Hi! I was using auditbeat to connect to the audit kernel module and get
filesystem operations events from it. However, as I discussed in another
thread, it seems that the audit events kernel queue is buggy in kernel 3.1,
the kernel version available on CentOS 7. This means that if
auditbeat
OM> Perhaps a shell alias? What does `type rm` say?
# type rm
rm is aliased to `rm -i'
Thanks!
On Thu, Mar 18, 2021 at 5:01 PM Ondrej Mosnacek wrote:
> On Thu, Mar 18, 2021 at 8:32 PM Alan Evangelista
> wrote:
> > I'm trying to audit commands run in bash, including the comma
I'm trying to audit commands run in bash, including the commands' arguments.
The proctitle parameter in the PROCTITLE record seems to be the most
reliable source to get that, but it does not contain exactly the "rm"
command I have typed on bash. Example:
1) rm /data/test2,txt -f
type=SYSCALL
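Added example, not code from the thread or from the linux-audit project: a small Python decoder for the EXECVE and PROCTITLE records, run over constructed sample lines. The sample assumes that rm is aliased to `rm -i`, so the kernel actually executed `rm -i /data/test2,txt -f` rather than the command as typed. The kernel writes any "untrusted" string field that contains a space, quote or control byte as an uppercase hex string, and proctitle is the process's argv joined with NUL bytes, so the decoder un-hexes and splits on NUL. Record serials, timestamps and the second (ls) event are made up for the example.

```python
"""Decode argv from Linux audit EXECVE and PROCTITLE records.

Added example for this thread, not code from the linux-audit project.
The sample records below are constructed: they imitate audit.log output
for `rm /data/test2,txt -f` typed in a shell where rm is aliased to
`rm -i`, so the kernel sees argv = rm -i /data/test2,txt -f.
"""
import re
import shlex

SAMPLE_LOG = """\
type=EXECVE msg=audit(1616091613.220:42): argc=4 a0="rm" a1="-i" a2="/data/test2,txt" a3="-f"
type=PROCTITLE msg=audit(1616091613.220:42): proctitle=726D002D69002F646174612F74657374322C747874002D66
type=EXECVE msg=audit(1616091620.001:43): argc=1 a0="ls"
type=PROCTITLE msg=audit(1616091620.001:43): proctitle="ls"
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_untrusted(raw: str) -> bytes:
    """Decode one 'untrusted string' field (EXECVE aN, proctitle).

    The kernel writes such a value in double quotes when it is plain
    printable text and as an uppercase hex string otherwise: a space,
    quote, NUL or control byte forces the hex form.  That is why the
    proctitle of any multi-word command is always hex.
    """
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].encode()
    return bytes.fromhex(raw)


def parse_record(line: str):
    """Split one audit.log line into type, serial and a field dict."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return {"type": m["type"], "serial": int(m["serial"]),
            "fields": dict(FIELD_RE.findall(m["body"]))}


def execve_argv(fields: dict) -> list:
    """argv from an EXECVE record (a0 .. a{argc-1}).

    Very long arguments are split by the kernel into aN[0], aN[1], ... with
    an aN_len field; that chunked form is not handled by this example.
    """
    argc = int(fields["argc"])
    return [decode_untrusted(fields[f"a{i}"]).decode("utf-8", "surrogateescape")
            for i in range(argc)]


def proctitle_argv(fields: dict) -> list:
    """argv from a PROCTITLE record: /proc/PID/cmdline, i.e. NUL-separated."""
    raw = decode_untrusted(fields["proctitle"])
    return [p.decode("utf-8", "surrogateescape") for p in raw.split(b"\x00") if p]


def argv_by_event(log_text: str) -> dict:
    """Group records by event serial -> {'EXECVE': argv, 'PROCTITLE': argv}."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {})
        if rec["type"] == "EXECVE":
            ev["EXECVE"] = execve_argv(rec["fields"])
        elif rec["type"] == "PROCTITLE":
            ev["PROCTITLE"] = proctitle_argv(rec["fields"])
    return events


def typed_matches_recorded(typed: str, argv: list) -> bool:
    """True when the command as typed equals what the kernel actually executed."""
    return shlex.split(typed) == argv


if __name__ == "__main__":
    events = argv_by_event(SAMPLE_LOG)
    for serial, ev in sorted(events.items()):
        print(serial, "EXECVE   ", shlex.join(ev["EXECVE"]))
        print(serial, "PROCTITLE", shlex.join(ev["PROCTITLE"]))
    # The alias inserts -i, so the typed text does not match the recorded argv.
    print(typed_matches_recorded("rm /data/test2,txt -f", events[42]["PROCTITLE"]))
```

When comparing what was typed against what audit recorded, compare argv lists rather than joined strings: the shell expands aliases, globs and variables before execve, so the recorded argv is what the kernel saw, not the keystrokes.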
AV> I'm using CentOS7 with kernel 3.10.0-1160.15.2.el7.x86_64 and trying to
> test the backlog, but it seems it's not working at all.
RB> Which minor version of CentOS7 is this?
7.9.2009 (latest CentOS 7 version)
--
Linux-audit mailing list
Linux-audit@redhat.com
PM> The audit queue mechanism (backlog) was pretty messed up in older
kernels, and while we've fixed it in modern kernels, I believe that
not all of the changes have been backported to the older distribution
kernels.
Do you know in which kernel version this mechanism was fixed?
This information
RB> since you haven't indicated if you have tried and
> tested this already, please start by running those
> simple commands while the auditd service is running
> and verifying that those commands do get logged as
> expected. If they don't, fix that first.
The commands are
AFAIK, the purpose of the backlog (a queue of audit events in the kernel)
is to assure no events are lost when events are generated at a faster speed
than they are consumed.
" while creating new audit
rules.
On Wed, Mar 10, 2021 at 4:06 PM Steve Grubb wrote:
> On Wednesday, March 10, 2021 5:53:42 AM EST Alan Evangelista wrote:
> > OM> Not sure if this is it, but there is a "-" missing before the "S"
> > before "renameat2"
OM> Not sure if this is it, but there is a "-" missing before the "S" before
"renameat2".
This was indeed the issue. I found out that that was the issue when I ran
"auditctl -l". Thank you.
Is there any reason why augenrules and auditctl -R don't print errors to
stdout when rules parsing errors
I have the following audit rule:
-a exit,always -F dir=/data -F arch=b64 -S open -S unlink -S unlinkat -S
link -S rename -S renameat S renameat2 -S chmod -S fchmod -S fchmodat -S
chown -S fchown -S fchownat -S mkdir -S rmdir -S setxattr -S lsetxattr -S
fsetxattr -S removexattr -S lremovexattr -S
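Added example, not part of audit-userspace: a Python linter for auditctl rule lines that catches the defect discussed in this thread (a syscall name that lost its "-S", leaving a bare "S" token) before the rule is handed to augenrules or auditctl -R. It walks the tokens with the option table from auditctl(8), flags any argument that no option consumes, and sanity-checks -a action,list and -F field<op>value. The two rules at the bottom are constructed, shortened versions of the thread's rule, and the -k key is made up. Confirming with "auditctl -l" after loading is still the authoritative check.

```python
"""Lint auditctl rule lines before loading them with augenrules / auditctl -R.

Added example for this thread, not part of audit-userspace.  It catches a
syscall name that lost its -S (leaving a bare "S" token) before the rule is
ever handed to auditctl.  The rules at the bottom are constructed, shortened
versions of the rule discussed in the thread.
"""
import shlex

# Rule-file options from auditctl(8); True = option consumes the next token.
OPTIONS = {
    "-a": True, "-A": True, "-d": True, "-w": True, "-W": True,
    "-F": True, "-C": True, "-S": True, "-p": True, "-k": True,
    "-b": True, "-e": True, "-f": True, "-r": True, "-R": True,
    "-D": False, "-c": False, "-i": False,
}
ACTIONS = {"always", "never"}
LISTS = {"task", "exit", "user", "exclude", "filesystem"}
FIELD_OPS = ("=", "<", ">", "&")   # covers =, !=, <, >, <=, >=, &, &=


def lint_rule(rule: str) -> list:
    """Return the problems found in one rule line (empty list == looks valid)."""
    problems = []
    tokens = shlex.split(rule, comments=True)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok not in OPTIONS:
            if tok.startswith("-"):
                problems.append(f"token {i}: unknown option {tok!r}")
            else:
                # A bare word that no option consumed: exactly the "S renameat2"
                # case, where "S" and then "renameat2" dangle after "-S renameat".
                prev = tokens[i - 1] if i else None
                problems.append(f"token {i}: stray argument {tok!r} after {prev!r} "
                                f"(missing -S/-F/-k?)")
            i += 1
            continue
        if not OPTIONS[tok]:
            i += 1
            continue
        if i + 1 >= len(tokens) or tokens[i + 1] in OPTIONS:
            problems.append(f"token {i}: option {tok} needs a value")
            i += 1
            continue
        val = tokens[i + 1]
        if tok in ("-a", "-A", "-d"):
            # auditctl accepts both always,exit and exit,always.
            parts = set(val.split(","))
            if len(parts) != 2 or not parts & ACTIONS or not parts & LISTS:
                problems.append(f"token {i}: {tok} {val!r} is not action,list")
        elif tok == "-F" and not any(op in val for op in FIELD_OPS):
            problems.append(f"token {i}: -F {val!r} is not field<op>value")
        i += 2
    return problems


def lint_rules_file(text: str) -> dict:
    """Map 1-based line number -> problems, for every line that has any."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        probs = lint_rule(line)
        if probs:
            report[n] = probs
    return report


# Constructed: same defect as the thread's rule ("S renameat2" lost its dash).
BROKEN_RULE = ("-a exit,always -F dir=/data -F arch=b64 -S open -S unlink "
               "-S rename -S renameat S renameat2 -S chmod -k data-access")
FIXED_RULE = BROKEN_RULE.replace(" S renameat2", " -S renameat2")

if __name__ == "__main__":
    for p in lint_rule(BROKEN_RULE):
        print("BROKEN:", p)
    print("FIXED:", lint_rule(FIXED_RULE) or "no problems")
```

The linter only checks token structure; it does not know the syscall table, so a misspelled syscall name still has to be caught by auditctl itself (and by checking "auditctl -l" afterwards).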
If I run the rmdir command with a directory path with a slash at its end,
Audit doesn't record the deleted directory path.
Audit rule:
-a always,exit -F dir=/sasdata -F arch=b64 -S creat -S open -S openat -S
unlink -S unlinkat -S symlink -S symlinkat -S link -S linkat -S rename -S
renameat -S
rations on the Windows
side.
On Sat, Feb 27, 2021 at 6:44 PM Richard Guy Briggs wrote:
> On 2021-02-26 22:17, Alan Evangelista wrote:
> > Each syscall has some arguments and the Linux Audit framework logs each
> > pointer argument as a memory address instead of its values. For instan
Each syscall has some arguments and the Linux Audit framework logs each
pointer argument as a memory address instead of its values. For instance,
when tracking the setxattr syscall, I get its arguments in the following
format:
"a0":"55f3604ba000"
"a1":"7f1b0bd342fd"
"a2":"55f3604d9b20"
"a3":"38"