Server :: Audit System Is In Immutable Mode - No Rules Loaded

Nov 23, 2010

I have /var/log/audit and /var/log/audit.log owned by root with 600 permissions. I've also removed and recreated an empty /var/log/audit directory, but that did not work either. I can start the service after boot-up, but it is not coming up automatically even when configured by chkconfig. I also get this after I attempt a restart...

Stopping auditd: [ OK ]
Error deleting rule (Operation not permitted)
Starting auditd: [ OK ]
The audit system is in immutable mode, no rules loaded

A tail of my /var/log/messages shows this...
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.524:73): item=1 name="/var/run/auditd.pid" inode=131143 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:var_run_t:s0
Nov 23 16:45:18 hostname kernel: type=1300 audit(1290548718.618:74): arch=c000003e syscall=87 success=no exit=-2 a0=7fff730b2f85 a1=7fff730b2f85 a2=2 a3=0 items=1 ppid=6243 pid=6248 auid=1111 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="delete"
Nov 23 16:45:18 hostname kernel: type=1307 audit(1290548718.618:74): cwd="/"
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.618:74): item=0 name="/var/run/auditd.pid" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
Nov 23 16:45:18 hostname kernel: type=1300 audit(1290548718.620:75): arch=c000003e syscall=87 success=yes exit=0 a0=7fff9b776f81 a1=7fff9b776f81 a2=2 a3=0 items=2 ppid=6243 pid=6249 auid=1111 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="delete"
Nov 23 16:45:18 hostname kernel: type=1307 audit(1290548718.620:75): cwd="/"
Nov 23 16:45:18 hostname auditd[6260]: Started dispatcher: /sbin/audispd pid: 6262
Nov 23 16:45:18 hostname audispd: af_unix plugin initialized
Nov 23 16:45:18 hostname audispd: audispd initialized with q_depth=80 and 1 active plugins
Nov 23 16:45:18 hostname auditd[6260]: Init complete, auditd 1.7.17 listening for events (startup state enable)


Red Hat :: Excluding Unlink To A Particular File In Audit.rules?

Apr 11, 2011

I am running RHEL 5.4 Server (32-bit) and have my audit.rules file set up per a template that I am required to use. There is one particular rule where audit is auditing the unlink of files. With this set, my log files are filling up very fast, as there is a particular app that constantly touches/deletes a couple of files, which the unlink is catching. Here is the audit rule:

-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

I commented out the "-S unlink" and my logging returns to normal (as expected). For right now, I was wondering if there was a way to set this rule up to exclude these couple of files from what auditd is capturing?

Security :: Setting Up Several Keys In Audit.rules File?

Mar 16, 2011

I am trying to lock down a server using audit.rules. I intend to use ausearch to review certain entries from time to time. I noticed that it's possible to assign a "key" to each rule and then use `ausearch -k` to show only the records that have that key. Unfortunately, the key feature seems broken. I started with the following rule in audit.rules:

Code:
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k deny
I do a `cat /etc/shadow` and a `ausearch -ts today -k deny` and it seems all went well.

[code]....


Security :: Audit.rules Does Not Retain Certain Settings After Reboot Or Service Restart?

Jan 11, 2011

I'm using RHEL 5 with the Enhanced Security. Using the suggested NISPOM Red Hat documented settings (located on the system; copy-paste), I have managed to audit failed file open accesses; however, this setting is only retained if I enter it at the command line (/sbin/auditctl -a ). If I reboot the system or restart the service, all my -a (not -w) rules located in /etc/audit/audit.rules are not retained.


Networking :: Check Older Iptable Rules That Were Loaded?

Oct 14, 2010

Is there a way to check older iptable rules that were loaded? I accidentally overwrote my iptables and that has killed internet access to all computers in the intranet. I must have accidentally deleted some line in the iptable rules and cannot figure how to get it back to how it was. I am using Debian 5.05 by the way.


Software :: Audit Tool In System To Count Number Of Times It Run?

Dec 30, 2009

I'm the POC for all my family's Linux computers. Is it possible to get statistics on which programs are accessed, how frequently, for how long and by which user?

When it comes time to upgrade, it would be useful so I know which programs to concentrate my testing on. I usually just e-mail and ask, but every time people forget to send me the programs they actually use.


OpenSUSE :: Add / Setting -auth -audit In X Server

May 21, 2010

I'm trying to add the -audit option to X Server. I run ps -ef | grep -v grep | grep "bin/X" and get:

root 2511 2506 0 10:35 tty7 00:00:09 /usr/bin/X:0 -br -verbose -auth /var/run/dgm/auth-for-gdm-sScn1P/database -nolisten tcp vt7

So I'm thinking that I need to add -audit to the /usr/bin/X file, but I believe that it's binary and created by something else, but I can't find that "something else". How on earth can I add this option? I have opened up 1,000,000,000,000,000,000,000 files (slight exaggeration) and I've come up empty.


Networking :: Do Enterprise Audit Of Server Environment?

Sep 27, 2010

One of our customers is looking at an enterprise audit of their data center (which primarily consists of Linux servers). We pointed them towards an SNMP-based tool that has some limitations. Any other recommendation is welcome...


Server :: Kernel Audit Msg Flooding After Yum Update

Mar 14, 2011

SELinux and psacct are disabled on this system (RHEL5.6 2.6.18-194.11.3.el5 SMP x86_64). After performing a yum update, the syslog is flooded with kernel audit messages (related to PAM), even though the audit service is turned off. Is there a way to disable this verbosity?

[Code]....


Ubuntu :: System Won't Boot, Can't Find Safe Mode, Can't Launch Recovery Mode

Nov 18, 2010

I attempted to install Catalyst 10.11 for my ATI HD 2600XT and the system now only displays lines and a large block of pixels where the mouse would go. CTRL-ALT-F1 kills the system and does not provide a command prompt. This is a single installation, not dual-boot, but there is no "Press Esc to access the Grub menu" prompt during startup, so I cannot choose safe mode. I attempted to get into Recovery mode using the flash drive that I used to install the system and it tells me there is no Recovery kernel (I used the 64-bit Desktop installer, not Alternate). Does anyone know an alternative to get into the Grub menu other than ESC during bootup? Alternatively, do I need to download the 64-bit Alternate ISO and create a new boot disk with it so I can access Recovery mode? Is there something else I'm not thinking of?


Ubuntu :: Append Data To A File Where Immutable Flag Is Set?

Mar 10, 2010

I want to append data to a file where the immutable flag is set. So I have tried this command, chattr +a file_name, to append data, but I am unable to append the data.


Networking :: Make A Network Interfaces Configuration Immutable?

Mar 24, 2011

Similar to the Linux command "chattr +i filename", I would sure like to set my eth0 interface immutable, so once I assign the eth0 interface's IP and gateway, it stays set until I say otherwise.

This way, I can run dhclient or NetworkManager on another interface without having to fret that it may alter this interface. Is there something out there that can do this?


Ubuntu :: Can't Create File /etc/udev/rules.d/70-android.rules?

Jun 19, 2011

I need to create the filename 70-android.rules in the directory /etc/udev/rules.d/. I have Adm privileges in my user account properties, but when I use sudo to create this file the Ubuntu OS does not allow me the privilege... I am running Ubuntu 10.04 LTS and here's the Terminal output below:

daddy@gatomon-laptop:/etc/udev/rules.d$ sudo cat > 70-android.rules
bash: 70-android.rules: Permission denied
daddy@gatomon-laptop:/etc/udev$ ls -l
total 8
drwxr-xr-x 2 root root 4096 2011-03-16 18:03 rules.d
-rw-r--r-- 1 root root  218 2010-04-19 04:30 udev.conf


Debian Configuration :: System | Administration | Services = Could Not Be Loaded?

May 26, 2010

Debian 2.6.32 Squeeze + Gnome. I try to start System | Administration | Services and I get an error:

The configuration could not be loaded
An unknown error occurred

I turned on a whole bunch of different services and suddenly now I can't get back in to switch any of these on or off. I'm assuming there is some manual way of switching these off again, I just don't know where to do this.


OpenSUSE Install :: Where Is Grub Loaded On Dual-boot System

Jan 24, 2010

I am currently rebuilding a couple of laptops and a desktop to dual boot Windows and Suse 11.2. Windows is installed on partition 1. On the laptops, the build goes fine and dual boot with grub is OK. No issues. But on the desktop, the exact same build (after all the on-line updates, etc) fails with "Operating system not found" on the final (and first) boot. It seems that the Suse 11.2 build is somehow resetting the active partition and the boot does not see grub or Windows. When I reset partition #1 back to "active", only Windows loads. So I guess I need to fix this by reinstalling grub. Or use the Windows boot loader.

(1) Where is grub located on my system?

(2) What partition is the Linux Master Boot Record on, if I wanted to use the Windows boot loader and do the following command to grab the 512 bytes I need:

dd if=/dev/sna? of=grub.bin bs=512 count=1

My partition layout is below. This is output from gdisk.exe in DOS7. It's an 80gig drive.

1 = Windows-7
2 = /boot
3 = swap

[code]....


General :: Chainload Into A System In A Fully Loaded Windows Desktop?

May 4, 2010

Out of curiosity, can you chainload a Linux system via a Windows executable within Windows at the ordinary desktop? Knowing Windows, there would be enough holes to write at any memory address without "permission", but can it be done with a humble executable? Or is Windows just too active, without the chance of nothing happening at any one point so that everything can be exited cleanly, non-existent? I'm not asking for a program or guide to do this and neither do I aim to do it. As I've stated, it is all out of curiosity on whether or not some sort of protection is in place to stop this kind of thing.


General :: Disable 3G USB Modem Internal Storage From Being Loaded By System Kernel?

Mar 1, 2011

I've got a problem with my 3G modem [Huawei E122].
It has internal storage and kernel assigns a device [/dev/sdX] to it.
Because of that, every second time my machine will not boot - kernel panic - as my usb hdd gets assigned /dev/sdb instead of /dev/sda.
I cannot use LABEL nor UUID in root= kernel parameter, as it is only available when using initrd, and I can't use it - I am using Debian on my router - mips architecture machine.
I have to prevent this from happening, as my router has to start everyday and I have to be sure it works ok. I don't have physical access to restart it when something goes wrong.
I don't use my modem internal storage, there's no SD card inserted. However kernel detects the reader and loads it.
I cannot prevent loading of USB drivers since my hdd is on USB as well.


Ubuntu Multimedia :: System Resources - Ripperx Plugins Are Loaded At Boot

Apr 29, 2010

I have installed RipperX and the Lame MP3 encoder, as well as Oggenc. I noticed that RipperX plugins are loaded at boot. The thing which concerns me is that there are multiple instances of a plugin with the same name showing in system monitor (or ps command). There are about 15 processes alone with the name "plugin-Lame."

Here's the output of ~$ ps x

Code:

Are these actually different? Or do I really have redundant instances running? I'm concerned because I have an old system with limited RAM, and all the plugins together make an impact. If they are all necessary and needed for RipperX, is there a way to have them load up when RipperX is started, rather than at boot-time?


Server :: Change From Graphic Mode To Text Mode In CentOS 5.3?

Sep 14, 2009

The system always boots up in Graphic Mode. After installation of the Web Server, I want to disable Graphic Mode and change it to boot to Text Mode to save memory. Is there a way to disable graphic mode?


Fedora Installation :: System Gets Loaded With A Bunch Of Fonts And Input Methods For Various Eastern Languages?

Nov 18, 2009

When I install I never select language support other than English, yet the system gets loaded with a bunch of fonts and input methods for various Eastern languages and I spend time taking them out. Why are they getting installed at all?


Server :: Require Iptables Rules For Web Server?

Jul 12, 2011

I have hosted a web server on CentOS 5.6. I need to write the rules for that server.

1. First, how can I flush the iptables?

i used this command
iptables -F
iptables -X

[code]...


Server :: How To Test If CPU0 And CPU1 Are Same Loaded

Apr 29, 2010

We've installed RHEL 4 (Linux Red Hat) on a VMware virtual machine. This virtual machine has 2 CPUs (CPU0 and CPU1). We also installed JBoss on it. But we notice that at run time the system load of one CPU is quite often 100%. I am not sure if this is caused by the application running on JBoss or whether there is an error in the configuration on Linux.


Server :: Mount Application Filesystems Only After OS Is Loaded?

Apr 13, 2011

I have servers where the disk is partitioned into OS and application partitions. The application is rather sloppy with its file handles, and frequently when there is a system crash, its file systems get corrupted. This will cause fsck to halt the boot, requiring me to get on a remote console, enter the root password, and fsck the file systems.

Is there a way to have just the OS partitions get checked and mounted, then check the application systems, only after the OS is loaded, so I can ssh into the system, instead of having to use a bandwidth-hogging remote console?

The app partitions are already at fsck level 2 in /etc/fstab, but this doesn't prevent OS loading from halting. If I set the fsck level to 0, I don't want the application to start if the partitions are unavailable. Should I just leave the fsck level at 0? Or should I have the partitions marked "noauto", then have a startup script run fsck and mount the app partitions?


Server :: Iptable Rules Some To Save And Some Not To Upon Reboot?

Apr 17, 2010

I am having a Xen server; the xend daemon is taking care of giving interface names like vif1.0 or vif0.2 to the connected guest operating systems on it. I cannot save the current IPTABLE rules since upon reboot the xend daemon gives different names to the virtual ethernet interfaces, i.e. vif1.0 or vif3.0 or vif9.0 like that. I have some rules that I want to be active upon subsequent reboots, and not all. Say for example an SSH to the external server at port 8000 should forward the request to a machine on the LAN, which I have done by port forwarding from IPTABLES. So I need to save some rules. I was thinking to make a script which on reboot activates those rules.

I am not clear on where to do that. I came across the internet and found /etc/network/if-up.d/. I am not clear with this directory; my question is, if I make a script which has the IPTABLE rules as I want and save it in the above folder, will it work? I am not clear with what /etc/network/if-up.d is for. Suppose my logic is wrong, then how should I go for it? Also I want to know, does a protocol use two ports to make a connection? I have forgotten that thing, i.e. if I run SMTP or ssh then do they use port 22 and 23 both in case of ssh, or 25 and 26 both for SMTP like that, or will just specifying the rules for one port be enough? I tested these rules in a secure environment where I had disabled the firewall, and ssh forwarding on the router worked well.


Ubuntu Security :: Setting IPTable Rules For FTP Server?

Jun 22, 2011

I recently set up an ftp server in my house running a dyndns service so I can get to it from the outside. I called my ISP to get some help in setting up the router to forward port 21 from the outside to that box, and in short we had some problems. Long story short, they ended up bypassing the router itself, and now the line running to the box is its own fixed external IP. Naturally I want a pretty darn good iptables setup for this. The box runs proftpd and so far my iptables only accepts local loopback and port 21. (I left port 80 closed as its only purpose is to be a standalone ftp server.) But I know there must be a safer rule for port 21, as right now it's just wide open. Anyone have any ideas on how to make this a bit safer? Also, would that command be fine for any of the Linux machines I'm connecting to it from on the outside too?


Networking :: Iptables Rules - Wireless Interface Got Ip From Another Server ?

Jun 18, 2010

The following is my setup: wireless server (the IP of this server is 192.168.1.1) -- target board (wireless client [the IP it got from the wireless server is 192.168.1.3], bridge (192.168.36.1)) -- Linux PC (192.168.36.3). As shown above, I have a target board, for that I have a wireless interface, and a Linux PC is connected to the target board. Now the IPs are like this: for the Linux PC 192.168.36.3, and my target board bridge IP is 192.168.36.1.

My wireless interface got its IP from another server, like 192.168.1.3. Now if I do a ping on my target board for 192.168.1.1 it goes through the wireless interface to the 192.168.1.1 wireless server. But when I do the same from the Linux PC connected to the target board it's not pinging; from the Linux PC I am able to ping 192.168.1.3 but not 192.168.1.1. I think I need to write an iptables rule properly on my target board to forward the 192.168.1.* packets to the wireless interface.


General :: Iptables Rules To Allow Nfs Clients Access To Nfs Server?

Jan 20, 2011

I'm curious but recently I was troubleshooting some iptables rules to allow nfs clients access to my nfs server. What was strange was that I setup a tcpdump session on my nfs server so that I can see which ports were being requested. I ran several tcpdump sessions with the following filters in place.

tcpdump -vv src ip_of_client and dst _ip_of_client
tcpdump -vv src hostname_of_client and dst hostname_of_client

However, the only packet I ever saw come over the wire to me was the client host asking for an ARP resolution. Anyhow, I finally just ran 'rpcinfo -p' and added those ports to my iptables rules and it worked great. However, I would like to understand how NFS works in case I need to troubleshoot it in the future. I do understand that NFS uses portmappers; would this explain the behavior?


Server :: After New Iptables Rules Proftpd Stopped Working?

Jun 30, 2009

I have just set up a firewall using iptables on CentOS 5.3, but there's an issue with FTP.
I can connect and I can log in, but when I give the command "ls" it says "entering passive mode"
and afterwards it times out. Do you know why? I have port 21 open in my firewall but still....


Server :: Email Content Filter Rules For Either Postfix

Feb 3, 2010

I want a mail server that can work just like MDaemon. The reason is, I want to have an email content filter rule that does something like this.

1. If the To Header contains "support@thisdomain" then run a program.
What this means is that, there is a program here in the office, and if some one sends an email to the support address, with an attachment of .exe and that person is a customer, then the program should be run. The only thing I need here is if there is a rule or script that can filter email header and run a program.

2. If the Exit Code from a previous 'Run program' rule is in the range of 1 to 100 and if the To Header contains "support@thisdomain" then send note1 "to<email address>" from <$SENDER$" "SUBJECT <AM ...>
and delete this message.

3. If the EXIT CODE from a previous 'Run program' rule is =0 and if the TO HEADER contains "support@thisdomain" then send note1 "to<email address>" from <$SENDER$" "SUBJECT <AM ...>
and delete this message.
