Security :: Audit.rules Does Not Retain Certain Settings After Reboot Or Service Restart?
Jan 11, 2011
I'm using RHEL 5 with the Enhanced Security. Using the suggested NISPOM Red Hat documented settings (located on the system; copy-paste) I have managed to audit failed file open accesses; however, this setting is only retained if I enter it at the command line (/sbin/auditctl -a ). If I reboot the system or restart the service, all my -a (not -w) rules located in /etc/audit/audit.rules are not retained.
I am trying to lock down a server using audit.rules. I intend to use ausearch to review certain entries from time to time. I noticed that it's possible to assign a "key" to each rule and then use `ausearch -k` to show only the records that have that key. Unfortunately, the key feature seems broken. I started with the following rule in audit.rules:
Code:
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k deny
I do a `cat /etc/shadow` and a `ausearch -ts today -k deny` and it seems all went well.
I am running RHEL 5.4 Server (32-bit) and have my audit.rules file set up per a template that I am required to use. There is one particular rule that audits the unlink of files. With this set, my log files are filling up very fast, as there is a particular app that constantly touches/deletes a couple of files, which the unlink is catching. Here is the audit rule:
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
I commented out the "-S unlink" and my logging returns to normal (as expected). For right now, I was wondering if there was a way to set this rule up to exclude these couple of files from what auditd is capturing?
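The grouping that `ausearch -k` performs, plus the tally that shows which program and which files are flooding a rule such as the `-k delete` one above, written out as an added Python example (not code from the thread or from the audit package). The records inside it are constructed in the format the kernel writes to /var/log/messages; the serial in `audit(epoch:serial)` is what ties a SYSCALL record to the CWD and PATH records of the same call. The host name, pids and the `appd` program are assumptions, and the file name in serial 76 is hex-encoded to exercise the decoder the kernel uses for names containing whitespace or control characters.

```python
"""Group kernel audit records into events, filter them the way `ausearch -k`
does, and count which program/file pairs dominate one key.

Added example, not code from the thread or the audit package.  SAMPLE_LOG is
constructed (syslog prefix, then type=NNNN audit(epoch:serial): field=value);
host, pids and `appd` are assumptions; the name in serial 76 is hex-encoded."""
import posixpath
import re
from collections import Counter
from typing import Dict, List, Optional

# Record types from <linux/audit.h>: SYSCALL carries success/exit/key, while
# CWD and PATH records with the same serial carry directory and file names.
AUDIT_SYSCALL, AUDIT_PATH, AUDIT_CWD = 1300, 1302, 1307
HEADER_RE = re.compile(r"type=(\d+) audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STRING_FIELDS = {"name", "comm", "exe", "cwd", "key"}  # quoted or hex-encoded

SAMPLE_LOG = """\
Nov 23 16:45:18 host kernel: type=1300 audit(1290548718.618:74): arch=c000003e syscall=87 success=no exit=-2 a0=7fff730b2f85 a1=7fff730b2f85 a2=2 a3=0 items=1 ppid=6243 pid=6248 auid=1111 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="delete"
Nov 23 16:45:18 host kernel: type=1307 audit(1290548718.618:74): cwd="/"
Nov 23 16:45:18 host kernel: type=1302 audit(1290548718.618:74): item=0 name="/var/run/auditd.pid" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
Nov 23 16:45:18 host kernel: type=1300 audit(1290548718.620:75): arch=c000003e syscall=87 success=yes exit=0 a0=7fff9b776f81 a1=7fff9b776f81 a2=2 a3=0 items=1 ppid=6243 pid=6249 auid=1111 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="delete"
Nov 23 16:45:18 host kernel: type=1302 audit(1290548718.620:75): item=0 name="/var/run/auditd.pid" inode=131143 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:var_run_t:s0
Nov 23 16:45:40 host kernel: type=1300 audit(1290548740.100:76): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1c0a2e40 a1=0 a2=1b6 a3=0 items=1 ppid=6243 pid=6301 auid=1111 uid=1111 gid=1111 euid=1111 suid=1111 fsuid=1111 egid=1111 sgid=1111 fsgid=1111 tty=pts1 ses=1 comm="cat" exe="/bin/cat" subj=user_u:system_r:unconfined_t:s0 key="deny"
Nov 23 16:45:40 host kernel: type=1302 audit(1290548740.100:76): item=0 name=2F6574632F736861646F77 inode=262203 dev=fd:01 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
Nov 23 16:46:02 host kernel: type=1300 audit(1290548762.001:77): arch=40000003 syscall=10 success=yes exit=0 a0=bfa3c210 a1=0 a2=0 a3=0 items=1 ppid=1 pid=2210 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm="appd" exe="/opt/app/bin/appd" subj=system_u:system_r:initrc_t:s0 key="delete"
Nov 23 16:46:02 host kernel: type=1307 audit(1290548762.001:77): cwd="/var/lib/app"
Nov 23 16:46:02 host kernel: type=1302 audit(1290548762.001:77): item=0 name="state.lock" inode=40017 dev=fd:01 mode=0100640 ouid=500 ogid=500 rdev=00:00 obj=system_u:object_r:var_lib_t:s0
Nov 23 16:46:03 host kernel: type=1300 audit(1290548763.004:78): arch=40000003 syscall=10 success=yes exit=0 a0=bfa3c210 a1=0 a2=0 a3=0 items=1 ppid=1 pid=2210 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm="appd" exe="/opt/app/bin/appd" subj=system_u:system_r:initrc_t:s0 key="delete"
Nov 23 16:46:03 host kernel: type=1307 audit(1290548763.004:78): cwd="/var/lib/app"
Nov 23 16:46:03 host kernel: type=1302 audit(1290548763.004:78): item=0 name="state.lock" inode=40018 dev=fd:01 mode=0100640 ouid=500 ogid=500 rdev=00:00 obj=system_u:object_r:var_lib_t:s0
Nov 23 16:46:03 host auditd[6260]: Init complete, auditd 1.7.17 listening for events (startup state enable)
"""

def decode_string(value: str) -> str:
    """Strip the kernel's quotes, or decode an unquoted hex-encoded value."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value  # e.g. (null) when a record has no key

def parse_audit_log(text: str) -> Dict[int, dict]:
    """Return {serial: event}; the serial ties one syscall's records together."""
    events: Dict[int, dict] = {}
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if not m:
            continue  # auditd/audispd chatter in the same file, not a record
        rtype, epoch, serial, body = int(m.group(1)), float(m.group(2)), int(m.group(3)), m.group(4)
        fields = {k: decode_string(v) if k in STRING_FIELDS else v
                  for k, v in FIELD_RE.findall(body)}
        ev = events.setdefault(serial, {"serial": serial, "time": epoch,
                                        "syscall": {}, "paths": [], "cwd": None})
        if rtype == AUDIT_SYSCALL:
            ev["syscall"] = fields
        elif rtype == AUDIT_PATH:
            ev["paths"].append(fields.get("name"))
        elif rtype == AUDIT_CWD:
            ev["cwd"] = fields.get("cwd")
    return events

def search(events: Dict[int, dict], key: Optional[str] = None,
           success: Optional[bool] = None, syscall: Optional[int] = None) -> List[dict]:
    """Select events as `ausearch -k KEY [-sv yes|no] [-sc NR]` would.
    Syscall numbers are per architecture (87 is unlink on x86_64, 10 on i386)."""
    hits = []
    for ev in sorted(events.values(), key=lambda e: e["serial"]):
        sc = ev["syscall"]
        if not sc:
            continue  # PATH/CWD records whose SYSCALL record was rotated away
        if key is not None and sc.get("key") != key:
            continue
        if success is not None and (sc.get("success") == "yes") != success:
            continue
        if syscall is not None and sc.get("syscall") != str(syscall):
            continue
        hits.append(ev)
    return hits

def top_paths(events: Dict[int, dict], key: str) -> List[tuple]:
    """Count (comm, path) pairs under one key, most frequent first: the quick
    way to see which program and which files are flooding a noisy rule."""
    counts: Counter = Counter()
    for ev in search(events, key=key):
        comm = ev["syscall"].get("comm")
        for name in ev["paths"]:
            if name is None:
                continue
            # PATH names may be relative to the CWD record of the same event
            full = name if name.startswith("/") else posixpath.join(ev["cwd"] or "/", name)
            counts[(comm, full)] += 1
    return counts.most_common()

if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    for ev in search(evs, key="deny", success=False):  # like: ausearch -k deny -sv no
        print(ev["serial"], ev["syscall"]["comm"], ev["syscall"]["exit"], ev["paths"])
    for (comm, path), n in top_paths(evs, "delete"):
        print(f"{n:4d} {comm} {path}")
```

Run as a script it prints the refused `deny` events and the delete tally. `top_paths(events, "delete")` is the question to answer before touching a template rule: it shows whether the noise is one program deleting one or two files, which a reviewer can accept as a documented exception, or something broader that the rule is right to record. Note that syscall numbers differ by architecture, which is why each `-a` rule carries an arch field and why a search by number is only meaningful together with the arch.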
I have /var/log/audit and /var/log/audit.log owned by root with 600 permissions. I've also removed and made an empty /var/log/audit directory when that did not work either. I can start the service after boot up, but it is not coming up automatically even when configured by chkconfig. I also get this after I attempt a restart...
Stopping auditd: [ OK ]
Error deleting rule (Operation not permitted)
Starting auditd: [ OK ]
The audit system is in immutable mode, no rules loaded
A tail of my /var/log/messages shows this...
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.524:73): item=1 name="/var/run/auditd.pid" inode=131143 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:var_run_t:s0
Nov 23 16:45:18 hostname kernel: type=1300 audit(1290548718.618:74): arch=c000003e syscall=87 success=no exit=-2 a0=7fff730b2f85 a1=7fff730b2f85 a2=2 a3=0 items=1 ppid=6243 pid=6248 auid=1111 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="delete"
Nov 23 16:45:18 hostname kernel: type=1307 audit(1290548718.618:74): cwd="/"
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.618:74): item=0 name="/var/run/auditd.pid" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
Nov 23 16:45:18 hostname kernel: type=1300 audit(1290548718.620:75): arch=c000003e syscall=87 success=yes exit=0 a0=7fff9b776f81 a1=7fff9b776f81 a2=2 a3=0 items=2 ppid=6243 pid=6249 auid=1111 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="delete"
Nov 23 16:45:18 hostname kernel: type=1307 audit(1290548718.620:75): cwd="/"
Nov 23 16:45:18 hostname auditd[6260]: Started dispatcher: /sbin/audispd pid: 6262
Nov 23 16:45:18 hostname audispd: af_unix plugin initialized
Nov 23 16:45:18 hostname audispd: audispd initialized with q_depth=80 and 1 active plugins
Nov 23 16:45:18 hostname auditd[6260]: Init complete, auditd 1.7.17 listening for events (startup state enable)
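The "immutable mode" line in that restart output is what `-e 2` produces: once the kernel audit configuration is locked, every rule change is refused with Operation not permitted (so the `-D` at the top of the rules file fails first), only a reboot clears it, and a restart leaves the daemon running with whatever rules were loaded at boot. As an added illustration, not the poster's file, of where that flag belongs relative to the rules (the watch rule and the backlog size are assumed values):

```text
# /etc/audit/audit.rules (illustrative)
# clear rules left from a previous load and size the kernel backlog
-D
-b 8192
# on a failure to log, print a message to syslog rather than panic
-f 1

-w /etc/shadow -p wa -k shadow

# Lock the configuration.  This must be the last line: anything after it is
# rejected, and once it is in effect "service auditd restart" cannot reload
# the file.  Only a reboot clears the lock.
-e 2
```

Keep `-e 1` while a template is still being adjusted and switch to `-e 2` only for the final deployment. `auditctl -s` reports `enabled=2` when the lock is active, and `auditctl -l` lists what the kernel actually holds, which after a failed restart is the set of rules loaded at boot rather than the current contents of the file.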
I have a suspend problem on my laptop. Sometimes, when resuming from suspend, the network adapter is down (that is, the network does not work and the light of the network adapter is off). Restarting the network service doesn't work, because I think that the system forgot about the hardware, and probably the driver should be reloaded. Does anyone know how to do that? (ps. /etc/init.d/networking restart does not work, because the hardware driver is not being recognized anymore.)
When the audit daemon starts and stops, I see DAEMON_START DAEMON_STOP in the audit log. I don't see a rule in audit.rules about logging this event. So, I'm guessing that it's a rule that's built into the audit daemon. Can you confirm this? Also, I've been looking for an explanation of the event types that the audit daemon logs, such as: USER_AUTH, USER_ACCT, CRED_ACQ. If you know of any docs that explain this,
Strange: during the configure I have checked:
checking for struct audit_tty_status... no
# uname -a
Linux lfslc5 2.6.18.8-xenU-64b #1 SMP Tue May 6 18:09:10 CEST 2008 x86_64 x86_64 x86_64 GNU/Linux
I ran a test where I filled up the /var partition. The disk_full_action in auditd.conf is SUSPEND. I was expecting to see a message in /var/log/messages to indicate that the audit daemon was suspended because it did not have any space left on the partition. Why didn't I get these messages? Also, how can I tell if the audit daemon is suspended?
We have setup a separate partition to keep our audit files, but I am at a loss to figure out how to redirect the log files to be stored there instead of the default.
I am sure it is a simple matter but I have been unable to locate the information.
What's the difference between restarting/stopping Apache using 'service httpd restart/stop' and apachectl restart/stop? I know that using 'service httpd restart' is actually a script in /etc/init.d/httpd, but what about apachectl?
I'm using Debian 8 and I have ipset v6.23 and iptables v1.4.21. I put a rule with ipset in the rules.v4 file and then I restart iptables with the netfilter-persistent service. When I reboot, the iptables list is empty. But if I don't put a rule with ipset in the file, after reboot the iptables list is correct.
I need assistance with my Snort Installation. I used Bodhi Zazen's Network Intrusion Detection System post and found it easier than the previous time I had done it. I am currently running Ubuntu 10.04 server and Snort 2.8.6.1 with BASE 1.4.5. I followed Bodhi Zazen's instructions and when I tested snort it ended with a Fatal Error due to ERROR: /etc/snort/rules/exploit.rules(264) => 'fast_pattern' does not take an argument Fatal Error, Quitting.. Here is the entire output once I ran the test command: snort -c /etc/snort/snort.con -T Running in Test mode
I am running a Debian squeeze machine on an IBM T40 laptop with Window Maker as my window manager. I am using gpointing-device-settings as a program to get the scroll bar on my touchpad working. Unfortunately, I can't get the settings to stick after I shut down and turn on. I have to go into the program and unclick then reclick the button. I'm using version 1.3.2 (I've tried both deb and source versions). Does anyone have any ideas on how to fix this? And is there any configuration file that I could edit instead of having to use the GUI program?
Using docky, I want to add an app to launch from it. I go to my main menu in GNOME, right click on the app and click on "add launcher to desktop", drag the icon to the docky and upon seeing the little plus sign drop it on, and it aligns nicely. I do this for my frequented apps and it's all good, it's really cool. I reboot... They turn to some generic default white blah icon, and when I attempted to find the cause I ran docky -v in a terminal and I get this:
I have a Xen server where the xend daemon takes care of giving interface names like vif1.0 or vif0.2 to the connected guest operating systems. I cannot save the current iptables rules since upon reboot the xend daemon gives different names to the virtual ethernet interfaces, i.e. vif1.0 or vif3.0 or vif9.0. I have some rules that I want to be active upon subsequent reboots, and not all of them. Say for example an SSH to an external server at port 8000 should forward the request to a machine on the LAN, which I have done by port forwarding in iptables. So I need to save some rules. I was thinking of making a script which on reboot activates those rules.
I am not clear on where to do that. Searching the internet I came across /etc/network/if-up.d/. I am not clear about this directory; my question is, if I make a script which has the iptables rules I want and save it in the above folder, will it work? I am not clear on what /etc/network/if-up.d is for. Suppose my logic is wrong, then how should I go about it? Also I want to know whether a protocol uses two ports to make a connection. I have forgotten that, i.e. if I run SMTP or ssh, do they use both port 22 and 23 in the case of ssh, or 25 and 26 for SMTP, or will just specifying the rules for one port be enough? I tested these rules in a secure environment where I had disabled the firewall, and ssh forwarding on the router worked well.
I am working on a Fedora 13 ISO that will be used on some of the PCs at my work; the computers will have a varying number of Ethernet ports, at least two onboard and up to 6 external. In order to ensure that the same physical port on the back of the computer is always used for the internet connection, I have written a script to rearrange the contents of /etc/udev/rules.d/70-persistent-net.rules. The script ensures that the two Ethernet ports on the motherboard are listed as eth0 and eth1; without it they could end up as any port in the eth0-7 range.
The script works well; however, when it's run I need to reboot the PC for ifconfig to load the correct port as eth0/eth1. I have tried placing calls to my function through rc.sysinit/rc5.d/rc.local and so on, however nothing seems to work. Is there a way to make ifconfig check the MAC/eth configuration files for changes? (There appears to no longer be an ifprobe command, which sounds like what I need.) Alternatively, is there somewhere I can place the script after udev has created the persistent-net.rules but before anything else loads the information? I have tried chkconfig --level 2345 network off and loading the service later, but it still uses the wrong information; only a reboot seems to get it to work.
I have a very old Linux server running 6.2 which was installed long back. CVS is running there. The problem is that sometimes the port does not listen and sometimes it listens, if I do netstat -an. It is weird. Not sure how to restart the CVS service on the 6.2 server.
I have a box with SUSE 11.1 with a service that (I don't know why) stops every day at the same time. I'm trying to find out why it comes to a halt, but in the meantime I would like to restart it automatically. As root I inserted in crontab the line:
25 16 * * * /etc/init.d/service start
But it doesn't work. If I launch /etc/init.d/service start (or stop) manually, it works.
I needed to make some changes to the httpd.conf file. Afterwards I tried restarting, but it won't restart. It's saying port 80 is already in use. After checking via lsof -i :80 I get this result:
After the latest jessie update I have a problem with service samba restart. If I use "service samba restart", there is a timeout (after a long time) and an error.
Output of "systemctl status samba.service":
Code:
● samba.service - LSB: ensure Samba daemons are started (nmbd and smbd)
   Loaded: loaded (/etc/init.d/samba)
   Active: failed (Result: timeout) since Mo 2014-10-20 02:16:57 CEST; 7s ago
  Process: 6205 ExecStart=/etc/init.d/samba start (code=killed, signal=TERM)

Okt 20 02:16:57 server systemd[1]: samba.service start operation timed out. Terminating.
Okt 20 02:16:57 server systemd[1]: Failed to start LSB: ensure Samba daemons are started (nmbd and smbd).
[Code] ....
What's going wrong? "service samba restart" should give no error message if the service was not running previously.
Has anyone noticed that when using NameVirtualHosts in Apache the service httpd restart command is broken? Also it seems system-config-bind has glitches too.
I have an HP Deskjet D1460. I am using Ubuntu 10.04 and HPLIP 3.10.2 that came with the distro. I am planning to move my Windows PCs to Ubuntu in my business, and this is the first of them. Trying to solve all the problems before converting a second one. All seems to work quite well and almost out of the box... and that is a huge step from the last distro I tried 2 years ago. So, my difficulty now resides in the printing. I am using a small VFox program that manages some aspects of the business, in Wine. It works without problems, but... when I print, all the pages get printed about 1cm lower than when it was printed under Windows. The problem is that I use the printer to fill some forms that come pre-printed, and now I am printing over the other text instead of the white spaces. I read a little, and tried to adjust the HWMargins and the ImageableArea in the ppd in /etc/cups/ppd/, but it was as if I was doing nothing. Do I miss a step? Do I need to restart a service or something after changing the ppd? The margins when using the printer GUI from Ubuntu are all 0, and for that I need something like a negative value.
I have a process that I cannot kill with kill -9; how do I go about this?
[Code]...
It is an openvpn process, but I cannot restart the service as I already have another openvpn service running on the server, so when I do openvpn service restart, it won't know which service to restart.
Whenever I give the command service nfs restart in Fedora 14 I am getting the following:
And when typing the command service portmap restart in Fedora 14 I am getting the following:
When I tried this in Red Hat and CentOS it was working in my classroom, but when I am trying it in real time it is not working, so what does it mean and how do I resolve the issue?