Security :: Audit Compilation: audit_tty_status Missing?
Jun 7, 2010
Strange: during the configure I have checked:
Code:
checking for struct audit_tty_status... no
# uname -a
Linux lfslc5 2.6.18.8-xenU-64b #1 SMP Tue May 6 18:09:10 CEST 2008 x86_64 x86_64 x86_64 GNU/Linux
Aug 24, 2010
When the audit daemon starts and stops, I see DAEMON_START and DAEMON_STOP in the audit log. I don't see a rule in audit.rules about logging this event. So, I'm guessing that it's a rule that's built into the audit daemon. Can you confirm this? Also, I've been looking for an explanation of the event types that the audit daemon logs, such as: USER_AUTH, USER_ACCT, CRED_ACQ. If you know of any docs that explain this,
Aug 20, 2010
I ran a test where I filled up the /var partition. The disk_full_action in auditd.conf is SUSPEND. I was expecting to see a message in /var/log/messages to indicate that the audit daemon was suspended because it did not have any space left on the partition. Why didn't I get these messages? Also, how can I tell if the audit daemon is suspended?
May 5, 2011
We have setup a separate partition to keep our audit files, but I am at a loss to figure out how to redirect the log files to be stored there instead of the default.
I am sure it is a simple matter but I have been unable to locate the information.
Mar 16, 2011
I am trying to lock down a server using audit.rules. I intend to use ausearch to review certain entries from time to time. I noticed that it's possible to assign a "key" to each rule and then use `ausearch -k` to show only the records that have that key. Unfortunately, the key feature seems broken. I started with the following rule in audit.rules:
Code:
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k deny
I do a `cat /etc/shadow` and an `ausearch -ts today -k deny` and it seems all went well.
[code]....
Jan 11, 2011
I'm using RHEL 5 with the Enhanced Security. Using the suggested NISPOM Red Hat documented settings (located on the system; copy and paste) I have managed to audit failed file open accesses; however, this setting is only retained if I enter it at the command line (/sbin/auditctl -a ...). If I reboot the system or restart the service, all my -a (not -w) rules located in /etc/audit/audit.rules are not retained.
Mar 13, 2010
Linux mirage 2.6.18-128.1.6.el5 #1 SMP Tue Mar 24 12:10:27 EDT 2009 i686 i686 i386 GNU/Linux
I'm trying to compile tinyproxy for two days now on Redhat and can't seem to figure out what's missing here. The make bombs at:
Code:
make[3]: Entering directory
GEN tinyproxy.conf.5
a2x: ERROR: xmllint --nonet --noout --valid /backup/builds/tinyproxy-1.8.1/docs/man5/tinyproxy.conf.xml returned non-zero exit status 4
[Code].....
Feb 10, 2010
I want to compile the source code given in a well-known Unix programming book (Stevens). I downloaded the code but am unable to build it; it gives me an error: stropts.h: No such file or directory. I don't know what to do. I am using Fedora 11 with the latest gcc on the system.
I also tried to include the search path that includes such a file, -I./usr/include/xulrunner-sdk-1.9.1/system_wrappers, but it ... I opened the header file and the definition is there: #include_next <stropts.h>, so ultimately the original file is not there.
Dec 16, 2009
What is the need for kernel compilation. Please explain about grsecurity kernel too.
Jul 11, 2010
I seem to be missing a secure.log or security.log file. I have Ubuntu 10.04 and can't find this file. I looked in /var/log and ran a search command to no avail. Does anyone know where this file is, or is it called something else? I'm looking for a file that logs any change to the security settings of the system.
Mar 8, 2011
I'd like to know how I rotate the audit logs under "/var/log/audit/audit.log" every 6 months. Currently I have set the parameter inside /etc/audit/auditd.conf to "KEEP_LOGS" (previously "ROTATE") and log files are generated up to the size of 5M and never deleted. Do I need to change something inside the "/etc/audit/audit.rules" file?
[root@RHEL5 ~]# more /etc/audit/auditd.conf
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
[Code].....
Feb 16, 2010
I am trying to setup auditing for NISPOM requirements using the built-in linux audit kernel which uses auditd and audit.rules for setup. I have been able to meet all other requirements, but I cannot find a way to audit user logout actions. My audit.rules file is listed below
Code:
# This file contains a sample audit configuration intended to
# meet the NISPOM Chapter 8 rules.
[code]....
Jan 7, 2011
I would like to log all the commands executed (in full) by all the users, or at least by myself.
The lastcomm package doesn't store the full command.
May 21, 2010
I'm trying to add the -audit option to the X server. I run `ps -ef | grep -v grep | grep "bin/X"` and get:
Code:
root 2511 2506 0 10:35 tty7 00:00:09 /usr/bin/X:0 -br -verbose -auth /var/run/dgm/auth-for-gdm-sScn1P/database -nolisten tcp vt7
So I'm thinking that I need to add -audit to the /usr/bin/X file, but I believe that it's a binary created by something else, and I can't find that "something else". How on earth can I add this option? I have opened up 1,000,000,000,000,000,000,000 files (slight exaggeration) and I've come up empty.
Sep 27, 2010
One of our customers is looking at enterprise audit of their data center (which primarily consists of Linux servers). We suggested an SNMP-based tool that has some limitations. Any other recommendation is welcome.
Mar 14, 2011
SELinux and psacct are disabled on this system (RHEL 5.6, 2.6.18-194.11.3.el5 SMP x86_64). After performing a yum update, the syslog is flooded with kernel audit messages (related to PAM), even though the audit service is turned off. Is there a way to disable this verbosity?
[Code]....
Apr 11, 2011
I am running RHEL 5.4 Server (32-bit) and have my audit.rules file set up per a template that I am required to use. There is one particular rule that is auditing the unlink of files. With this set, my log files are filling up very fast, as there is a particular app that constantly touches/deletes a couple of files, which the unlink is catching. Here is the audit rule:
Code:
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
I commented out the "-S unlink" and my logging returns to normal (as expected). For right now, I was wondering if there was a way to set this rule up to exclude these couple of files from what auditd is capturing?
Jun 11, 2010
I want to monitor a part of my filesystem for changes, including file opening and attempts to open files/dirs without the necessary permissions. Since every read/write/open is run by syscalls, I figured that running auditd would be the simplest way to do this. I installed auditd and added a rule:
Code:
auditctl -w /srv -p warx
However I do not get any writes reported via ausearch -i. As a simple example, if I run
[code]....
Jul 7, 2010
How to audit and delete unwanted rpm packages? How to back up the repository list from YaST2?
Jul 20, 2010
I am using Fedora 9, with kernel version 2.6.25-14.fc9.i686. I installed rsh-server. My configurations (with firewalls off) were:
1. In /etc/xinetd.d/rsh made "disable = yes" to "disable = no"
2. In /etc/securetty included the lines rsh and rlogin
3. By switching to user 'user1', in /home/user1/.rhosts included ip address of remote machine and issued 'chmod 400 /home/user1/.rhosts'
4. restarted xinetd service
When I issue the following from the remote machine, `rsh <ip address> -l user1 ls`, it fails saying 'Error sending audit event.' In `tail -f /var/log/messages` I could see the error dump:
socket bind: Invalid argument (errno = 22) Error sending audit event.
Nov 21, 2009
One thing missing from my GUI toolbar is the authorizations tool icon, which is explained by the missing /usr/bin/polkit-gnome-authorization. Would someone be able to fill me in? Last time the command was polkit-gnome-authorization. It may have changed or may not yet be implemented. Edit: I have checked F11 and compared: /usr/bin/polkit-gnome-authorization is missing from F12 while it is in F11.
Jul 20, 2011
I just installed Fedora 15 and I see the SELinux Policy Generation Tool and the SELinux Administration application in the app launcher, but I do not see the SELinux Troubleshooter app. It seems to be missing. How do I get it on my system?
Jan 13, 2010
I have 9.10 at work and at home. At home it was installed from scratch. At work it's upgraded from 8.10->9.06(?)->9.10
- At work, when I do something over ssh, like subversion, and I have a key for that host, I am presented with a nice dialog box for my ssh key, and that's it. For the rest of my uptime, I can ssh to places without any hassle.
- At home, I'm presented with the key input prompt on the terminal. Even if I manually start ssh-agent, it still happens.
What package am I missing? I have the ssh-askpass-gnome on both.
Jul 11, 2010
I seem to be missing a secure.log or security.log file. I have Ubuntu 10.04 and can't find this file. I looked in /var/log and ran a search command to no avail. Does anyone know where this file is, or is it called something else? I'm looking for a file that logs any change to the security settings of the system.
May 23, 2011
CentOS 5.6 Server patched to latest, multiple name-based apache virtual hosts. SELinux OFF Everything was working fine until the other day. I've been making quite a lot of changes so it may well be something I've done, but I can't find out what! Last night I got the following in my logwatch : -
Requests with error response codes
404 Not Found
/admin/phpmyadmin/scripts/setup.php: 1 Time(s)
/admin/pma/scripts/setup.php: 1 Time(s)
/admin/scripts/setup.php: 1 Time(s)
/db/scripts/setup.php: 1 Time(s)
/dbadmin/scripts/setup.php: 1 Time(s)
[Code]...
The problem is that NONE of my logs, secure, httpd, messages, NONE of them, show any trace of these hacking attempts. They used to show up in secure and apache error logs, but no longer.
Jul 22, 2010
I need to track which users are making changes to production files. I have a small number of administrators with access to su, but I need to be able to identify which administrator is making changes to which files after they have done su. I have read several posts and articles regarding the auditd tool, but it is not clear to me whether this tool can generate a log that shows the original user and the file being altered.
Nov 23, 2010
I have /var/log/audit and /var/log/audit.log owned by root with 600 permissions. I've also removed and made an empty /var/log/audit directory, but that did not work either. I can start the service after boot-up, but it is not coming up automatically even when configured by chkconfig. I also get this after I attempt a restart...
Stopping auditd: [ OK ]
Error deleting rule (Operation not permitted)
Starting auditd: [ OK ]
The audit system is in immutable mode, no rules loaded
A tail of my /var/log/messages shows this...
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.524:73): item=1 name="/var/run/auditd.pid" inode=131143 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:var_run_t:s0
Nov 23 16:45:18 hostname kernel: type=1300 audit(1290548718.618:74): arch=c000003e syscall=87 success=no exit=-2 a0=7fff730b2f85 a1=7fff730b2f85 a2=2 a3=0 items=1 ppid=6243 pid=6248 auid=1111 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="delete"
Nov 23 16:45:18 hostname kernel: type=1307 audit(1290548718.618:74): cwd="/"
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.618:74): item=0 name="/var/run/auditd.pid" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
Nov 23 16:45:18 hostname kernel: type=1300 audit(1290548718.620:75): arch=c000003e syscall=87 success=yes exit=0 a0=7fff9b776f81 a1=7fff9b776f81 a2=2 a3=0 items=2 ppid=6243 pid=6249 auid=1111 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="delete"
Nov 23 16:45:18 hostname kernel: type=1307 audit(1290548718.620:75): cwd="/"
Nov 23 16:45:18 hostname auditd[6260]: Started dispatcher: /sbin/audispd pid: 6262
Nov 23 16:45:18 hostname audispd: af_unix plugin initialized
Nov 23 16:45:18 hostname audispd: audispd initialized with q_depth=80 and 1 active plugins
Nov 23 16:45:18 hostname auditd[6260]: Init complete, auditd 1.7.17 listening for events (startup state enable)
Dec 30, 2009
I'm the POC for all my family's Linux computers. Is it possible to get statistics on which programs are accessed, how frequently, for how long, and by which user?
When it comes time to upgrade it would be useful, so I know on which programs to concentrate my testing. I usually just e-mail and ask, but every time people forget to send me the programs they actually use.
Jun 16, 2010
I have LTS 10.04 with Firefox 3.63 and the cookie settings are not there. Does anyone else have missing privacy settings? I don't like the idea of tracking cookies and want to do what I can to get rid of them.