[6260]: Init complete, auditd 1.7.17 listening for events (startup state enable)


Security :: Audit.rules Does Not Retain Certain Settings After Reboot Or Service Restart?

Jan 11, 2011

I'm using RHEL 5 with the Enhanced Security. Using the suggested NISPOM Red Hat documented settings (located on the system; copy - paste) I have managed to audit failed file open accesses; however, this setting is only retained if I enter it at the command line (/sbin/auditctl -a ). If I reboot the system or restart the service, all my -a (not -w) rules located in /etc/audit/audit.rules are not retained.

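The last two threads both come down to what happens when the init script runs `auditctl -R /etc/audit/audit.rules`, so here is an added lint function (mine, not from either post) for the mistakes that bite: `-e 2` makes the loaded rule set immutable, so every later line in the file, and every later `auditctl -D` or `auditctl -a`, fails with "Operation not permitted" until the box is rebooted, which is exactly the "Error deleting rule" / "immutable mode, no rules loaded" pair in the first post; a `-D` placed after rule lines throws away everything loaded above it; and a syscall rule without `-F arch=` is ambiguous on x86_64 because 32-bit and 64-bit syscall numbers differ. The rule files in the demo are constructed.

```shell
#!/bin/sh
# Added example: lint an audit.rules file for ordering mistakes. Not from the thread.

lint_audit_rules() {   # $1: rules file; prints warnings, exit 1 if any
  awk '
    function warn(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; problems++ }
    /^[[:space:]]*(#|$)/ { next }                        # comments and blank lines
    /^-D([[:space:]]|$)/ {                                # delete all loaded rules
      if (rules) warn("-D after rule lines: it discards every rule loaded above it")
      next
    }
    /^-e[[:space:]]+2([[:space:]]|$)/ { immutable = FNR; next }
    immutable { warn("comes after -e 2 on line " immutable " and can never load (EPERM in immutable mode)") }
    /^-[aA][[:space:]]/ {
      rules++
      if ($0 ~ /-S[[:space:]]/ && $0 !~ /-F[[:space:]]*arch=/)
        warn("syscall rule without -F arch=: ambiguous on x86_64, put -F arch=b64 or b32 before -S")
    }
    /^-w[[:space:]]/ { rules++ }
    END {
      if (immutable) print FILENAME ": -e 2 present: once loaded, the rule set cannot change until reboot"
      exit (problems ? 1 : 0)
    }
  ' "$1"
}

# Constructed rules file with all three mistakes, for a stand-alone run.
demo_bad_rules() {   # $1: file to write
  cat > "$1" <<'EOF'
-a always,exit -S unlink -S unlinkat -k delete
-D
-b 320
-e 2
-w /etc/shadow -p wa -k shadow
EOF
}

# Stand-alone demo
demo_file=$(mktemp)
demo_bad_rules "$demo_file"
lint_audit_rules "$demo_file" || echo "(exit status $?: problems found)"
rm -f "$demo_file"
```

When rules "disappear" after a restart, run `auditctl -R /etc/audit/audit.rules` by hand as root and read the first error it prints, then compare `auditctl -l` with the file; the lint above catches the ordering cases, a plain syntax error shows up in that manual run. If `-e 2` is in the file, there is no way to change the rules short of a reboot, so put it last and only once the rest of the file is known good.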

General :: Hiding A File Using Unlink Command?

Feb 1, 2011

While googling for soft links and hard links I found this part

Code:
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    FILE *fp;
    fp = fopen("some.hidden.file", "w");
    if (fp == NULL)
        return 1;
    unlink("some.hidden.file"); /* deletes the filename part */
    /* some.hidden.file no longer has a filename and is truly hidden */
    fprintf(fp, "This data won't be found\n"); /* access the data part */
    fclose(fp); /* the inode is freed only when the last descriptor closes */
    return 0;
}

[Code]...

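The snippet above is the classic "hidden" file: unlink removes the name, but the inode stays allocated while any descriptor to it is open. The added shell example below (mine, not from the thread; Linux only, since it relies on /proc) does the same thing with a shell descriptor and then shows the defender's side, which is the part that matters operationally: every open descriptor of every process is visible under /proc/<pid>/fd, the link target of an unlinked file ends in "(deleted)", and reading through that link gives the full content back for as long as the process holds it open. `lsof +L1` lists the same files system-wide. Temp paths are created by the script.

```shell
#!/bin/sh
# Added example: the unlink "hiding" trick and its recovery via /proc. Not from the thread.
# Requires Linux (/proc). Paths are temp files created here.

# Attacker's side: open the file on fd 3, unlink it, keep writing through fd 3.
hide_file() {   # $1: path, $2: text to write after the name is gone
  exec 3<>"$1"
  rm -f "$1"
  printf '%s\n' "$2" >&3
}

# Defender's side: descriptors whose link target ends in "(deleted)" are
# unlinked files still held open by that process.
list_deleted_open_files() {   # $1: pid
  for fd in /proc/"$1"/fd/*; do
    target=$(readlink "$fd") || continue
    case $target in
      *'(deleted)') printf '%s -> %s\n' "$fd" "$target" ;;
    esac
  done
}

# Reading through /proc/<pid>/fd/<n> opens the same inode again, so the content
# of a "hidden" file can be copied out while the process keeps it open.
recover_deleted_file() {   # $1: pid, $2: fd number; prints the content
  cat /proc/"$1"/fd/"$2"
}

# Stand-alone demo against this shell's own pid
f=$(mktemp)
hide_file "$f" "This data won't be found by ls"
ls -l "$f" 2>/dev/null || echo "$f: gone from the directory listing"
list_deleted_open_files $$
recover_deleted_file $$ 3
```

For a system-wide sweep, `find /proc/[0-9]*/fd -lname '*(deleted)' 2>/dev/null` or `lsof +L1` finds the processes to look at; the content is only gone once the last descriptor closes.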

Ubuntu :: Can't Create File /etc/udev/rules.d/70-android.rules?

Jun 19, 2011

I need to create filename 70-android.rules in the directory /etc/udev/rules.d/. I have Adm privileges in my user account properties, but when I use sudo to create this file the Ubuntu OS does not allow me the privilege... I am running Ubuntu 10.04 LTS and here's the Terminal output below:

Code:
daddy@gatomon-laptop:/etc/udev/rules.d$ sudo cat > 70-android.rules
bash: 70-android.rules: Permission denied
daddy@gatomon-laptop:/etc/udev$ ls -l
total 8
drwxr-xr-x 2 root root 4096 2011-03-16 18:03 rules.d
-rw-r--r-- 1 root root  218 2010-04-19 04:30 udev.conf

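Added example (mine, not from the thread) for the shell mechanics behind that error: the `>` redirection is performed by the calling shell, as the calling user, before sudo even starts, so only `cat` runs as root and the open of the root-owned directory entry fails. The fix is to let the privileged process do the open itself, via `tee` or a root `sh -c`. The `SUDO` variable is an assumption so the functions can be exercised without privileges (`SUDO=` runs them as the current user); leave it unset for real use.

```shell
#!/bin/sh
# Added example: why "sudo cat > file" fails and how to write a root-owned file
# from an unprivileged shell. Not from the thread. SUDO is an assumption so the
# example can run unprivileged: "SUDO=" runs the commands as the current user.

# tee runs under sudo and performs the open(2) of the destination itself;
# only stdout of tee is redirected here, and that redirection is harmless.
write_as_root() {   # $1: destination path; content on stdin
  ${SUDO-sudo} tee "$1" >/dev/null
}

# Same property, different shape: the redirection happens inside a root shell.
# The path is passed as an argument, not spliced into the command string.
write_as_root_sh() {   # $1: destination path; content on stdin
  ${SUDO-sudo} sh -c 'cat > "$1"' sh "$1"
}

# Stand-alone demo in a temp dir, unprivileged, so it runs anywhere.
demo() (
  SUDO=
  d=$(mktemp -d)
  printf '# placeholder udev rule, replace with the real one\n' | write_as_root "$d/70-android.rules"
  cat "$d/70-android.rules"
)
demo
```

Usage against the real directory is `printf '...rule...\n' | write_as_root /etc/udev/rules.d/70-android.rules` with `SUDO` unset; `sudo tee -a` is the equivalent for appending.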

General :: Zip All The Files Excluding Todays File?

Jun 21, 2011

At present in my server the log folder has filled up and is causing a memory issue. So I am planning to write a script in such a way that the files which are older than 30 days will be deleted, and also to find the files which were not compressed and compress them. Compression will be skipped if the file was created on the same day.


General :: Find Command \ Search File Excluding The NFS?

Jan 20, 2010

I want to search for a file excluding the NFS ... find / -mount -name 'filename' restricts the search only to the root disc partition, but the file can be in other partitions also. Is there any way to exclude the NFS only?


OpenSUSE Network :: Audit Original User That Changed File After Su?

Jul 22, 2010

Need to track which users are making changes to production files. I have a small number of administrators with access to su, but need to be able to identify which administrator is making changes to which files after they have su. I have read several posts and articles regarding the auditd tool, but it is not clear to me whether this tool can generate a log that shows the original user and file being altered.

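What answers this is auditd's login UID: pam_loginuid stamps `auid` on the session at the original login, and `su` and `sudo` do not change it, so a watch on the production tree records which administrator made the change even when `uid` says 0. Added example (mine, not from the thread): a watch rule with a key, and a small awk that prints auid, uid, exe and path for each record of that key straight from audit.log (the interpreted form of the same data is `ausearch -k prod_change -i`). The path /srv/prod, the key name and the sample records are constructed. The second sample record shows the other case worth knowing: a daemon that never went through a login has auid 4294967295 (unset), and the same happens to a human if the login service's PAM stack lacks pam_loginuid.so, so check /etc/pam.d/sshd and /etc/pam.d/login before trusting the attribution.

```shell
#!/bin/sh
# Added example: attribute production file changes to the original login (auid).
# /srv/prod, the key name and the sample records are constructed, not from the thread.

prod_watch_rules() {
  cat <<'EOF'
# Record writes and attribute changes under the production tree.
# auid is the login uid set by pam_loginuid; su/sudo do not change it.
-w /srv/prod -p wa -k prod_change
EOF
}

# Print "auid uid exe path" for every PATH record of events carrying the key.
# In audit.log the PATH records of an event follow its SYSCALL record, and both
# carry the same msg=audit(<time>:<serial>) id.
who_changed_what() {   # $1: audit.log, $2: key
  awk -v want="$2" '
    function kv(name,   v) {            # value of " name=..." in the current record
      if (!match($0, " " name "=[^ ]*")) return ""
      v = substr($0, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
      gsub(/"/, "", v)
      return v
    }
    /^type=SYSCALL / {
      id = ""
      if (kv("key") == want) { id = kv("msg"); auid = kv("auid"); uid = kv("uid"); exe = kv("exe") }
      next
    }
    /^type=PATH / && id != "" && kv("msg") == id { print auid, uid, exe, kv("name") }
  ' "$1"
}

# Constructed sample (x86_64: syscall 2 = open, 87 = unlink), trimmed fields.
# Event 90: admin with login uid 1001 edits a file as root after su.
# Event 91: a daemon (no login session, auid unset) rewrites a log.
# Event 92: an unrelated delete under another key.
sample_audit_log() {   # $1: file to write
  cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1302537600.200:90): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=3000 pid=3010 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="vi" exe="/bin/vi" key="prod_change"
type=CWD msg=audit(1302537600.200:90): cwd="/srv/prod"
type=PATH msg=audit(1302537600.200:90): item=0 name="/srv/prod/app.conf" inode=4101 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1302537700.300:91): arch=c000003e syscall=2 success=yes exit=4 items=1 ppid=1 pid=3200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="prod_change"
type=PATH msg=audit(1302537700.300:91): item=0 name="/srv/prod/app.log" inode=4102 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1302537800.400:92): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=3000 pid=3300 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="rm" exe="/bin/rm" key="delete"
type=PATH msg=audit(1302537800.400:92): item=1 name="/tmp/scratch" inode=77 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
EOF
}

# Stand-alone demo
prod_watch_rules
demo_log=$(mktemp)
sample_audit_log "$demo_log"
who_changed_what "$demo_log" prod_change
rm -f "$demo_log"
```

The first output line reads `1001 0 /bin/vi /srv/prod/app.conf`: uid 0 because of su, auid 1001 because that is who logged in. Map auid to a name with `getent passwd 1001`, or let `ausearch -i` do it.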

Software :: Unlink Action From Keycode ?

Jun 9, 2010

I am trying to unlink the action triggered by my fn-F5 key, which is a toggle wlan action.

I really don't know were this kind of action is defined, but I want to replace it by another one.

It should happen either by unlinking that action or by overriding.

The key is caught by HAL:


Debian :: What Should Be In /rules File For Dh_make?

Aug 23, 2010

I'm trying to build the package "minitunes" [url] but when I attempt the code:

The build exits with the code dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 2

This actually happens when I try to build any package with "dh_make" so I'm wondering if it is because of my debian/rules file, which I'm not so certain how to edit.

What should actually be in such a file? I have mine posted below for the minitunes package debian/rules:


Ubuntu :: Add A File To /lib/udev/rules?

Sep 28, 2010

I tried searching for an explanation on howto add a file but couldn't find anything.


General :: Unlink Com Port And REDHAT Installation Files?

Jun 1, 2011

I tried to link USB to com port. Mistakenly I managed to link several ports to one USB. How can I unlink them in order to have only one linked? This is what it looks like!

lrwxrwxrwx. 12 May 26 16:26 com03 -> /dev/ttyUSB0
lrwxrwxrwx. 12 May 26 16:17 com10 -> /dev/ttyUSB0
lrwxrwxrwx. 12 May 26 16:22 com2 -> /dev/ttyUSB0
lrwxrwxrwx. 12 May 26 16:26 com3 -> /dev/ttyUSB0
lrwxrwxrwx. 12 May 26 16:27 com4 -> /dev/ttyUSB0

And second question, I have installation files for Redhat (73, 8, 9). Can I install them on Fedora 14? If yes, could you please help me with the commands?


Debian :: Sed With Bash Variable In Rules File

Jun 6, 2015

How can we replace a string in a file from the debian/rules file using sed and a bash variable? I don't seem to be able to do so. I have tried the below under the install section, arch dependent amd64; as far as I know all the bash commands are allowed to be executed in the debian/rules file.

I have tried this :

Code:
debian/rules file
ipaddr=`<long command to find ipaddr>`
myVar=`hostname`
sed -i -e 's/somestring/'$myVar'/g' $(configs)*
sed -i -e "s/somestring/$myVar/g" $(configs)*

[Code]...

Nothing works. Sed works but the hostname replacement doesn't work.

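Added example (mine, not from the thread) reproducing what goes wrong in that recipe. debian/rules is a Makefile, so make expands `$myVar` as the make variable `$m` (empty) followed by the literal text `yVar` before the shell ever sees the line, and every recipe line runs in a fresh shell, so a variable assigned on one line is gone on the next. The fixed form is `$$myVar` on the same line as the assignment; `$(configs)` stays as-is because that one is meant for make. The target names and the sample config file are constructed, and `uname -n` stands in for `hostname`.

```shell
#!/bin/sh
# Added example (not from the thread). debian/rules is a Makefile: make expands
# "$myVar" as make variable "$m" followed by "yVar" before the shell sees the
# line, and every recipe line runs in a fresh shell, so a variable set on one
# line is gone on the next. Use "$$myVar" and keep set-and-use on one line.
# The target names and the sample config file are constructed.

write_demo_rules() {   # $1: Makefile to write, $2: config file it should edit
  {
    printf 'configs=%s\n' "$2"
    printf 'broken:\n'
    printf '\tmyVar=`uname -n`\n'                         # its own shell: lost
    printf '\techo "broken sees: [$myVar]"\n'              # make eats $m -> "yVar"
    printf 'fixed:\n'
    printf '\tmyVar=`uname -n`; echo "fixed sees: [$$myVar]"\n'
    printf 'replace:\n'
    printf '\tmyVar=`uname -n`; sed -e "s/somestring/$$myVar/g" $(configs)\n'
  } > "$1"
}

run_target() {   # $1: Makefile, $2: target; prints the recipe output
  make -s -f "$1" "$2"
}

# Stand-alone demo
mk=$(mktemp)
cfg=$(mktemp)
printf 'host=somestring\n' > "$cfg"
write_demo_rules "$mk" "$cfg"
run_target "$mk" broken
run_target "$mk" fixed
run_target "$mk" replace
rm -f "$mk" "$cfg"
```

`broken` prints `[yVar]`, `fixed` prints the hostname, and `replace` prints the config with the substitution done. In the real rules file add `-i` back to sed once the output looks right, and prefer a separator that cannot appear in the value (`s|somestring|$$myVar|g`) if the variable might ever contain a slash.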

Debian Programming :: Consolidate Several Lines Of CSV File With Firewall Rules

Oct 10, 2013

Consolidate several lines of a CSV file with firewall rules, in order to parse them easier?

I have a .csv file, which I created using an HTML export from a Check Point firewall. The objective is to have all the firewall configuration lines where a given host is present. I have to do this for a few hundred, manually is not a reasonable option. I'm going to write a simple Python script for this.

The problem is that the output from the Check Point firewall is complicated to work with. If a firewall rule works with several source or destination hosts, services or other configurations, instead of having them separated with a symbol other than a comma, I get a new line.

This prevents me from exporting the line where the host is present, since I would be missing info.

Let me show you an example, hostnames are modified, of course:

NO.;NAME;SOURCE;DESTINATION;VPN**;SERVICE;ACTION;TRACK;INSTALL ON;TIME;COMMENT
1;;fwxcluster;mcast_vrrp;;vrrp;accept;Log;fwxcluster;Any;"VRRP;;*Comment suppressed*
;;;;;igmp;;;;;
2;;fwxcluster;fwxcluster;;FireWall;accept;Log;fwxcluster;Any;"Management FWg;*Comment suppressed*
;;fwmgmpe;fwmgmpe;;ssh;;;;;
;;fwmgm;fwmgm;;;;;;;
3;NTP;G_NTP_Clients;cmm_ntpserver_pe01;;ntp;accept;None;fwxcluster;Any;*Comment suppressed*
;;;cmm_ntpserver_pe02;;;;;;;


Ubuntu Servers :: Udev Rules To Check If File Exists?

Jun 9, 2011

Is it possible to set up a udev rule that will check if a file exists on a USB drive?

I've got a few ubuntu servers in environments with some very not-techy people. I'm hoping to get to the point where I can give them a few USB sticks with scripts on them, and if they plug one of these sticks in it will be mounted in, say, /media/special (rather than /media/usb0..7) and then the script would be run. But if a usb drive without special.sh is inserted, it should be mounted to /media/usb0..7 as normal.

I've been googling for udev rules, and it seems simple enough to specify a mount point based on brand/model/serialnumber/etc... but I haven't been able to find anything about checking for the existence of a file.

Though the more I think about it, the more I'm starting to think it's not going to be that straightforward. Can udev check for a file on a drive before that drive is mounted? Is it going to be a case of mounting every drive to /media/usb0..7 then having a script run that will check for the file, and if it's there change the mount point before running special.sh?


Debian Programming :: HTML Export - Consolidate Several Lines Of CSV File With Firewall Rules

Oct 11, 2013

I have a CSV file, which I created using an HTML export from a Check Point firewall policy. Each rule is represented as several lines, in some cases. That occurs when a rule has several address sources, destinations or services.

I need the output to have each rule described in only one line. It's easy to distinguish when each rule begins. In the first column, there's the rule ID, which is a number.

Here's an example. In green are marked the strings that should be moved:

See example. The strings that should be moved are in bold:

NO.;NAME;SOURCE;DESTINATION;SERVICE;ACTION;
1;;fwgcluster;mcast_vrrp;vrrp;accept;
;;;;igmp;;
2;Testing;fwgcluster;fwgcluster;FireWall;accept;
;;fwmgmpe;fwmgmpe;ssh;;
;;fwmgm;fwmgm;;;

What I need ,explained in pseudo code, is this:

Read the first column of the next line. If there's a number:

Evaluate the first column of the next line. If there's no number there, concatenate (separating with a comma) the strings in the columns of this line with the last one and eliminate the text in the current one

The output should be something like this. The strings in bold are the ones that were moved:

NO.;NAME;SOURCE;DESTINATION;SERVICE;ACTION;
1;;fwgcluster;mcast_vrrp;vrrp-igmp;accept;
;;;;;;
2;Testing;fwgcluster-fwmgmpe-fwmgm;fwgcluster-fwmgmpe-fwmgm;FireWall-ssh;accept;
;;;;;;

The empty lines are there only to be more clear, I don't actually need them.

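Added example (mine, not from either of the two Check Point threads) that does the consolidation described in the pseudo code with awk, so the result can be grepped per host with nothing else installed. It assumes the export's `;` separator with no quoted `;` inside fields, that a rule starts on a line whose first column is a number, and that continuation lines have an empty first column; merged cells are joined with `-` as in the poster's desired output (a comma would be ambiguous inside a CSV). The sample policy is constructed from the shape shown above.

```shell
#!/bin/sh
# Added example (not from the thread): fold the multi-line rules of a Check Point
# HTML->CSV export into one line per rule. Assumes ';' as separator with no
# quoted ';' inside fields, and that a rule starts on a line whose first column
# is a number (its continuation lines have an empty first column).

consolidate_rules() {   # reads the CSV on stdin, writes one line per rule
  awk -F';' -v OFS=';' -v SEP='-' '
    function flush(   i, line) {              # emit the rule collected so far
      if (!have) return
      line = rec[1]
      for (i = 2; i <= n; i++) line = line OFS rec[i]
      print line
      for (i in rec) delete rec[i]
      have = 0
    }
    NR == 1 { print; next }                   # header passes through
    $1 ~ /^[0-9]+$/ {                         # first line of a rule
      flush()
      n = NF
      for (i = 1; i <= NF; i++) rec[i] = $i
      have = 1
      next
    }
    have {                                    # continuation: merge non-empty cells
      if (NF > n) n = NF
      for (i = 1; i <= NF; i++)
        if ($i != "") rec[i] = (rec[i] == "" ? $i : rec[i] SEP $i)
    }
    END { flush() }
  '
}

# Constructed input with the shape shown in the post
sample_policy_csv() {
  cat <<'EOF'
NO.;NAME;SOURCE;DESTINATION;SERVICE;ACTION;
1;;fwgcluster;mcast_vrrp;vrrp;accept;
;;;;igmp;;
2;Testing;fwgcluster;fwgcluster;FireWall;accept;
;;fwmgmpe;fwmgmpe;ssh;;
;;fwmgm;fwmgm;;;
EOF
}

# Stand-alone demo: consolidate, then pull every rule mentioning one host
sample_policy_csv | consolidate_rules
echo "--- rules mentioning fwmgmpe:"
sample_policy_csv | consolidate_rules | grep 'fwmgmpe'
```

With the rules on one line each, `grep -w hostname` on the consolidated file returns complete rules, which is what the original question needed; anchor the search on the SOURCE and DESTINATION columns (`awk -F';' '$3 ~ /host/ || $4 ~ /host/'`) if the same name can also appear in comments.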

Red Hat / Fedora :: Edit /etc/sysconfig/iptables And Create/delete Rules Inside That File?

Sep 9, 2010

Can I actually edit /etc/sysconfig/iptables and create/delete rules inside that file? Will it work? I just find using the IPTABLES -A or -D command a hassle.


Ubuntu Security :: Snort Not Starting - ERROR: "/etc/snort/rules/exploit.rules(264) => 'fast_pattern' Does Not Take An Argument"

May 12, 2011

I need assistance with my Snort Installation. I used Bodhi Zazen's Network Intrusion Detection System post and found it easier than the previous time I had done it. I am currently running Ubuntu 10.04 server and Snort 2.8.6.1 with BASE 1.4.5. I followed Bodhi Zazen's instructions and when I tested snort it ended with a Fatal Error due to ERROR: /etc/snort/rules/exploit.rules(264) => 'fast_pattern' does not take an argument
Fatal Error, Quitting.. Here is the entire output once I ran the test command: snort -c /etc/snort/snort.con -T Running in Test mode

[Code]...


Programming :: Excluding Files From Find?

Oct 22, 2010

I have spent the last hour searching for a solution to this, but I can't get it to work. Here is what I am trying to do:

I have directories for different months in one folder. So for example:

Code:
../folder/Jan/
../folder/Aug/

etc. Some of the folders have a dot in front of the month, as so:

Code:
../folder/.Sep/
../folder/.Oct/

[Code].....

I am trying to find all the csv files EXCEPT those in a folder that has a dot. For example I want all the csv files in ../folder/Jan/ but I want none in ../folder/.Oct/.

I also want to exclude all the files in the /Aug/ folder that represent days 10-31.

Here is what I have so far:

Code:
find /some_path/folder/ ( ! -name "Aug[10-31]*.csv" ! -path "/.*/" -name "*.csv" ) | more

This command lists all the .csv files except those in the /Aug/ folder. So it just ignores the /Aug/ folder completely but lists every other .csv file.


General :: Excluding Directories With Find?

Jun 10, 2011

I am trying to exclude 2 directories with find and pass it into cpio. I have tried

Code:
find . -depth -path '.evolution' -prune -o -path '.gconf' -prune -o -print|cpio -aov > /media/caca/full$date
./.gconf/apps/evolution/memos/%gconf.xml
./.gconf/apps/evolution/memos

[Code]....

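Added example (mine, not from either of the two find threads above) covering both exclusions. For the first: `Aug[10-31]*` is a bracket expression matching one of the characters 1, 0, `-`, 3, 1, not a day range, so the days have to be spelled out, and dot-directories are skipped with `-prune` so find never descends into them. For the second: `-path '.evolution'` never matches because find prints `./.evolution`, and `-depth` processes a directory's contents before the directory itself, which makes `-prune` a no-op; drop `-depth` and spell the paths the way find prints them. The directory layouts in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from either thread): excluding directories and name
# patterns with find. Directory layouts below are constructed.

# All *.csv files, skipping any directory whose name starts with a dot, and
# skipping the August files for days 10-31. "Aug[10-31]*" in the post is a
# character class (1, 0, '-', 3, 1), not a number range: spell the days out.
find_csv_skipping_dotdirs() {   # $1: root directory
  find "$1" -type d -name '.?*' -prune -o \
       -type f -name '*.csv' \
       ! -name 'Aug[12][0-9]*.csv' ! -name 'Aug3[01]*.csv' -print
}

# Everything under a root except the named subdirectories, suitable for piping
# into cpio -o. Two things break the post's version: -path must match the
# whole path as find prints it (./.gconf, not .gconf), and -depth processes a
# directory's contents before the directory itself, so -prune never fires.
list_for_archive() {   # $1: root, remaining args: directory names under root to skip
  root=$1; shift
  n=$#; i=0
  while [ "$i" -lt "$n" ]; do        # rebuild "$@" as: -path root/d -prune -o ...
    d=$1; shift
    set -- "$@" -path "$root/$d" -prune -o
    i=$((i + 1))
  done
  find "$root" "$@" -print
}

# Stand-alone demo on constructed trees
demo=$(mktemp -d)
mkdir -p "$demo/months/Jan" "$demo/months/Aug" "$demo/months/.Oct"
touch "$demo/months/Jan/Jan05.csv" "$demo/months/Aug/Aug05.csv" \
      "$demo/months/Aug/Aug15.csv" "$demo/months/.Oct/Oct01.csv"
echo "--- csv files:"
find_csv_skipping_dotdirs "$demo/months"
mkdir -p "$demo/home/.gconf/apps" "$demo/home/.evolution" "$demo/home/docs"
touch "$demo/home/.gconf/apps/gconf.xml" "$demo/home/.evolution/mail" "$demo/home/docs/a.txt"
echo "--- archive list:"
( cd "$demo/home" && list_for_archive . .gconf .evolution )
rm -rf "$demo"
```

The archive list is used as `( cd ~ && list_for_archive . .gconf .evolution | cpio -o > backup.cpio )`; without `-depth`, cpio writes each directory before its contents, which is fine for `cpio -o`.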

Software :: Zip - Excluding Whole Directory Path ?

Sep 12, 2010

I'm trying to compress with zip for linux utility a file

Is need to be done (example):

But I would like that in the zip file there is only one file: source.file instead the whole directory path /usr, /src,... and the file.

I can't move up to the directory /usr/src/ to execute the command.

I must do this from / directory.

Is this possible? In Windows systems even if I do the zip C:\directory1\directory2\source.zip C:\directory1\directory2\source.file, it does what I need: a Zip in directory2 with just the file source.file.

I've been looking up the man page for zip, but did not find anything useful; tried -j, -D with no success.


Red Hat :: Generate Audit Log Every 6 Months

Mar 8, 2011

I'd like to know how do I rotate the audit logs under "/var/log/audit/audit.log" every 6 month. Currently I have set the parameter inside /etc/audit/auditd.conf to "KEEP_LOGS" (Previously "ROTATE" )and logs files are generated up to the size 5M and never deleted. Do I need to change inside "/etc/audit/audit.rules" file?

[root@RHEL5 ~]# more /etc/audit/auditd.conf
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log

[Code].....


OpenSUSE Network :: Nfs And /etc/exports - Excluding Certain Subdirectories

Jun 30, 2011

I have a nfs share on my 11.4 workstation at /abcd. I'd like to export everything under /abcd except for one directory /abcd/dontexport

I searched online for such an option but only came across noaccess option which doesn't seem to work.

exportfs says it is an unrecognized option if I run "exportfs -ra"

This is how my /etc/exports looks like:

Code:
/abcd*(rw,wdelay,root_squash,no_subtree_check,anonuid=12345,anongid=6789)


Ubuntu :: Cat/grep, Excluding Phrase From Result?

Feb 2, 2010

I would like to take a file looking like...

uid=user1,ou=People,dc=company,dc=com
uid=user2,ou=People,dc=company,dc=com
uid=user3,ou=People,dc=company,dc=com

[Code]...


Ubuntu :: Compression Excluding Certain Ascii Characters?

Jun 8, 2011

I am working on a project where I am dialing out of a modem!! Old stuff, ya, but the modem allows my device to send info from remote sites from my database through a phone line so that these IT departments don't have to worry about my device being a security issue on their networks.

Any way, the modem I'm using isn't incredibly well designed, and when a certain ascii char is read by the modem, it reads it as an EOF indicator. It is also important that the files I send are compressed.

My question is: Does anyone know of a compression format that allows ME to disallow ITS use of certain ascii chars?

just as an illustration:

Device --------> Modem ---------> Off-site

and the Modem stops talking to the device when a certain char is passed to it.

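Added example (mine, not from the thread). No compressor lets you forbid an output byte, since good compressed output is close to uniform over all 256 values; the standard answer is to compress first and then armour the result into a safe alphabet, and base64 (A-Z, a-z, 0-9, `+`, `/`, `=` and newlines, at a 33 percent size cost) is the usual choice. The check function treats anything outside printable ASCII as unsafe, which is an assumption standing in for the modem's actual forbidden byte; adjust the `tr` set to whatever that byte is. The payload is constructed.

```shell
#!/bin/sh
# Added example: compress, then armour into a safe alphabet. Not from the thread.
# The "safe" set (printable ASCII plus newline) is an assumption; narrow it to
# the modem's real constraint.

encode_for_modem() { gzip -c -9 | base64; }          # stdin: raw, stdout: armoured text
decode_from_modem() { base64 -d | gzip -dc; }        # inverse, on the receiving side

# True only if every byte on stdin is printable ASCII (0x20-0x7E) or newline:
# delete the allowed bytes and see whether anything is left.
only_safe_bytes() {
  [ "$(LC_ALL=C tr -d ' -~\n' | wc -c | tr -d ' ')" -eq 0 ]
}

# Stand-alone demo on constructed data: raw gzip fails the check, armoured passes.
payload='site=42 temp=17.5 pressure=1013'
if printf '%s\n' "$payload" | gzip -c | only_safe_bytes; then
  echo "raw gzip: safe"
else
  echo "raw gzip: contains unsafe bytes (as expected)"
fi
armoured=$(printf '%s\n' "$payload" | encode_for_modem)
printf '%s\n' "$armoured" | only_safe_bytes && echo "armoured: safe"
printf '%s\n' "$armoured"
printf '%s\n' "$armoured" | decode_from_modem
```

If the forbidden byte is the newline itself, `base64 -w 0` (GNU) emits one long line; if it is one of the base64 symbols, swap in `uuencode -m` or a custom alphabet via `tr` on both ends, but do the compression first either way.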

General :: Excluding Executables In A Sub-directory From Tar Backups?

Jul 29, 2010

Just trying to set up a new backup using tar, but there are a few things I dont want to include. Using --exclude I can exclude sub-directories, but how do I exclude specific files in a subdirectory that are (for instance) executables or have a specific extension?

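Added example (mine, not from the thread): tar's `--exclude` takes a pattern, not a predicate, so the way to exclude "files that are executable" is to let find decide and hand tar the resulting list with `-X`. The list is written relative to the source directory so the patterns match the member names tar sees. The tree and the `.o` extension in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build an exclude list with find and hand
# it to tar. The tree and the extension (.o) are constructed.

# Write, relative to the source dir, every regular file that is executable by
# its owner or has the given extension; tar -X reads one pattern per line.
build_exclude_list() {   # $1: source dir, $2: extension (e.g. .o), $3: output list
  ( cd "$1" && find . -type f \( -perm -u+x -o -name "*$2" \) -print ) > "$3"
}

archive_without() {   # $1: source dir, $2: extension, $3: archive (absolute path)
  list=$(mktemp)
  build_exclude_list "$1" "$2" "$list"
  ( cd "$1" && tar -cf "$3" -X "$list" . )
  rm -f "$list"
}

# Stand-alone demo on a constructed tree
src=$(mktemp -d)
out=$(mktemp -d)
mkdir -p "$src/bin" "$src/etc"
printf '#!/bin/sh\necho hi\n' > "$src/bin/run.sh"
chmod 755 "$src/bin/run.sh"
: > "$src/etc/app.conf"
: > "$src/bin/main.o"
archive_without "$src" .o "$out/backup.tar"
echo "--- excluded:"
build_exclude_list "$src" .o /dev/stdout
echo "--- archived:"
tar -tf "$out/backup.tar"
rm -rf "$src" "$out"
```

Review the exclude list before trusting the backup: `-perm -u+x` also matches scripts and setuid binaries you may want kept, so tighten the find expression (for example `! -name '*.sh'`) rather than the tar side.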

General :: Excluding Multiple Patterns From Grep?

Dec 13, 2010

I have to write a script which would search the IP addresses in a given directory.

Below is my command.

Code:

grep -HwrnI --exclude=*.log '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' *|grep -v '/.svn/'

I have to exclude the following from search results.

1. Comments

a. Can be starting with /, * or #...

b. Can be within a line

EX: some text... #comment1

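Added example (mine, not from the thread). Two things to fix in the command above besides the exclusions: the dots in the regex are unescaped, so `.` matches any byte and the pattern also hits version strings and timestamps, and `-r` with `-E` is needed for the `{1,3}` intervals. The function below escapes the dots, prunes `.svn` and `*.log` with find, strips trailing `#` and `//` comments before re-testing each line, and drops lines that are block-comment lines (`/*` or `*` leaders). It needs GNU grep and sed (`-E`, `-H`, `-n`), and it does not understand multi-line `/* ... */` bodies beyond their leader lines or `//` inside URLs; the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find dotted-quad addresses under a tree,
# skipping .svn and *.log, and dropping anything that sits in a comment.
# Note the escaped dots: in the post's regex an unescaped "." matches any byte.
# Requires GNU grep/sed (-E, -H, -n). The sample tree below is constructed.

IP_RE='([0-9]{1,3}\.){3}[0-9]{1,3}'

find_ips() {   # $1: directory; prints file:line:text with comments stripped
  find "$1" -name .svn -prune -o -type f ! -name '*.log' -print0 \
    | xargs -0 grep -nHwE "$IP_RE" \
    | sed -E 's,[[:space:]]*(//|#).*$,,' \
    | grep -wE "$IP_RE" \
    | grep -vE '^[^:]*:[0-9]+:[[:space:]]*(/\*|\*)' || true
}

# Stand-alone demo on a constructed tree
d=$(mktemp -d)
mkdir -p "$d/conf" "$d/src" "$d/.svn"
printf '%s\n' 'server = 10.0.0.5' '# old host 10.0.0.9' 'listen 192.168.1.10 # was 192.168.1.11' > "$d/conf/app.conf"
printf '%s\n' '/* 172.16.0.1 */' ' * 172.16.0.2' 'char *h = "172.16.5.7"; // 172.16.5.8' > "$d/src/net.c"
printf '%s\n' 'seen 1.1.1.1' > "$d/conf/trace.log"
printf '%s\n' '2.2.2.2' > "$d/.svn/entries"
find_ips "$d"
rm -rf "$d"
```

The demo prints three hits (10.0.0.5, 192.168.1.10 with its trailing comment removed, and 172.16.5.7) and none of the commented, logged or .svn addresses. `-w` keeps `1.2.3.4` from matching inside `1.2.3.45`, but the class still accepts 999.999.999.999; tighten to `(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])` per octet if that matters.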

Networking :: IPTables NAT - Excluding Subnets For IPSec VPN

Feb 27, 2011

I have a Ubuntu 10.10 box which i've developed an IPTables Firewall script and is forwarding my ports correctly. This service also runs Openswan VPN Server with 2 VPN's, which is also working well.

I have come across a small snag with excluding the multiple VPN subnets I have from the NAT on this box.

I have the line in my configuration file:

-A POSTROUTING -o eth1 -s 10.172.1.0/24 -d ! 192.168.5.0/24 -j MASQUERADE

Which when added to IPTables does make the VPN come to life. But I can't seem to get it to add the second subnet. Unfortunately, I can't do a blanket exclusion such as 192.168.0.0/16 because the second VPN is on a Class B subnet address which I cannot change.

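Added example (mine, not from the thread) for the multi-subnet case, which also answers the earlier /etc/sysconfig/iptables question, since that file holds exactly this iptables-save format. A negated destination (`-d ! 192.168.5.0/24`, which current iptables spells `! -d`) can exclude only one network; the scalable form is one `RETURN` rule per remote VPN subnet ahead of the MASQUERADE rule in the nat POSTROUTING chain: a packet that hits RETURN leaves the chain un-NATed because the built-in chain's policy is ACCEPT, and everything else falls through to MASQUERADE. The interface and the first two subnets are the post's; 172.20.0.0/16 is an assumption for the second VPN.

```shell
#!/bin/sh
# Added example (not from the thread): keep several remote VPN subnets out of
# MASQUERADE by returning from the nat POSTROUTING chain before the NAT rule.
# Interface and first subnets are the post's; 172.20.0.0/16 is an assumption.

# Emit the POSTROUTING rules in iptables-save format: one RETURN per remote
# subnet, then the catch-all MASQUERADE. Order matters: a packet that hits
# RETURN leaves the chain un-NATed (the built-in chain policy is ACCEPT).
nat_postrouting_rules() {   # $1: WAN interface, $2: local subnet, rest: remote VPN subnets
  wan=$1; lan=$2; shift 2
  for remote; do
    printf '%s\n' "-A POSTROUTING -o $wan -s $lan -d $remote -j RETURN"
  done
  printf '%s\n' "-A POSTROUTING -o $wan -s $lan -j MASQUERADE"
}

# Wrap as a complete nat table block, the format /etc/sysconfig/iptables and
# iptables-restore use. Without -n iptables-restore replaces the table, so
# generate the whole nat table here rather than appending on every run.
nat_table() {
  printf '*nat\n'
  nat_postrouting_rules "$@"
  printf 'COMMIT\n'
}

# Stand-alone demo: print the table for two VPN subnets
nat_table eth1 10.172.1.0/24 192.168.5.0/24 172.20.0.0/16
```

Load it with `nat_table eth1 10.172.1.0/24 192.168.5.0/24 172.20.0.0/16 | iptables-restore` (or paste the lines between `*nat` and `COMMIT` into the nat section of /etc/sysconfig/iptables on Red Hat), then confirm the order with `iptables -t nat -S POSTROUTING`. If the VPN subnets change often, the policy match (`-m policy --dir out --pol ipsec -j RETURN` before MASQUERADE) excludes whatever IPsec is about to encrypt without listing networks at all.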

Copyrights 2005-15 www.BigResource.com, All rights reserved