Questions tagged [auditd]

auditd is the Linux Audit daemon, the userspace component that writes the records produced by the Linux Auditing System to disk.

From auditd - Linux man page

Name

auditd - The Linux Audit daemon

Synopsis

auditd [-f] [-l] [-n] [-s disable|enable|nochange]

auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities. Configuring the audit rules is done with the auditctl utility. During startup, the rules in /etc/audit/audit.rules are read by auditctl. The audit daemon itself has some configuration options that the admin may wish to customize. They are found in the auditd.conf file.

29 questions
14 votes, 1 answer

How to stop journalctl showing audit logs and only keep it in a file?

I would like to have all auditd logs only in its own log file and keep my journalctl view less polluted with events that, most of the time, are generated by my own actions (single-user/personal computer). I've found how to either completely disable…
Wereii • 418
4 votes, 0 answers

How to get persistent audit logs?

I am currently trying to figure out which application is creating a mysterious socket file called "no" in my home directory. It happens only every few weeks, which is why I have set up auditd with the following rule in /etc/audit.d/rules.d/no: # This…
3 votes, 1 answer

How to enable systemd's journal audit transport?

I have been studying logging on Linux but I have come to a road-block that's got me stuck for the past few days. My goal is to forward logs from two raspberry pi 3's running OpenSUSE Tumbleweed (aarch64) to my laptop running Ubuntu 17.04. I'm using…
2 votes, 2 answers

Auditd - auditctl rule to monitor dir only (not all sub dir and files etc..)

I am trying to use auditd to monitor changes to a directory. The problem is that when I set up a rule, it monitors the directory I specified, but also all the subdirectories and files underneath it, making the monitoring useless due to endless…
2 votes, 0 answers

How to determine what script is deleting files in Linux?

I run a Plex Media Server (PMS) on an Ubuntu 22.04 system. There's been no update to the PMS libraries for a while, and I recently started adding a few movies to the collection. But what I've found is that within a few hours of adding a…
Dennis • 225
1 vote, 0 answers

How to record everyone who logs in to my Linux machines

I installed the package audit on my Linux Red Hat 6.x machine in order to view the record of each user that logs in to my Linux machine yum install audit kit installation from:…
maihabunash • 489
1 vote, 0 answers

Selinux policy to allow all access to script or to not log anything done by this script

I have a bash script running every 5 minutes in cron, that basically runs some commands like: mkdir, top, grep, date, wait, sleep, jstack. It runs on user bob. It generates a lot of logs and I want to filter it out from auditd. This script has to…
1 vote, 0 answers

Partition keeps getting corrupted. How to prevent or boot anyway?

I am running RHEL7, and my audit log partition randomly (not often, but often enough to annoy me) gets corrupted, preventing me from booting. How can I either prevent the partition from being corrupted, or ignore it and allow the system to continue…
1 vote, 0 answers

AuditD - right usage and syntax of -q flag in rules

I would like to use -q flag in auditd rule, but the rule with the -q flag is not working or even added into the rules list. I have rule like this: -a always,exit -F path=/home/lukashubl/ -q /home/lukashubl/dirtest,/home/lukashubl/dirtest/bin -F…
1 vote, 1 answer

How to configure Auditd to see directory name change?

In my /etc/audit/audit.rules, I have the following watch: -w /some/place/special -p rwxa -k my_key On my filesystem, I have the following tree: /some/place/special/foo/test-rename/james/sub-subdirectory1/a_file ...but no event is showing up in the…
Bill • 11
1 vote, 1 answer

RH / OL 6 auditd login user not audited

I want to audit all commands on Linux servers. We all have our own login accounts to do things but sometimes we need root access. That's no problem. But when logging in with my user my actions aren't logged. Any user I login with doesn't seem to be…
S.J. • 13
1 vote, 1 answer

auditctl: Syscall name unknown: socket

I have my original problem described here: https://serverfault.com/questions/958571/what-these-dns-queries-means. It's about UDP packets, the origin of which I cannot determine. To solve the problem I have followed the advice of user @A.B and…
klpu39 • 23
1 vote, 1 answer

Why does `tail -f /var/audit/current | praudit` just print 5 lines and exit immediately?

I want to follow my audit log live so I can watch for events, and pipe it through praudit to make it human readable. All commands below are run as root. When I run tail -f /var/audit/current | praudit it just prints the last 5 lines and immediately…
1 vote, 1 answer

How to Watch All Directories(Includes All Subdirectories) using Auditd?

I'm using a rule in auditd which is: -w /etc -p wa -k watch_etc But upon checking the report using ausearch -k watch_etc -ts today | aureport -f -i I can't seem to find the changes I've made in the directory /etc/auditd/rules.d/. However, creating a…
Gilroy • 111
1 vote, 0 answers

CentOS 7: what is the best value of audit.rules

I am now suffering from audit: backlog limit exceeded. I found some articles with a similar situation and they said to adjust the audit log count with audit.rules. Here is my audit.rules ## This file is automatically generated from /etc/audit/rules.d -D -b…