Ubuntu :: Audit Trail Of Commands?
Jan 7, 2011 I would like to log all the commands executed (in full) by all the users, or at least myself.
The lastcomm package doesn't store the full command.
I'd like to know how I rotate the audit logs under "/var/log/audit/audit.log" every 6 months. Currently I have set the parameter inside /etc/audit/auditd.conf to "KEEP_LOGS" (previously "ROTATE") and log files are generated up to the size 5M and never deleted. Do I need to change something inside the "/etc/audit/audit.rules" file?
[root@RHEL5 ~]# more /etc/audit/auditd.conf
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
[Code].....
I am trying to set up auditing for NISPOM requirements using the built-in Linux audit kernel, which uses auditd and audit.rules for setup. I have been able to meet all other requirements, but I cannot find a way to audit user logout actions. My audit.rules file is listed below.
Code:
# This file contains a sample audit configuration intended to
# meet the NISPOM Chapter 8 rules.
[code]....
When the audit daemon starts and stops, I see DAEMON_START and DAEMON_STOP in the audit log. I don't see a rule in audit.rules about logging this event, so I'm guessing that it's a rule built into the audit daemon. Can you confirm this? Also, I've been looking for an explanation of the event types that the audit daemon logs, such as USER_AUTH, USER_ACCT, CRED_ACQ. If you know of any docs that explain this,
I'm trying to add the -audit option to X Server. I run ps -ef | grep -v grep | grep "bin/X" and get:
root 2511 2506 0 10:35 tty7 00:00:09 /usr/bin/X:0 -br -verbose -auth /var/run/dgm/auth-for-gdm-sScn1P/database -nolisten tcp vt7
So I'm thinking that I need to add -audit to the /usr/bin/X file, but I believe that it's binary and created by something else, and I can't find that "something else". How on earth can I add this option? I have opened up 1,000,000,000,000,000,000,000 files (slight exaggeration) and I've come up empty.
One of our customers is looking at an enterprise audit of their data center (which primarily consists of Linux servers). We suggested an SNMP-based tool to them, which has some limitations. Any other recommendation is welcome...
View 1 Replies View RelatedStrange :during the configure. I have checked :checking for struct audit_tty_status... no#uname -aLinux lfslc5 2.6.18.8-xenU-64b #1 SMP Tue May 6 18:09:10 CEST 2008 x86_64 x86_64 x86_64 GNU/Linux
SELinux and psacct are disabled on this system (RHEL 5.6, 2.6.18-194.11.3.el5 SMP x86_64). After performing a yum update, the syslog is flooded with kernel audit messages (related to PAM), even though the audit service is turned off. Is there a way to disable this verbosity?
[Code]....
I am running RHEL 5.4 Server (32-bit) and have my audit.rules file set up per a template that I am required to use. There is one particular rule that audits the unlink of files. With this set, my log files are filling up very fast, as there is a particular app that constantly touches/deletes a couple of files, which the unlink rule is catching. Here is the audit rule:
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
I commented out the "-S unlink" and my logging returns to normal (as expected). For right now, I was wondering if there was a way to set this rule up to exclude these couple of files from what auditd is capturing?
How could I automate the audit of the computer hardware present in the network?
How do I audit and delete unwanted rpm packages? How do I back up the repository list from YaST2?
I ran a test where I filled up the /var partition. The disk_full_action in auditd.conf is SUSPEND. I was expecting to see a message in /var/log/messages to indicate that the audit daemon was suspended because it did not have any space left on the partition. Why didn't I get these messages? Also, how can I tell if the audit daemon is suspended?
We have set up a separate partition to keep our audit files, but I am at a loss to figure out how to redirect the log files to be stored there instead of the default.
I am sure it is a simple matter but I have been unable to locate the information.
I am trying to lock down a server using audit.rules. I intend to use ausearch to review certain entries from time to time. I noticed that it's possible to assign a "key" to each rule and then use `ausearch -k` to show only the records that have that key. Unfortunately, the key feature seems broken. I started with the following rule in audit.rules:
Code:
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k deny
I do a `cat /etc/shadow` and an `ausearch -ts today -k deny` and it seems all went well.
[code]....
I am using Fedora 9, with kernel version 2.6.25-14.fc9.i686. I installed rsh-server. My configuration (with firewalls off) was:
1. In /etc/xinetd.d/rsh changed "disable = yes" to "disable = no"
2. In /etc/securetty included the lines rsh and rlogin
3. After switching to user 'user1', in /home/user1/.rhosts included the IP address of the remote machine and issued 'chmod 400 /home/user1/.rhosts'
4. Restarted the xinetd service
When I issue the following from the remote machine: rsh <ip address> -l user1 ls, it fails saying 'Error sending audit event.' In 'tail -f /var/log/messages' I could see the error dump:
socket bind: Invalid argument (errno = 22) Error sending audit event.
Need to track which users are making changes to production files. I have a small number of administrators with access to su, but I need to be able to identify which administrator is making changes to which files after they have done su. I have read several posts and articles regarding the auditd tool, but it is not clear to me whether this tool can generate a log that shows the original user and the file being altered.
I have /var/log/audit and /var/log/audit.log owned by root with 600 permissions. I've also removed and made an empty /var/log/audit directory, but that did not work either. I can start the service after boot-up, but it is not coming up automatically even when configured by chkconfig. I also get this after I attempt a restart...
Stopping auditd: [ OK ]
Error deleting rule (Operation not permitted)
Starting auditd: [ OK ]
The audit system is in immutable mode, no rules loaded
A tail of my /var/log/messages shows this...
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.524:73): item=1 name="/var/run/auditd.pid" inode=131143 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:var_run_t:s0
Nov 23 16:45:18 hostname kernel: type=1300 audit(1290548718.618:74): arch=c000003e syscall=87 success=no exit=-2 a0=7fff730b2f85 a1=7fff730b2f85 a2=2 a3=0 items=1 ppid=6243 pid=6248 auid=1111 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="delete"
Nov 23 16:45:18 hostname kernel: type=1307 audit(1290548718.618:74): cwd="/"
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.618:74): item=0 name="/var/run/auditd.pid" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
Nov 23 16:45:18 hostname kernel: type=1300 audit(1290548718.620:75): arch=c000003e syscall=87 success=yes exit=0 a0=7fff9b776f81 a1=7fff9b776f81 a2=2 a3=0 items=2 ppid=6243 pid=6249 auid=1111 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="delete"
Nov 23 16:45:18 hostname kernel: type=1307 audit(1290548718.620:75): cwd="/"
Nov 23 16:45:18 hostname auditd[6260]: Started dispatcher: /sbin/audispd pid: 6262
Nov 23 16:45:18 hostname audispd: af_unix plugin initialized
Nov 23 16:45:18 hostname audispd: audispd initialized with q_depth=80 and 1 active plugins
Nov 23 16:45:18 hostname auditd[6260]: Init complete, auditd 1.7.17 listening for events (startup state enable)
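The records above also answer the earlier question about tracking administrators after su: auid (the login uid, 1111 here) survives the switch to root while uid becomes 0. As an added example that is not part of any post on this page, the following Python parser groups SYSCALL/CWD/PATH records by their serial number and flags events where the login uid differs from the uid the syscall ran as; the sample records are constructed, abbreviated from the excerpt quoted above.

```python
import re
from collections import defaultdict
TYPE_NAMES = {"1300": "SYSCALL", "1302": "PATH", "1307": "CWD"}  # numeric when the kernel logs via syslog
UNSET_AUID = "4294967295"  # -1 as unsigned: no login uid was recorded for the process
REC_RE = re.compile(r'type=(\S+) (?:msg=)?audit\([\d.]+:(\d+)\): (.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Constructed sample, abbreviated from the /var/log/messages excerpt quoted above:
# login uid 1111 has become root (uid=0) and runs rm on /var/run/auditd.pid.
SAMPLE = """\
Nov 23 16:45:18 hostname kernel: type=1300 audit(1290548718.618:74): arch=c000003e syscall=87 success=no exit=-2 auid=1111 uid=0 euid=0 comm="rm" exe="/bin/rm" key="delete"
Nov 23 16:45:18 hostname kernel: type=1307 audit(1290548718.618:74): cwd="/"
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.618:74): item=0 name="/var/run/auditd.pid" inode=131073 ouid=0
Nov 23 16:45:18 hostname kernel: type=1300 audit(1290548718.620:75): arch=c000003e syscall=87 success=yes exit=0 auid=1111 uid=0 euid=0 comm="rm" exe="/bin/rm" key="delete"
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.620:75): item=0 name="/var/run/" ouid=0
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.620:75): item=1 name="/var/run/auditd.pid" ouid=0
"""

def parse_records(text):
    """Group the SYSCALL, CWD and PATH records of each event by its serial number."""
    events = defaultdict(lambda: {"syscall": None, "cwd": None, "paths": []})
    for line in text.splitlines():
        m = REC_RE.search(line)
        if not m:
            continue  # not an audit record
        rtype = TYPE_NAMES.get(m.group(1), m.group(1))
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
        ev = events[m.group(2)]
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
    return events

def file_changes(text):
    """One row per syscall event: login uid (auid) vs. the uid it ran as, binary, files, outcome."""
    rows = []
    for serial, ev in sorted(parse_records(text).items(), key=lambda kv: int(kv[0])):
        sc = ev["syscall"]
        if sc is None:
            continue  # PATH/CWD records whose SYSCALL record is missing (truncated log)
        auid, uid = sc.get("auid"), sc.get("uid")
        rows.append({
            "serial": serial, "login_uid": auid, "uid": uid, "exe": sc.get("exe"), "key": sc.get("key"),
            "success": sc.get("success") == "yes", "cwd": ev["cwd"], "files": [p for p in ev["paths"] if p],
            "switched_user": auid not in (None, UNSET_AUID) and auid != uid,  # auid survives su/sudo
        })
    return rows
```

Syscall 87 on x86_64 is unlink, so these two events are exactly what the "-k delete" rule quoted earlier in this thread list produces; the "key" column lets you filter the rows the same way `ausearch -k` does.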
I'm the POC for all my family's Linux computers. Is it possible to get statistics on which programs are accessed, how frequently, for how long and by which user?
When it comes time to upgrade, it would be useful so I know which programs to concentrate my testing on. I usually just e-mail and ask, but every time people forget to send me the programs they actually use.
I'm using RHEL 5 with Enhanced Security. Using the suggested NISPOM Red Hat documented settings (located on the system; copy-paste) I have managed to audit failed file open accesses; however, this setting is only retained if I enter it at the command line (/sbin/auditctl -a). If I reboot the system or restart the service, all my -a (not -w) rules located in /etc/audit/audit.rules are not retained.
The Defense Security Service's (DSS) National Industrial Security Program Operating Manual (NISPOM) requires collection of specific audit events.
System Access: (This works)
Unauthorized File Access: (This does not work)
I need to be able to ausearch and find if any of the above failed attempts exist. However, upon testing any and all of the above, a failed audit does not appear in the /var/log/audit/audit.log file. Supposedly, the nispom.rules file that comes with Red Hat is designed to accomplish this requirement.
The nispom.rules file was copied from /usr/share/doc/audit-1.5.5/nispom.rules to /etc/audit/audit.rules and has NOT been modified.
Our audit version is: audit-1.5.5-7.el5. We verified that the audit.rules file is being read by placing a syntax error in the file. An error message was returned, which confirms that the file is being read.
I'm new to Fedora 15 and I like it! In Ubuntu there are some commands to clean the system, deb packages, etc., like:
Code:
I know the last
Code:
Edit: commands like Firefox work after I set it to display properly. I still can't get personal scripts to run, though. I can't seem to get crontab to run my commands. I add
Code:
* * * * * /home/username/script
but it doesn't seem to work. The script itself works in the shell.
I installed KDE on my Ubuntu 10.04 yesterday, and I tried to log in afterwards. The initial page is shown when KDE detects the hard disk and other devices, but after it shows the hard disk, a black screen is shown for a few seconds and it jumps back to the login screen. I tried these commands to install KDE:
Code:
sudo apt-get install kubuntu-desktop
Code:
sudo apt-get install kde-standard
Neither works.
I have Ubuntu installed and vi version 7.2.79, but when I try to use commands in vi most of them are not working. I am referring to [URL]... to execute commands in vi.
I was wondering if somebody could possibly list some useful/essential Terminal commands that would benefit me, and maybe give a brief explanation of their function?
If not, is there a page you could direct me to that would teach what I asked for above?
How do I export the last 10-15 commands that I typed into the command line?
I want to keep a record of what I have done in my lab book.
I had Ubuntu working fine, but then I started tinkering with the DISPLAY variable and maybe some other X server settings, and now the system is stuck at the login screen. If I type in my password and hit enter, it will go to a black screen and then go back to the login screen. When I enter console mode with Ctrl-Alt-F1, I can log in fine, but I cannot run any X commands successfully.
$ startx gives the error:
xauth: error in locking authority file /home/system/.Xauthority
Fatal server error:
Server is already active for display 0.
If this server is no longer running, remove /tmp/.X0-lock and start again
Please consult the The X.Org Foundation support at http://wiki.x.org for help
ddxSigGiveUp: Closing log
No Protocol specified
xinit: giving up
xinit: unable to connect to X server: Connection refused
xinit: server error
xauth: error in locking authority file /home/system/.Xauthority
I removed that file as directed, but it didn't fix anything.
$ gdm gives the error:
** (gdm-binary:1668 ): WARNING **: Failed to acquire org.gnome.DisplayManager: Connection ":1.36" is not allowed to own the service "org.gnome.DisplayManager" due to security policies in the configuration file
** (gdm-binary:1668 ): WARNING **: Could not acquire name; bailing out
I've tried running the command $ sudo dpkg-reconfigure xserver-xorg, but it didn't change anything.
I'm not quite sure where I should post this, but here goes... I installed XAMPP and got it running, but I'm not too sure how I should be able to run PHP commands, as in from the command line?
Is this part of the forum the correct one where I'm asking about the terminal? Why is there no tunnel specified for terminal/console in this forum?
1. How can I find tutorials for the special characters below, which are used in the terminal:
Code:
~ ^ * _ - + ; : ? ' " ! @ # $ % & {} [] () <> / | ./ Space-bar Tab-Key Return
on the web or through the man pages in the terminal?
2. How can I copy/print my CLI command list (default + installed) that comes with "man <Tab> <Tab>", or other man pages that are shown over several pages within the terminal/console?