RE: audit review question

2016-04-29 Thread Warron S French
Thank you Steve. That is very helpful. Have a nice weekend. Warron French, MBA, SCSA -Original Message- From: Steve Grubb [mailto:sgr...@redhat.com] Sent: Friday, April 29, 2016 3:18 PM To: Warron S French Cc: linux-audit@redhat.com Subject: Re: audit review question On Thursday, A

Re: Centralized Logging question #2

2016-04-29 Thread F Rafi
We're syslogging to a hosted search provider (somewhat like Splunk). They don't currently support automatic auditd log parsing. However, we have written custom scheduled alerts based on the syscalls we're logging. I believe someone also posted a Splunk auditd app a while back. https://splunkbase.s

Re: Centralized Logging question #2

2016-04-29 Thread Steve Grubb
On Thursday, April 28, 2016 07:55:13 PM Warron S French wrote: > If I centralize audit logging through rsyslog, and I have each of the remote > machines' /etc/rsyslog.conf to use the same generic audit.log file name > instead of customizing the audit logs with something like; > HOSTNAME-audit.log,

Re: audit review question

2016-04-29 Thread Steve Grubb
On Thursday, April 28, 2016 03:50:33 PM Warron S French wrote: > Steve, thanks for your replies to all of my questions. > > Can you please send me a walk-through document for trying to send the 6 > workstations' and 1 server's audit-data into the same directory structure? > Something that will defi

Re: Excluding stat syscall logging for specific path

2016-04-29 Thread Vincas Dargis
2016.04.29 21:48, Steve Grubb wrote: No, there is no such file at all, and shouldn’t be, but apache2 tries to check it, hence the success=0 case is spammed into the logs. Normally ENOENT failures are not a security concern. Normally EACCES and EPERM are what attempted security policy violations ret

Re: Excluding stat syscall logging for specific path

2016-04-29 Thread Steve Grubb
On Friday, April 29, 2016 09:16:17 PM Vincas Dargis wrote: > 2016.04.29 21:00, Steve Grubb wrote: > > On Friday, April 29, 2016 08:56:26 PM Vincas Dargis wrote: > >> When playing/learning with auditd, I wanted to log events when apache > >> fails to access file. > >> > >> Here's the rules I used in

Re: Excluding stat syscall logging for specific path

2016-04-29 Thread Vincas Dargis
2016.04.29 21:00, Steve Grubb wrote: On Friday, April 29, 2016 08:56:26 PM Vincas Dargis wrote: Hi, When playing/learning with auditd, I wanted to log events when apache fails to access file. Here's the rules I used in Debian Wheezy (same on Jessie and current latest Testing): -a exit,neve

Re: Excluding stat syscall logging for specific path

2016-04-29 Thread Steve Grubb
On Friday, April 29, 2016 08:56:26 PM Vincas Dargis wrote: > Hi, > > When playing/learning with auditd, I wanted to log events when apache fails > to access file. > > Here's the rules I used in Debian Wheezy (same on Jessie and current > latest Testing): > > -a exit,never -F arch=b64 -S stat

Excluding stat syscall logging for specific path

2016-04-29 Thread Vincas Dargis
Hi, When playing/learning with auditd, I wanted to log events when apache fails to access file. Here's the rules I used in Debian Wheezy (same on Jessie and current latest Testing): -a exit,never -F arch=b64 -S stat -F path=/var/www/server-status -k web -a exit,always -F arch=b64 -S stat

Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log

2016-04-29 Thread Vincas Dargis
2016.04.29 18:41, Richard Guy Briggs wrote: You are welcome to your rant. I quite like mailing lists and IRC. I hate most other social media and forums. What do you suggest instead? Hi, I guess it's plain personal preference, but I just get annoyed once I have to deal with lists. That's why

audit 2.5.2 released

2016-04-29 Thread Steve Grubb
Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - Fix memory leak caused by unneeded reference in auparse python bindings - Revise function hiding technique to better

Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log

2016-04-29 Thread Steve Grubb
On Friday, April 29, 2016 07:07:06 PM Vincas Dargis wrote: > 2016.04.29 16:39, Steve Grubb wrote: > > You'll have to ask the AppArmor folks. I gave them a whole block of > > numbers to use for their own purposes so that we don't have any problems. > > If they instead create malformed SE Linux events

Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log

2016-04-29 Thread Vincas Dargis
2016.04.29 16:39, Steve Grubb wrote: You'll have to ask the AppArmor folks. I gave them a whole block of numbers to use for their own purposes so that we don't have any problems. If they instead create malformed SE Linux events, then things will never work right unless they patch them. Thank you

Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log

2016-04-29 Thread Richard Guy Briggs
On 16/04/29, Vincas Dargis wrote: > P.S. How do I actually reply to original thread that I did not > receive, since I just subscribed? I thought I could maybe find raw > message in archive https://www.redhat.com/archives/linux-audit/ but > there aren't (no such message in 2014-May/Jun gz) . Oh how

Re: PID's Mapping

2016-04-29 Thread Richard Guy Briggs
On 16/04/29, Deepika Sundar wrote: > Thank you > From init pid namespace How can we access the child pid-namespace PID's? There are a number of helper functions and macros referenced in include/linux/sched.h starting with task_pid() and following and in kernel/pid.c and include/linux/pid.h. Some

Re: PID's Mapping

2016-04-29 Thread Deepika Sundar
Thank you From init pid namespace How can we access the child pid-namespace PID's? On 29-Apr-2016 7:33 pm, "Richard Guy Briggs" wrote: > On 16/04/29, Deepika Sundar wrote: > > Thank You for the valuable Response RGB. > > > > As you mentioned in the above statement is what I was looking for, "The

Re: PID's Mapping

2016-04-29 Thread Richard Guy Briggs
On 16/04/29, Deepika Sundar wrote: > Thank You for the valuable Response RGB. > > As you mentioned in the above statement is what I was looking for, "There > is a mapping from the PID in the initial PID namespace to its PID in a > child PID namespace". > As per your context, Is it initial PID name

Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log

2016-04-29 Thread Steve Grubb
On Friday, April 29, 2016 10:03:02 AM Vincas Dargis wrote: > There was email about fixing ausearch for AppArmor: > > https://www.redhat.com/archives/linux-audit/2014-May/msg00094.html > > Is there any progress regarding that issue? You'll have to ask the AppArmor folks. I gave them a whole block

Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log

2016-04-29 Thread Vincas Dargis
Hi, There was email about fixing ausearch for AppArmor: https://www.redhat.com/archives/linux-audit/2014-May/msg00094.html Is there any progress regarding that issue? I have tried to search for AVC on Debian Testing (auditd 2.4.5), and it fails to "grep" me AppArmor related events. P.S. How do