Security :: Auditd Missing Syscalls?

Jun 11, 2010

I want to monitor a part of my filesystem for changes, including file opening and attempts to open files/dirs without the necessary permissions. Since every read/write/open is run by syscalls, I figured that running auditd would be the simplest way to do this. I installed auditd and added a rule:

Code:
auditctl -w /srv -p warx

However, I do not get any writes reported via ausearch -i. As a simple example, if I run

[code]....




Fedora :: Kernel Compile Error : No Rule To Make Target `missing-syscalls'?

Dec 13, 2009

I am trying to compile a kernel in the following directory: /usr/src/kernels/2.6.30.9-102.fc11.x86_64

Note I am not trying to build an rpm but just do a simple make. After configuring with make menuconfig I issue the make command and get the following error:

Code:
[root@compaq 2.6.30.9-102.fc11.x86_64]# make
CHK include/linux/version.h
CHK include/linux/utsrelease.h
SYMLINK include/asm -> include/asm-x86
make[1]: *** No rule to make target `missing-syscalls'. Stop.
make: *** [prepare0] Error 2

How do I resolve this error? It seems to be Fedora-centric.


Fedora Security :: Run Auditd As Non-root User?

Nov 2, 2009

Can the audit daemon (auditd) be run by a non-root user? I'd like to create a special user who only runs the audit daemon. Is that possible?


Security :: How To Enable And Config Auditd In Kernel 2.6.9-5.EL

Mar 14, 2010

Can anyone tell me how to enable and configure auditd in Linux kernel 2.6.9-5.EL? I have only found the commands auditd and auditctl on a server that runs kernel 2.6.9-5.EL. I ran auditd & and could see auditd running on my server. But I couldn't do anything with auditctl: no status, no rules, nothing :| . I tried to find audit.rules or auditd.conf, but I can find nothing.


Fedora Security :: Redirect Auditd Log To Remote Host?

Sep 17, 2009

Is there a way to redirect the audit daemon messages to a remote host? I checked auditd.conf and its man page and found that the log location is specified by the line log_file = file_path, and in the man page:

Quote:

"log_file: This keyword specifies the full path name to the log file where audit records will be stored. It must be a regular file."

Does this mean that auditd does not have the function to redirect the logs to a remote host?


Software :: Knows For What Use Is The Service 'auditd'?

Jan 28, 2011

I've heard this is a monitoring service. I want to turn it on on production machines, but I am not sure what negative influence it will cause.


Security :: Missing A Secure.log Or Security.log File

Jul 11, 2010

I seem to be missing a secure.log or security.log file. I have Ubuntu 10.04 and can't find this file. I looked in /var/log and ran a search command to no avail. Does anyone know where this file is, or is it called something else? I'm looking for a file that logs any change to the security settings of the system.


General :: RHEL 4.6 - Cannot Boot Pass Starting Auditd

Apr 15, 2011

I'm using RHEL 4.6. auditd was set on for run levels 1-5. I changed something (?), and now my system won't boot. It hangs on "Starting auditd:". I tried adding "enforcing=0" to GRUB. I tried adding "selinux=0" to GRUB. I tried adding "auditd=0" to GRUB. I've tried them separately, as well as in various combinations. I've tried entering "I" to go into interactive mode, but I'm not fast enough to hit that millisecond window. How can I skip/get past the "Starting auditd:"?


Debian Configuration :: Unable To Create Stat Exclude Rule For Auditd

Apr 25, 2016

I'm trying to configure auditd to monitor "strange" events with the apache2 webserver on Wheezy (though the same problem occurs on Jessie); I tried both with the "vanilla" 3.2 kernel and the backports 3.16 kernel I am actually using.

Here are the auditd rules I have a problem with:

Code:
-a exit,never -F arch=b64 -S stat -F path=/var/www/server-status -k web
-a exit,always -F arch=b64 -S stat -F uid=www-data -F success=0 -k web

So to recap, I want to log stat syscall failures for the www-data user, but exclude some "known" issues, such as that "/var/www/server-status" (after a2enmod status, the /server-status path can be accessed for statistics, though apache2 still tries to find a physical file for that path and fails).

But the problem is that excluding does not work.

Here's "auditctl -l" output:

Code:
# auditctl -l
LIST_RULES: exit,never arch=3221225534 (0xc000003e) watch=/var/www/server-status key=web syscall=stat
LIST_RULES: exit,always arch=3221225534 (0xc000003e) uid=33 (0x21) success=0 key=web syscall=stat

But when I execute:

Code:
# wget -O - http://localhost/server-status

this appears in audit.log:

Code:
type=SYSCALL msg=audit(1461591557.077:365): arch=c000003e syscall=4 success=no exit=-2 a0=7f1bedab9358 a1=7ffef316ac20 a2=7ffef316ac20 a3=7f1bedab91f8 items=1 ppid=2398 pid=2451 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" key="web"
type=CWD msg=audit(1461591557.077:365):  cwd="/"
type=PATH msg=audit(1461591557.077:365): item=0 name="/var/www/server-status" nametype=UNKNOWN
type=UNKNOWN[1327] msg=audit(1461591557.077:365): proctitle=2F7573722F7362696E2F61706163686532002D6B007374617274

So, syscall=4 (stat) is still captured. It looks like the "path" is known to auditd, but not excluded.

I've tried various rule combinations, for example a simpler, more generic one:

Code:
-a exit,never -F path=/var/www/server-status

But it's the same.

Sadly, man audit.rules and man auditctl do not have "exit,never" examples, only some (sometimes also similarly unsuccessful) Google results.

Could it be that the Debian kernel does not support some audit features?


Fedora Security :: Authorizations Missing From Menu In 12?

Nov 21, 2009

One thing missing from my GUI toolbar is the authorizations tool icon, which is explained by the missing /usr/bin/polkit-gnome-authorization. Would someone be able to fill me in? Last time the command was polkit-gnome-authorization. It may have changed or may not yet be implemented. Edit: I have checked F11 and compared: /usr/bin/polkit-gnome-authorization is missing from F12 while it is in F11.


Fedora Security :: SELinux Troubleshooter Missing

Jul 20, 2011

I just installed Fedora 15 and I see the SELinux Policy Generation Tool and the SELinux Administration application in the app launcher, but I do not see the SELinux Troubleshooter app. It seems to be missing. How do I get it on my system?


Ubuntu Security :: 9.10 - SSH Askpass Dialog Missing

Jan 13, 2010

I have 9.10 at work and at home. At home it was installed from scratch. At work it's upgraded from 8.10->9.06(?)->9.10.
- At work, when I do something over ssh, like subversion, and I have a key for that host, I am presented with a nice dialog box for my ssh key, and that's it. For the rest of my uptime, I can ssh to places without any hassle.
- At home, I'm presented with the key input prompt on the terminal. Even if I manually start ssh-agent, it still happens.
What package am I missing? I have ssh-askpass-gnome on both.


Ubuntu Security :: Missing Secure.log File?

Jul 11, 2010

I seem to be missing a secure.log or security.log file. I have Ubuntu 10.04 and can't find this file. I looked in /var/log and ran a search command to no avail. Does anyone know where this file is, or is it called something else? I'm looking for a file that logs any change to the security settings of the system.


Security :: Audit Compilation :audit_tty_status Missing?

Jun 7, 2010

Strange: during the configure I have checked:

Code:
checking for struct audit_tty_status... no
# uname -a
Linux lfslc5 2.6.18.8-xenU-64b #1 SMP Tue May 6 18:09:10 CEST 2008 x86_64 x86_64 x86_64 GNU/Linux


Security :: Syslog - Missing Entries To Logs

May 23, 2011

CentOS 5.6 Server patched to latest, multiple name-based Apache virtual hosts, SELinux OFF. Everything was working fine until the other day. I've been making quite a lot of changes, so it may well be something I've done, but I can't find out what! Last night I got the following in my logwatch:

Requests with error response codes
404 Not Found
/admin/phpmyadmin/scripts/setup.php: 1 Time(s)
/admin/pma/scripts/setup.php: 1 Time(s)
/admin/scripts/setup.php: 1 Time(s)
/db/scripts/setup.php: 1 Time(s)
/dbadmin/scripts/setup.php: 1 Time(s)
[Code]...

The problem is that NONE of my logs (secure, httpd, messages, NONE of them) show any trace of these hacking attempts. They used to show up in secure and the Apache error logs, but no longer.


Ubuntu Security :: Firefox Missing Privacy Settings

Jun 16, 2010

I have LTS 10.04 with Firefox 3.63 and the cookie settings are not there. Does anyone else have missing privacy settings? I don't like the idea of tracking cookies and want to do what I can to get rid of them.


Ubuntu Security :: Nepenthes Configuration Files Missing

Dec 7, 2010

I am doing a honeypot project, and after I install nepenthes:

$ sudo apt-get install nepenthes
$ nepenthes

I find that there are no configuration files in /etc/nepenthes/, only a signatures document.

I searched on the internet; all the install guides do not mention this problem, they just say that if you update nepenthes, the /etc/nepenthes/*.conf files will not automatically update.


Ubuntu :: Appearence And Security Tabs Missing In StartUp-Manager Application

May 3, 2010

I installed Startup Manager but the appearance and security tabs are missing. I really want to be able to change the resolution of the splash screen because it looks all pixelated, and I want to have the splash screen that 9.10 had.

I tried reinstalling and restarting but the issue remains. I know it's somewhat functional because I am able to change the seconds that GRUB takes, but when I try to change the resolution of the purple Ubuntu startup screen it looks like it tries to change it but fails.


Security :: REDHAT Missing Functionality - Force User To Change Password On Login?

Mar 16, 2011

I have now been trying to find an answer for the following for a while and can't seem to get anything. On previous Linux distros we had the option "passwd -e" available, which allowed us to force the user to change their password upon the next login. This functionality, however, seems to be excluded from the latest Linux distros (currently using RHEL 5.4)... Does anybody know how the same effect can be achieved, and perhaps have any idea why this option was removed, as it was great for securing passwords?


Security :: Warning: /etc/hosts.deny, Line 20: Missing ":" Separator?

May 15, 2010

I am getting a warning from /etc/hosts.deny:

Code:
ALL: 192.168.1.3
ALL: 172.68.11.204

[code]...


Debian Installation :: Missing Network Drivers / And Missing Make To Install Them

Dec 1, 2014

I have an Asus PC, and its network hardware is not recognized by Debian; the drivers are not even in the list provided during the installation process. I managed to download them from another PC, but if I try to make and install them, I'm stuck because make is not installed on Debian (nor is sudo). So I need a connection to install the drivers that provide me a connection...


Ubuntu :: Panel Missing In 11.04 - Most Of My Effects Were Missing

Apr 30, 2011

I just installed Ubuntu 11.04 last night. I noticed most of my effects were missing, so I tried to put them back on. This didn't work, so I disabled the effects. Then my panel at the top and the Launcher went missing. How do I get these back?


Software :: Can Package Missing Files From Missing OS RPMs

Jul 16, 2010

How do we properly integrate these RPMs into our system?

Option 1: could we take those missing OS RPMs and install them?
Option 2: can we package the missing files from the missing OS RPMs into the existing Linux-xxx.rpm?


Ubuntu :: Missing PV - Your System Missing Some Dependencies

Sep 1, 2011

I am following [URL] to install Ubuntu on my BeagleBoard via Ubuntu 10.10 on a live CD. When I enter this command in the terminal:

"sudo ./setup_sdcard.sh --mmc /dev/sdX --uboot beagle"
it gives me an error saying dependencies are missing:
"Missing pv. Your System is Missing some dependencies
Ubuntu/Debian: sudo apt-get install uboot-mkimage wget pv dosfstools btrfs-tools parted"
And when I enter the above in the terminal I get the following error:
Unable to locate PV.


Fedora Security :: Script To Add Security Spin Tools To Normal Installation

May 22, 2011

I love security/pentest tools. This script adds ALL the tools from the Security Spin, plus Metasploit. Feel free to modify it if need be.


Ubuntu Security :: Login Panel Is Worse From Security View Point

Jan 19, 2010

The Ubuntu 9.10 login panel is worse with respect to Ubuntu 8, since now all the users with names are shown without a way to hide them! Why not keep the old way at least as an option?


Ubuntu Security :: Selecting The 'Available To All Users' Option In Network Mgr Mess With Security?

Oct 15, 2010

To avoid having to input a password for the keyring each time I connect to the net via wireless, I enabled the 'Available to all users' option in Network Manager. Now, my question is this. Are the 'users' it refers to just those created on this machine? Would a drive-by be able to use my network without entering the password?


Ubuntu Security :: Basics Of Good Security Of Small Commercial Website?

Jan 17, 2011

1. I understand you can protect your files or directories in your website by setting file/directory permissions. The meaning of r w x is clear to me, but I'm not sure how to proceed... Starting with the index.html file, if I wanted to make it so that anyone in the world can read it but can't modify it, do I set its permissions to rwxr-xr-x? If I set it to rwxr--r--, would that mean the file couldn't be served? I mean, what does the x setting do on a .html file, how can a .html file be executable?

2. If file permissions work on the lines of owner-group-others, in the context of a website, who is 'group'? As far as I can tell, there's only the owner, which is me, and others, which is the world accessing the site. Am I correct in thinking that by default, say when creating a website on a shared hosting server, there is no group unless I specifically set one up?

3. My ISP allows the DynDNS.org service, meaning that I could serve a website from my home. It's too early to go that route just yet, but for future reference, I would like to ask about the server software called Hiawatha. It is said to be secure, but having read some evaluations of it, it doesn't seem to offer anything that couldn't be accomplished with Apache or Cherokee, it's just that its security settings are simpler and easier to configure. Am I right about this? Or does Hiawatha truly offer something that the other major server packages don't?


Fedora Security :: Weird SELinux Security Alerts - Got: Code: Summary: System May Be Seriously Compromised?

Apr 13, 2011

This is the alert I got:

Code:
Summary:
Your system may be seriously compromised! /usr/sbin/NetworkManager tried to load a kernel module.

Detailed Description:
SELinux has prevented NetworkManager from loading a kernel module. All confined programs that need to load kernel modules should have already had policy written for them. If a compromised application tries to modify the kernel this AVC will be generated. This is a serious issue. Your system may very well be compromised.

Allowing Access:
Contact your security administrator and report this issue.

Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:system_r:NetworkManager_t:s0
Target Objects None [ capability ]

[code]....


Ubuntu Security :: Updated Browsers Using Update Manager Have Lost Security Login Pages For Web Mail?

Mar 3, 2011

I updated both browsers I have and lost my secure log-in pages (no padlocks showing) for different web mail accounts. Just before I did these updates I checked an unrelated thing online regarding my sound card, of which I kept a copy, and got this message below:

!!ALSA/HDA dmesg
!!------------------
[ 12.762633] cfg80211: Calling CRDA for country: AM

[code]....


Copyrights 2005-15 www.BigResource.com, All rights reserved