On Wednesday, July 13, 2016 3:22:01 PM EDT Chris Nandor wrote:
> The buffering appears to be on the client side, because if I restart the
> server's auditd, those lines are not lost: they still appear in the remote
> log ... but not until the next time I run `sudo ls` on the client side.
>
> This
On Thu, Jul 14, 2016 at 4:18 PM, William Roberts wrote:
>
>
> On Thu, Jul 14, 2016 at 3:17 PM, Paul Moore wrote:
>
>> On Thu, Jul 14, 2016 at 3:29 PM, wrote:
>> > From: William Roberts
>> >
>> > ioctlcmd is currently printing hex numbers, but there is no leading
>> > 0x. Thus things like ioct
On Thu, Jul 14, 2016 at 3:17 PM, Paul Moore wrote:
> On Thu, Jul 14, 2016 at 3:29 PM, wrote:
> > From: William Roberts
> >
> > ioctlcmd is currently printing hex numbers, but there is no leading
> > 0x. Thus things like ioctlcmd=1234 are misleading, as the base is
> > not evident.
> >
> > Corr
On Thu, Jul 14, 2016 at 3:29 PM, wrote:
> From: William Roberts
>
> ioctlcmd is currently printing hex numbers, but there is no leading
> 0x. Thus things like ioctlcmd=1234 are misleading, as the base is
> not evident.
>
> Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes
> ioctlc
On Thu, Jul 14, 2016 at 10:59 AM, Steve Grubb wrote:
> Fix the whitespace in the CWD record
>
> Signed-off-by: Steve Grubb
> ---
> kernel/auditsc.c |2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Generally I don't like merging patches this late, but this patch is so
trivial I'll make
Ah, I see. I didn't get that it was sudo itself doing it (assuming it was
linked to libaudit). Yes, in 12.04, libaudit is not part of the base
system. I've tried it in a vagrant box under 16.04, ldd reports libaudit
is linked, and it works fine there.
I think we'll just skip pam_tty_audit (sinc
On Thursday, July 14, 2016 12:44:02 PM EDT Chris Nandor wrote:
> So how do I get it then?
You just run a command under sudo and it does it. There is a chance that your
copy of sudo does not have auditing enabled. You can try using ldd to see if
it's linked to the audit libraries. If not, then its
So how do I get it then? I found a 9-year old mail from you about bash --audit
and aubash but that isn't working for me.
> On Jul 14, 2016, at 12:06, Steve Grubb wrote:
>
>> On Thursday, July 14, 2016 10:44:46 AM EDT Chris Nandor wrote:
>> Sorry, I guess I should have been more clear ... what
On Thursday, July 14, 2016 10:44:46 AM EDT Chris Nandor wrote:
> Sorry, I guess I should have been more clear ... what sort of rule would
> make it show up? I'm not seeing it.
It's hardwired. You don't need to add a rule. The rules that you add always
result in SYSCALL events. You should also add
Hi All,
Please ask me one question regarding about of RHEL security. To hack RHEL
root privilege is possible or not? Even this system didn't try to patch
update CVE, RHSA and so on.
Thanks in advance for your feedback.
All the best,
-Aung
On Thu, Jul 14, 2016 at 10:30 PM, wrote:
> Send Linu
Sorry, I guess I should have been more clear ... what sort of rule would
make it show up? I'm not seeing it.
On Thu, Jul 14, 2016 at 10:37 AM, Steve Grubb wrote:
> On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
> > How does one get USER_CMD records into the audit.log?
>
> The su
On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
> How does one get USER_CMD records into the audit.log?
The sudo command is the usual way.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
How does one get USER_CMD records into the audit.log?
--Chris
On Thursday, July 14, 2016 6:10:00 PM EDT Mateusz Piotrowski wrote:
> Hello,
>
> Thank you for your reply! It is absolutely amazing. It clarified a lot.
>
> >> b) Why are some records separated by a comma and a
> >>
> >> whitespace? Example:
> >>type=DAEMON_START msg=audit(1363713
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Correct the header length for dispatched events
- Revise buffer handling in auditd to fix dispatched events
- Fix spe
Hello,
Thank you for your reply! It is absolutely amazing. It clarified a lot.
>> b) Why are some records separated by a comma and a
>> whitespace? Example:
>>
>>type=DAEMON_START msg=audit(1363713609.192:5426): auditd start,
>> ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64
Fix the whitespace in the CWD record
Signed-off-by: Steve Grubb
---
kernel/auditsc.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff -urp linux-4.7.0-0.rc4.git1.1.fc23.x86_64.orig/kernel/auditsc.c
linux-4.7.0-0.rc4.git1.1.fc23.x86_64/kernel/auditsc.c
--- linux-4.7.0-0.rc4.git1.1.