Security :: How To Enable And Config Auditd In Kernel 2.6.9-5.EL

Mar 14, 2010

Can anyone tell me how to enable and config auditd in Linux kernel 2.6.9-5.EL? I have only found the commands auditd and auditctl on a server that runs kernel 2.6.9-5.EL. I ran auditd & and could see auditd running on my server. But I couldn't do anything with auditctl: no status, no rules, nothing :| . I tried to find audit.rules or auditd.conf, but I couldn't find anything.

View 1 Replies



Security :: Auditd Missing Syscalls?

Jun 11, 2010

I want to monitor a part of my filesystem for changes, including file opening and attempts to open files/dirs without the necessary permissions. Since every read/write/open is run by syscalls, I figured that running auditd would be the simplest way to do this. I installed auditd and added a rule:

Code:
auditctl -w /srv -p warx
However I do not get any writes reported via ausearch -i. As a simple example, if I run

[code]....

View 5 Replies View Related

Fedora Security :: Run Auditd As Non-root User?

Nov 2, 2009

Can the audit daemon (auditd) be run by a non-root user? I'd like to create a special user who only runs the audit daemon. Is that possible?

View 1 Replies View Related

Fedora Security :: Redirect Auditd Log To Remote Host?

Sep 17, 2009

Is there a way to redirect the audit daemon messages to a remote host? I checked auditd.conf and its man page and found that the log location is specified by the line log_file = file_path, and the man page says:

Quote:

"log_file: This keyword specifies the full path name to the log file where audit records will be stored. It must be a regular file."

Does this mean that auditd does not have the function to redirect the logs to a remote host?

View 4 Replies View Related

General :: Extracting Kernel Config From Kernel Image -- Extract-ikconfig

Jan 22, 2010

I'm trying to run extract-ikconfig because I've mistakenly deleted an old kernel config that I'd like to recover. However, when running the script from the latest (2.6.32.5) tree I run into this error:

Quote:

ERROR: Unable to extract kernel configuration information.

This kernel image may not have the config info.

Coincidentally, this happens with all of my kernel images. Is it a fixable problem? I should really set CONFIG_IKCONFIG_PROC next time.

View 1 Replies View Related

General :: Enable Config Option CONFIG_NET_RADIO

Apr 9, 2010

I wanna see the wifi signal strength. But when I run the command iwconfig, it tells me 'no wireless extensions'. By googling I found that I need to enable the config option CONFIG_NET_RADIO. I see that this has to be done in /boot, which has the config files. So I typed the command grep CONFIG_NET_RADIO /boot/<config-2.6.31.5-127.fc12.i686> (my Fedora kernel version is 2.6.31.5-127.fc12.i686). But I got the error "bash: syntax error near unexpected token `newline'". I don't know the reason. I also want to know if I have to install a driver (ndiswrapper) for viewing the wireless signal strength. I thought that the drivers would be present by default.

View 8 Replies View Related

Software :: Knows For What Use Is The Service 'auditd'?

Jan 28, 2011

I've heard this is a monitoring service. I want to turn it on on production machines, but I am not sure what negative influence it will cause.

View 2 Replies View Related

Software :: GUI Kernel Config

Feb 9, 2009

I have Mandrake 9.0 with a 2.4 kernel; this comes with a GUI kernel config, which is a nice feature as it details each kernel item. I installed a Mandriva 2009 edition with a 2.6.27 kernel and want to add the GUI kernel config. Does anyone know of a package to do this?

View 3 Replies View Related

General :: RHEL 4.6 - Cannot Boot Pass Starting Auditd

Apr 15, 2011

I'm using RHEL 4.6. auditd was set on for run levels 1-5. I changed something (?), and now my system won't boot. It hangs on "Starting auditd:". I tried adding "enforcing=0" to GRUB. I tried adding "selinux=0" to GRUB. I tried adding "auditd=0" to GRUB. I've tried them separately, as well as in various combinations. I've tried entering "I" to go into interactive mode, but I'm not fast enough to hit that millisecond window. How can I skip/get past the "Starting auditd:"?

View 5 Replies View Related

Fedora :: F12 2.6.33 Kernel .config For Menuconfig

Mar 14, 2010

I'm experimenting with 2.6.33-ck1, mainly because I want to try the BFS. I successfully configured and installed the patched kernel, but I'm experiencing various problems on the desktop. The biggest is Chromium not working at all, but there are several others, including graphical glitches in Firefox. I'm sure I left some important module off or made a mistake in some settings. My question is: is there a 2.6.33-fc12 kernel yet, and does it have a .config available? I'd like to load those settings in menuconfig and use them as a starting point to properly configure and compile a -ck patched kernel.

View 1 Replies View Related

Fedora Servers :: Kernel .config For A VPS?

Jun 20, 2011

Does anyone have a sample kernel .config, so I can compile a small custom kernel on my VPS? I tried to make it alone, but I removed stuff, so that my VPS won't start anymore. Virtualization is KVM, running on a Core 2 Duo.

View 3 Replies View Related

Ubuntu :: What Is Actually Used And Needed In Kernel Config?

Jun 4, 2010

I would like to compile my own kernel. I am familiar with how to do it and have done it in the past, so I'm not looking for a how-to on compiling a kernel. In the kernel config there are many, many options. In the past when I compiled kernels I always wondered about what is needed and used. What is the best way to determine what is currently used, not just set or enabled in the existing config, but actually used by my existing kernel? I have a general idea of what is loaded and could do trial and error, turn this and that off, recompile, etc., but is there an easier way?

View 3 Replies View Related

Fedora Security :: Add A Config To The Firewall?

Jan 30, 2010

I'm currently running Fedora 11 on my computer and I have this old firewall called Firestarter. Firestarter is very outdated, but it has better rules for blocking connections like IGMP. Does anyone know how to add filter rules so I can block IGMP trace and other unknown protocols? It would be cool.

View 5 Replies View Related

Fedora :: Override .config When Building Kernel Rpm?

Jul 14, 2011

I am using FC15. I need a kernel with a different configuration, with the "Preemptible Kernel (Low-Latency Desktop)" option in the Processor Type and Features menu. I need this to support my FireWire audio device. I would like to build a new kernel RPM from the SRPM so that I can keep a clean system with RPMs for all files, and I don't really want to manually override the kernel, bypassing RPM. I am following **exactly** the process described there: I install the SRPM, unpack the source, then use the starting sample config files in the BUILD folder to create a new customised .config file with the new option, then copy this back to the SOURCE folder.

This works perfectly if I make a standard kernel. But I cannot get the process to work if I change the config file. Every time I compile I end up with exactly the standard kernel -- a vanilla i686 kernel, without my custom config. I believe the problem is that when I run rpmbuild to compile the kernel, this process overwrites my config option. I found that there is a script (merge.pl) which creates new config files dynamically for all kernel options based on fragments in the SOURCE folder. It looks like the script never uses the config file that I am putting into the SOURCE folder. The wiki page suggests using this command to copy my custom config file: cp .config ~/rpmbuild/SOURCES/config-`uname -m`

View 2 Replies View Related

Hardware :: Running System To Kernel Config

Sep 21, 2010

I've read about some sort of tools that help with kernel configuration. Can anyone tell me anything about these? It seems that you use the tool(s) on a running system. You use the running system for a while. The tool(s) gather data and leave bread crumbs. The tool(s) then process the bread crumbs to create a candidate config file for a fresh kernel build. The goal is a kernel build that contains the parts you actually use and omits the parts you don't use or don't need -- all the while using arcane knowledge of dependencies among various kernel features to (hopefully) avoid building a still-born kernel.

View 6 Replies View Related

Slackware :: Slap DVD Laptop Kernel Config

Sep 8, 2009

This is my first effort in making something more appropriate for laptop users (exclusively). This is a kernel config for 2.6.30.5. I started with the Slackware Generic-SMP 32-bit kernel config (this is a 32-bit kernel config). All credit for (in my opinion) the best starting place for any kernel config goes to Patrick Volkerding. (Please tell me if I am or am not doing this properly in terms of respecting the work of others, GPL, GNU, etc.)

View 14 Replies View Related

Debian Configuration :: Unable To Create Stat Exclude Rule For Auditd

Apr 25, 2016

I'm trying to configure auditd to monitor "strange" events with the apache2 webserver on Wheezy (though the same problem occurs on Jessie); I tried both with the "vanilla" 3.2 and the backports 3.16 kernel I am actually using.

Here are the auditd rules I have a problem with:

Code:
-a exit,never -F arch=b64 -S stat -F path=/var/www/server-status -k web
-a exit,always -F arch=b64 -S stat -F uid=www-data -F success=0 -k web

So to recap, I want to log stat syscall failures for the www-data user, but exclude some "known" issues, such as "/var/www/server-status" (after a2enmod status, the /server-status path can be accessed for statistics, though apache2 still tries to find a physical file for that path and fails).

But the problem is: excluding does not work.

Here's "auditctl -l" output:

Code:
# auditctl -l
LIST_RULES: exit,never arch=3221225534 (0xc000003e) watch=/var/www/server-status key=web syscall=stat
LIST_RULES: exit,always arch=3221225534 (0xc000003e) uid=33 (0x21) success=0 key=web syscall=stat

But when I execute:
Code:
# wget -O - http://localhost/server-status

This appears in audit.log:
Code:
type=SYSCALL msg=audit(1461591557.077:365): arch=c000003e syscall=4 success=no exit=-2 a0=7f1bedab9358 a1=7ffef316ac20 a2=7ffef316ac20 a3=7f1bedab91f8 items=1 ppid=2398 pid=2451 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" key="web"
type=CWD msg=audit(1461591557.077:365):  cwd="/"
type=PATH msg=audit(1461591557.077:365): item=0 name="/var/www/server-status" nametype=UNKNOWN
type=UNKNOWN[1327] msg=audit(1461591557.077:365): proctitle=2F7573722F7362696E2F61706163686532002D6B007374617274

So, syscall=4 (stat) is still captured. It looks like the "path" is known to auditd, but not excluded.

I've tried various rule combinations, for example a simpler, more generic one:

Code:
-a exit,never -F path=/var/www/server-status

But it's the same.

Sadly, man audit.rules and man auditctl do not have "exit,never" examples, only some (sometimes also similarly unsuccessful) Google results.

Could it be that the Debian kernel does not support some audit features?

View 1 Replies View Related
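An added example, not from the post above: a small parser for the audit.log records quoted in it, which groups the SYSCALL/CWD/PATH/proctitle records by event serial, decodes the hex proctitle, and filters failed stat events by key, applying the known-benign /var/www/server-status path as a report-time exclusion. The sample log is constructed from the post's own records, and syscall number 4 is taken as stat for the x86_64 arch (c000003e) shown there.

```python
import re
from collections import defaultdict

# Constructed sample: the four records the post shows for one audit event (serial 365).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1461591557.077:365): arch=c000003e syscall=4 success=no exit=-2 a0=7f1bedab9358 a1=7ffef316ac20 a2=7ffef316ac20 a3=7f1bedab91f8 items=1 ppid=2398 pid=2451 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" key="web"
type=CWD msg=audit(1461591557.077:365):  cwd="/"
type=PATH msg=audit(1461591557.077:365): item=0 name="/var/www/server-status" nametype=UNKNOWN
type=UNKNOWN[1327] msg=audit(1461591557.077:365): proctitle=2F7573722F7362696E2F61706163686532002D6B007374617274
"""

# Every record starts with its type and the audit(<timestamp>:<serial>) stamp; the serial ties
# the SYSCALL, CWD, PATH and proctitle records of one event together.
RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values are either double-quoted strings or bare tokens such as (none).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

STAT_SYSCALL_X86_64 = 4  # assumption: x86_64 numbering, matching arch=c000003e in the sample


def parse_fields(body):
    fields = {}
    for m in FIELD_RE.finditer(body):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def decode_proctitle(hexstr):
    # proctitle is the process argv, NUL-separated and hex-encoded by the kernel.
    raw = bytes.fromhex(hexstr)
    return [arg.decode('utf-8', 'replace') for arg in raw.split(b'\x00') if arg]


def parse_audit_log(text):
    events = defaultdict(lambda: {'paths': [], 'proctitle': []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        ev = events[m.group('serial')]
        ev['timestamp'] = float(m.group('ts'))
        fields = parse_fields(m.group('body'))
        rtype = m.group('type')
        if rtype == 'SYSCALL':
            ev.update({'syscall': int(fields['syscall']), 'success': fields['success'] == 'yes',
                       'exit': int(fields['exit']), 'uid': int(fields['uid']),
                       'comm': fields.get('comm'), 'key': fields.get('key')})
        elif rtype == 'PATH':
            ev['paths'].append(fields['name'])
        elif 'proctitle' in fields:
            ev['proctitle'] = decode_proctitle(fields['proctitle'])
    return dict(events)


# Paths whose stat failures are expected noise (the post's /server-status case).
KNOWN_BENIGN = {'/var/www/server-status'}


def failed_stat_events(events, key='web', ignore=KNOWN_BENIGN):
    # Keep only failed stat() events carrying the given key, dropping known-benign paths.
    return [ev for ev in events.values()
            if ev.get('key') == key and ev.get('syscall') == STAT_SYSCALL_X86_64
            and not ev.get('success') and not (set(ev['paths']) & ignore)]
```

Running failed_stat_events(parse_audit_log(SAMPLE_LOG)) yields an empty list for the sample, while passing ignore=set() keeps the /var/www/server-status event.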

Debian Configuration :: Use Existing Config When Upgrading Kernel?

Mar 11, 2016

Can I use the config for my current kernel (the jessie 3.16 one), and use it to build a more recent kernel (3.18)? Do I just copy across the config and try and build with it, or is there some tool that will bring across the existing config but also set up reasonable defaults for any new options in the newer kernel, and any other migrations that might need to be applied?

View 4 Replies View Related

Debian Configuration :: Automatic .config Generator For Kernel 2.6.33.4?

May 16, 2010

I'm recompiling my kernel on a Dell Latitude C600 running Lenny as I type, and it's taking forever, so far upward of 4 hours. I think I'm getting drivers for every piece of computing hardware since the UNIVAC. So I googled "a kernel conf creator" and got [URL]... It's a nice, clean method for finding what hardware you're using... you just run lspci, cpuinfo, make xconfig and put in all the info yourself. So I was thinking: this is exactly the kind of dull, repetitive behavior that computers were made for. Is there a program that can find my hardware info and make the .config itself, with very little user input? Or should I reinstall Debian on another partition and steal the .config from it? Or should I man up and do it myself?

View 14 Replies View Related

Fedora :: Subject - Modify Only Parameters In Kernel Config

Aug 28, 2009

I want to start to play with "homemade" kernels (to get some experience in this subject). I want to do this step by step. I have already read a lot about this. I have Fedora 10 running, so I want to start with this. I have read that there is a "special" way to create a kernel for Fedora. [URL] OK, I understand this more or less. When you build a new kernel with another version number, you have to rebuild all the modules with this new kernel version, and you have to install these also.

But: I want to start by modifying only some parameters in my kernel config. Do I need to rebuild and re-install the modules also? Will it not be enough to rebuild only the kernel (vmlinuz)? Where can I find some information about the options I can disable in my kernel to speed up my system (the boot process, etc.)? I want to suppress the loading of unneeded modules. I want to understand the options in menuconfig (and there are a lot of options!).

View 1 Replies View Related

Fedora :: Get A Proper Config To Compile A Vanilla Kernel?

Jun 29, 2011

I'm using Fedora 15 and I'm trying to compile a 3.0.0rc5 kernel, but I'm unable to get a config for my machine to boot up. I tried make localmodconfig; it says

using config: '.config'
capifs config not found!!
Restart Config

and then I tried cp /boot/config-2.6.38.6-26.rc1.fc15.i686.PAE .config to override the default config, but still that doesn't work. Is there a workaround to get a proper config so that I can boot the latest kernel here?

View 1 Replies View Related

OpenSUSE Install :: Extract A Config From Running Kernel

Oct 17, 2010

I'm looking to extract a config from a working kernel..that much was pretty easy..all ya gotta do is "cp /proc/config.gz ." which will put it in whatever directory you're currently in and then do a "gzip -d config.gz" to get the config file.

Now...after that it gets a bit tricky..Linus says you should never compile a kernel in /usr/src/ because those header files in ../include should never change. He says you should extract a new kernel gz in your home directory and compile it there. I tend to agree (who am I to argue?). Anyway..wherever your sources are, this is where you need to copy the config file...

Like this...my home dir is "/home/dart". So I would put the kernel sources there under "/home/dart/linux". I would cd to /home/dart/linux and do "cp /proc/config.gz ." then "gzip -d config.gz" which should leave you with a file called "config", then "mv config .config"

Now here's where I run into a problem..when I do "make xconfig" I get this...

Tried to install the qt3-devel packages from CD but guess what? I ran into cdrom errors which is what I was trying to fix in the first **** place...catch 22 eh?

View 5 Replies View Related

Fedora :: Recover .config After Building Customized Kernel

Oct 18, 2010

Supposed I have built customized kernel rpm four times in a row and the latest built kernel failed. If I still have all four kernel.xxx.rpm files, is there any way that I could get back the .config file used for each of those four builds? I really could not recall exactly what changes I had made in .config for each build.

View 3 Replies View Related

Ubuntu :: Match Custom Kernel Config To Laptop?

Feb 17, 2010

How do I discover which kernel config parameters are important for my laptop hardware and frequently used applications? I'm not looking for something that is 100(...)% optimized for my hardware. I would prefer to have modules for everything that I don't use at all or often. I would prefer to avoid modules (built-in) for things that I use all the time but then any updates might mean a kernel rebuild. I'm currently running the generic PAE edition of the repository kernel. I think that I'm running the 32-bit flavor at that.

Code:
user@host:path$ uname -a
Linux mumbles 2.6.31-19-generic-pae #56-Ubuntu SMP Thu Jan 28 02:29:51 UTC 2010 i686 GNU/Linux

I know the following from sysinfo

[Code]....

View 7 Replies View Related

Security :: Use Of System-config-users Not Capturing Activity?

Dec 15, 2010

I have an auditing problem. I am required to be able to track user account modifications (creates, deletes, password changes, etc.). My team and I implemented auditd 1.7.17 and borrowed an existing rule set from /usr/share/doc/audit-1.7.17/nispom.rules. What we're seeing is that user account activity from the command line is retrievable by doing an 'aureport -m'. However, doing the same through the GUI, 'aureport -m' does not display the activity. So I have two questions:

1. Is there another location I should be looking to find the user creation activities when using the GUI?
2. Is there a way to make the activity using the GUI be captured in /var/log/audit/audit.log so 'aureport -m' can report it?

Someone suggested a PAM configuration change, but was not able to tell me what change to make.

View 3 Replies View Related

General :: Configuration - Obtain Kernel Config From Currently Running System?

May 23, 2011

I accidentally deleted my .config for my kernel configuration on Linux, and seem to remember there was a way to retrieve the kernel configuration via the proc filesystem somehow. Is this still possible, and if so how would I do it?

View 1 Replies View Related

Ubuntu Installation :: Unable To Find .config File For Kernel

Jun 21, 2010

I'm looking for the .config file for the kernel which ubuntu uses to compile the standard generic kernel which is delivered in compiled form. I downloaded the following kernel archive ( 2.6.31.8 ): [URL]... I need the original file, because I'm not able to configure a working kernel, so I want to try to compile the kernel with the standard configuration. Afterwards I'm going to change some options.

View 5 Replies View Related

Networking :: Iptables & Kernel Config To Do Conntrack Of Bittorrent Traffic

Jul 31, 2010

I was just wondering if using a non-SMP kernel would be OK on an older P4 system with no X. I am wondering due to some functionality in iptables that is broken in the SMP kernels (-m owner --sid,pid,cmd-owner).

Could someone who is running a NON-SMP kernel advise as to whether the support for -m owner --cmd-owner is working in iptables with those kernels? Also, could someone advise me if running a NON-SMP kernel is even advisable? The machine will not have X.

View 14 Replies View Related

Software :: Change Config Settings And Build Kernel With Bitbake?

Dec 20, 2010

I am using Angstrom Linux on a Beagleboard and it does not have CONFIG_HIDDEV enabled. How do I enable that config setting and rebuild the Kernel? I can build the Kernel as it stands using Bitbake, but the config file containing the CONFIG_HIDDEV=n is commented as "auto built, do not edit". Can I ignore that and edit it? Or is there some other way to control the "auto building" of it?

View 1 Replies View Related

Slackware :: Compiling Kernel 2.6.38.6 - Config Debug Section Mismatch

May 11, 2011

Anyone able to compile kernel 2.6.38.6 on Slackware 13.37 successfully using the config from testing/2.6.38.4? I was able to get .4 and .5 to compile successfully, but with .6 I get the following after running "make modules".

Code:
WARNING: modpost: Found 11 section mismatch(es).
To see full details build your kernel with:
'make CONFIG_DEBUG_SECTION_MISMATCH=y'
Running "make CONFIG_DEBUG_SECTION_MISMATCH=y 2>&1 > outfile" gives me a bunch of WARNINGS as follows:

Code:
WARNING: vmlinux.o(.text+0xe656a): Section mismatch in reference from the function build_all_zonelists() to the function .meminit.text:setup_zone_pageset.clone.56()
The function build_all_zonelists() references
the function __meminit setup_zone_pageset.clone.56().
This is often because build_all_zonelists lacks a __meminit
annotation or the annotation of setup_zone_pageset.clone.56 is wrong.....

WARNING: drivers/watchdog/nv_tco.o(.devinit.text+0x14): Section mismatch in reference from the function nv_tco_init() to the function .init.text:nv_tco_getdevice()
The function __devinit nv_tco_init() references
a function __init nv_tco_getdevice().
If nv_tco_getdevice is only used by nv_tco_init then
annotate nv_tco_getdevice with a matching annotation.

View 14 Replies View Related


Copyrights 2005-15 www.BigResource.com, All rights reserved