Re: [PATCH] capabilities: add field names for ambient capabilities

2017-09-18 Thread Steve Grubb
On Monday, June 12, 2017 10:35:37 PM EDT Richard Guy Briggs wrote: > Linux kernel capabilities were augmented to include ambient capabilities in > v4.3 commit 58319057b784 ("capabilities: ambient capabilities"). > > Add interpretation types for cap_pa, old_pa, pa. > > The record contains fields "

audit 2.7.8 released

2017-09-18 Thread Steve Grubb
Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - Add config option to auditd to not verify email addr domain (#1406887) - When auditd forwards events to dispatcher, ca

Re: kauditd hold queue overflow in 4.11

2017-09-09 Thread Steve Grubb
On Saturday, September 9, 2017 4:41:19 PM EDT Laurent Bigonville wrote: > On 09/09/17 at 16:22, Steve Grubb wrote: > > On Saturday, September 9, 2017 6:02:02 AM EDT Laurent Bigonville wrote: > >> On 11/07/17 at 00:23, Paul Moore wrote: > >>> On Mon, Jul 10, 2017

Re: kauditd hold queue overflow in 4.11

2017-09-09 Thread Steve Grubb
On Saturday, September 9, 2017 6:02:02 AM EDT Laurent Bigonville wrote: > On 11/07/17 at 00:23, Paul Moore wrote: > > On Mon, Jul 10, 2017 at 4:01 PM, Laurent Bigonville wrote: > >> On 10/07/17 at 18:00, Paul Moore wrote: > >>> On Mon, Jul 10, 2017 at 10:59 AM, Laurent Bigonville > >>> > >>

Re: Why there is no PATH record for change file time syscalls? (utimensat)

2017-09-08 Thread Steve Grubb
On Thursday, September 7, 2017 6:32:39 PM EDT Steve Grubb wrote: > On Wednesday, September 6, 2017 6:03:18 AM EDT Lev Olshvang wrote: > > I got only following SYSCALL record in audit log for 'touch -t ' command, > > no CWD, no PATH record > > Out of curiosity, w

Re: Why there is no PATH record for change file time syscalls? (utimensat)

2017-09-08 Thread Steve Grubb
On Friday, September 8, 2017 4:41:47 AM EDT Richard Guy Briggs wrote: > On 2017-09-07 18:32, Steve Grubb wrote: > > On Wednesday, September 6, 2017 6:03:18 AM EDT Lev Olshvang wrote: > > > I got only following SYSCALL record in audit log for 'touch -t ' > >

Re: Why there is no PATH record for change file time syscalls? (utimensat)

2017-09-07 Thread Steve Grubb
On Wednesday, September 6, 2017 6:03:18 AM EDT Lev Olshvang wrote: > I got only following SYSCALL record in audit log for 'touch -t ' command, no > CWD, no PATH record Out of curiosity, what kind of rule were you using? > type=SYSCALL msg=audit(1503837757.149:266995): > arch=c03e syscall=280

Re: Auditing console access

2017-09-07 Thread Steve Grubb
On Thursday, September 7, 2017 4:04:39 AM EDT Maupertuis Philippe wrote: > > -Original Message- > > From: Steve Grubb [mailto:sgr...@redhat.com] > > Sent: Wednesday, September 06, 2017 8:13 PM > > To: linux-audit@redhat.com > > Cc: Maupertuis Philippe >

Re: [PATCH 1/1] audit: Record fanotify access control decisions

2017-09-07 Thread Steve Grubb
Hello Jan, > > On Thursday, September 7, 2017 6:18:05 AM EDT Jan Kara wrote: > On Wed 06-09-17 13:34:32, Steve Grubb wrote: > > On Wednesday, September 6, 2017 12:48:21 PM EDT Jan Kara wrote: > > > On Wed 06-09-17 10:35:32, Steve Grubb wrote: > > > > On Wednesd

Re: Auditing console access

2017-09-06 Thread Steve Grubb
On Wednesday, September 6, 2017 9:42:53 AM EDT Maupertuis Philippe wrote: > Hi, > The examples found in the audit documentation mention that to work it is > assumed that no direct root login is allowed. This is very sensible and not a > big problem except for console access. Why is it a problem for c

Re: [PATCH 1/1] audit: Record fanotify access control decisions

2017-09-06 Thread Steve Grubb
Hello Jan, On Wednesday, September 6, 2017 12:48:21 PM EDT Jan Kara wrote: > On Wed 06-09-17 10:35:32, Steve Grubb wrote: > > On Wednesday, September 6, 2017 5:18:22 AM EDT Jan Kara wrote: > > > Or is it that for CC requirements you have to implement some daemon which > >

Re: [PATCH 1/1] audit: Record fanotify access control decisions

2017-09-06 Thread Steve Grubb
On Wednesday, September 6, 2017 7:11:48 AM EDT Amir Goldstein wrote: > On Wed, Sep 6, 2017 at 12:18 PM, Jan Kara wrote: > > On Tue 05-09-17 14:32:07, Steve Grubb wrote: > >> The fanotify interface allows user space daemons to make access > >> > >> cont

Re: [PATCH 1/1] audit: Record fanotify access control decisions

2017-09-06 Thread Steve Grubb
On Wednesday, September 6, 2017 5:18:22 AM EDT Jan Kara wrote: > On Tue 05-09-17 14:32:07, Steve Grubb wrote: > > The fanotify interface allows user space daemons to make access > > > > control decisions. Under common criteria requirements, we need to > > optionall

Re: [PATCH 1/1] audit: Record fanotify access control decisions

2017-09-06 Thread Steve Grubb
On Tuesday, September 5, 2017 11:24:49 PM EDT Richard Guy Briggs wrote: > On 2017-09-05 14:32, Steve Grubb wrote: > > The fanotify interface allows user space daemons to make access > > > > control decisions. Under common criteria requirements, we need to > > option

[PATCH 1/1] audit: Record fanotify access control decisions

2017-09-05 Thread Steve Grubb
The fanotify interface allows user space daemons to make access control decisions. Under common criteria requirements, we need to optionally record decisions based on policy. This patch adds a bit mask, FAN_AUDIT, that a user space daemon can 'or' into the response decision which will tell the

Re: how to audit auditd itself ?

2017-09-01 Thread Steve Grubb
On Friday, September 1, 2017 8:58:47 AM EDT Maupertuis Philippe wrote: > The 30-pci-dss-v31.rules in the doc directory contains the following > statement : ## 10.2.6 Verify the following are logged: > ## Initialization of audit logs > ## Stopping or pausing of audit logs. > ## These are handled imp

Re: passwd and USER_CHAUTHTOK

2017-08-30 Thread Steve Grubb
On Wednesday, August 30, 2017 10:22:43 AM EDT Steve Grubb wrote: > Hello Philippe, > > Thanks for reporting this (and the other bug which is in my queue to work > on). > On Wednesday, August 30, 2017 3:56:10 AM EDT Maupertuis Philippe wrote: > > Hi > > On a new redhat

Re: passwd and USER_CHAUTHTOK

2017-08-30 Thread Steve Grubb
Hello Philippe, Thanks for reporting this (and the other bug which is in my queue to work on). On Wednesday, August 30, 2017 3:56:10 AM EDT Maupertuis Philippe wrote: > Hi > On a new redhat 7.4, passwd -S to check the status of a user generates the > following event : node=x type=USER_CHAUTH

Re: [PATCH 1/1] Fanotify: Introduce a permissive mode

2017-08-15 Thread Steve Grubb
On Tuesday, August 15, 2017 11:37:19 AM EDT Amir Goldstein wrote: > > So, there is some utility to having the application stopped so that the > > daemon can do its checks but then throw away the answer so that more of > > the policy can be verified. > > > >> *if* at all this method is acceptable o

Re: [PATCH 1/1] Fanotify: Introduce a permissive mode

2017-08-15 Thread Steve Grubb
On Tuesday, August 15, 2017 6:19:50 AM EDT Amir Goldstein wrote: > On Mon, Aug 14, 2017 at 5:04 PM, Steve Grubb wrote: > > Hello, > > > > The fanotify interface can be used as an access control subsystem. If > > for some reason the policy is bad, there is potentially

[PATCH 1/1] Fanotify: Introduce a permissive mode

2017-08-14 Thread Steve Grubb
Hello, The fanotify interface can be used as an access control subsystem. If for some reason the policy is bad, there is potentially no good way to recover the system. This patch introduces a new command line variable, fanotify_enforce, to allow overriding the access decision from user space. The

Re: Questions about enriched format and Node on RHEL 7.4

2017-08-07 Thread Steve Grubb
Hello, On Monday, August 7, 2017 11:25:38 AM EDT Maupertuis Philippe wrote: > With Rhel 7.4 just out, I am giving a try at the new audit. > Something seems strange to me. > With the default log_format = RAW in auditd.conf, I get the node= parameter > right in rsyslog (through the syslog plugin). I

Re: Stop/Disable AUDITD on RHEL7

2017-08-04 Thread Steve Grubb
find out who's doing it. Also, how do you know that auditd is restarted? Are you judging by syslog or audit logs? -Steve > On Fri, Aug 4, 2017 at 3:31 PM, Steve Grubb wrote: > > On Thursday, August 3, 2017 5:12:39 PM EDT warron.french wrote: > > > I am running RHEL 7 Server

Re: Stop/Disable AUDITD on RHEL7

2017-08-04 Thread Steve Grubb
On Thursday, August 3, 2017 5:12:39 PM EDT warron.french wrote: > I am running RHEL 7 Server so that I can also run Red Hat Satellite. > > I seem to be having resource contention problems and auditd is a part of > the problem consuming up to 22.0% according to results of the *top* command. I'd be

Re: [PATCH] selinux: remove AVC init audit log message

2017-07-28 Thread Steve Grubb
.com/linux-audit/audit-kernel/issues/48 > > Signed-off-by: Richard Guy Briggs > > Acked-by: Stephen Smalley Yeah, I guess it can be deleted. Acked-by: Steve Grubb > > --- > > security/selinux/avc.c |2 -- > > 1 files changed, 0 insertions(+), 2 deletions

Re: [PATCH] selinux: remove AVC init audit log message

2017-07-28 Thread Steve Grubb
On Friday, July 28, 2017 3:23:31 AM EDT Richard Guy Briggs wrote: > In the process of normalizing audit log messages, it was noticed that the > AVC initialization code registered an audit log KERNEL record that didn't > fit the standard format. In the process of attempting to normalize it, it > was

Re: [RFC PATCH] specs: update message dictionary with source column

2017-07-26 Thread Steve Grubb
On Wednesday, July 26, 2017 6:36:24 PM EDT Paul Moore wrote: > On Tue, Jul 25, 2017 at 10:51 PM, Richard Guy Briggs wrote: > > On 2017-07-25 14:14, Paul Moore wrote: > >> On Mon, Jul 24, 2017 at 11:48 PM, Richard Guy Briggs wrote: > >> > On 2017-07-24 11:52, Steve

ANOM_ABEND events are missing

2017-07-26 Thread Steve Grubb
Hello Richard & Paul, I have been noticing something lately. I have applications that crash and I get a notification from abrtd but when I go looking, there are no matching ANOM_ABEND records. This is on a 4.11.11 kernel. The purpose of the ANOM_ABEND record is to indicate that a program has cr

Re: [RFC PATCH] specs: update message dictionary with source column

2017-07-24 Thread Steve Grubb
On Monday, July 24, 2017 10:40:08 AM EDT Richard Guy Briggs wrote: > Add a column to indicate the source of the message, including indicating > whether or not it is related to syscalls. > > Column name: SOURCE > Key: > CTL Control messages, usually initiated by audit daemon. Most of t

Re: ENRICHED log_format not encoding all parameters

2017-07-20 Thread Steve Grubb
On Thursday, July 20, 2017 4:06:48 AM EDT Peter KRIVANSKY wrote: > Hello together, > > I am writing to this mailing list as I have not found any working solution > online. > We use the audit with ENRICHED log_format, but we see lots of > parameters not being decoded from HEX. Here are the auditd s

Re: Auditing Logons/Logoffs

2017-07-17 Thread Steve Grubb
syscall record attached. They also never have a key field. -Steve > On Fri, Jul 14, 2017 at 4:46 PM, Steve Grubb wrote: > > On Friday, July 14, 2017 3:51:16 PM EDT warron.french wrote: > > > Back to this again, as I thought my coworker had addressed it months > >

Re: AUDIT(C) - Group/Role addition, deletion modification

2017-07-14 Thread Steve Grubb
On Friday, July 14, 2017 4:52:36 PM EDT warron.french wrote: > Same as AUDIT(B) only for roles and groups? Also hardwired. See the user account specification. -Steve > Simply put a watch rule on /etc/group and /etc/gshadow? > > Is that really enough? Do I also monitor the executables for /bin/

Re: AUDIT(B) - USER add, delete, modify, suspend and lock

2017-07-14 Thread Steve Grubb
On Friday, July 14, 2017 4:48:11 PM EDT warron.french wrote: > Similar idea to the prior email: > > I need to monitor local user account > > > *creation, modification, deletion, suspension and locking.* These events are all hardwired too. The events that you are looking for are part of this sp

Re: Auditing Logons/Logoffs

2017-07-14 Thread Steve Grubb
On Friday, July 14, 2017 3:51:16 PM EDT warron.french wrote: > Back to this again, as I thought my coworker had addressed it months ago, > but he did not as I cannot find anything. > > *THE_SUBJECT*: Auditing Logons and Logoffs (success/failures) > > I am aware of the following files: > /var/log/f

Re: ausearch message type omissions

2017-07-13 Thread Steve Grubb
On Thursday, July 13, 2017 4:54:39 PM EDT Richard Guy Briggs wrote: > In the process of creating/updating the audit message/record type > dictionary, I stumbled on the following two message types missing from > ausearch -m text: > > This one is in the userspace header file. What is its meaning an

Re: message type dictionary clarifications

2017-07-13 Thread Steve Grubb
On Thursday, July 13, 2017 4:51:04 PM EDT Richard Guy Briggs wrote: > In the process of updating the audit message type dictionary, I came > across a couple of differences I wanted to clear up. > > The descriptions in the userspace header file don't obviously line up > with another source. Can I

Re: Introducing audit-explorer

2017-06-20 Thread Steve Grubb
Hello, On Tuesday, June 20, 2017 12:28:16 PM EDT Vincas Dargis wrote: > On 2017.06.19 23:55, Steve Grubb wrote: > > I have released the audit-explorer shiny app that I have been demo'ing > > this spring: > > > > https://github.com/stevegrubb/audit-explorer > >

Introducing audit-explorer

2017-06-19 Thread Steve Grubb
Hello, I have released the audit-explorer shiny app that I have been demo'ing this spring: https://github.com/stevegrubb/audit-explorer I have been talking about some of the concepts in it from my blog. But this is much more interesting because it's fully interactive. Enjoy... -Steve

Re: [PATCH] filter: add filesystem filter with fstype

2017-06-19 Thread Steve Grubb
e when adding PATH auxiliary records to SYSCALL > events. This is the filesystem filter. This is used to ignore PATH records > that are not of interest. .LP > > .PP > diff --git a/lib/errormsg.h b/lib/errormsg.h > index 91d8252..ef54589 100644 > --- a/lib/errormsg.h > +++

audit 2.7.7 released

2017-06-16 Thread Steve Grubb
Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - Make ausearch a little more robust to bad time values - Aureport's login report was corrected to print the loginuid (

Re: [PATCH] auditctl: add sessionid to manpage

2017-06-14 Thread Steve Grubb
On Wednesday, June 14, 2017 12:30:26 PM EDT Richard Guy Briggs wrote: > SessionID support was added in audit-userspace 2.7, commit: > 5d89887 2016-10-19 ("In libaudit, add support for rules using sessionid") > > The auditctl(8) manpage update was missed at that time. Add it. > > See: https://gith

Re: [PATCH] filter: add path filter with fstype

2017-06-13 Thread Steve Grubb
Hello, On Monday, June 12, 2017 10:45:50 PM EDT Richard Guy Briggs wrote: > On 2017-06-12 20:28, Steve Grubb wrote: > > This patch needs to be refactored to match the current count of error > > messages in err_msgtab. > > > > What error message is emitted when ru

Re: [PATCH] gitignore: ignore normalizer generated files

2017-06-13 Thread Steve Grubb
On Tuesday, April 4, 2017 7:58:50 AM EDT Richard Guy Briggs wrote: > Signed-off-by: Richard Guy Briggs > --- > .gitignore |2 ++ > 1 files changed, 2 insertions(+), 0 deletions(-) > > diff --git a/.gitignore b/.gitignore > index ba296d3..dc566b9 100644 > --- a/.gitignore > +++ b/.gitignore >

Re: [PATCH] errormsg: convert all raw error codes in table to macro values

2017-06-13 Thread Steve Grubb
On Tuesday, June 13, 2017 3:41:01 PM EDT Richard Guy Briggs wrote: > Use the newly created error code macros in the error code text translation > table. > > See: https://github.com/linux-audit/audit-userspace/issues/11 Applied. Thanks! -Steve > Signed-off-by: Richard Guy Briggs > --- > lib/er

Re: [PATCH] filterexcl: allow filterkey

2017-06-13 Thread Steve Grubb
On Tuesday, June 13, 2017 2:46:19 PM EDT Richard Guy Briggs wrote: > > On 2017-06-12 20:05, Steve Grubb wrote: > > > On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote: > > > > The exclude rules did not permit a filterkey to be added. This isn't >

Re: [PATCH] auparse: do not interpret fE as a capability field

2017-06-13 Thread Steve Grubb
On Monday, June 12, 2017 9:49:24 PM EDT Richard Guy Briggs wrote: > The file effective capability is a boolean. It is being interpreted as the > capability "chown" by auparse. Just print its raw value. Applied. Thanks! -Steve > An example from an execve syscall: > type=BPRM_FCAPS msg=audit(03/

Re: [PATCH] filter: add path filter with fstype

2017-06-12 Thread Steve Grubb
e others need touching up here as well. But we should say something someone with a casual knowledge of audit would understand. > .LP > > .PP > diff --git a/lib/errormsg.h b/lib/errormsg.h > index 50c7d50..2a6e4d6 100644 > --- a/lib/errormsg.h > +++ b/lib/errormsg.h >

Re: [PATCH] filterexcl: allow filterkey

2017-06-12 Thread Steve Grubb
On Tuesday, April 4, 2017 6:39:22 AM EDT Richard Guy Briggs wrote: > The exclude rules did not permit a filterkey to be added. This isn't as > important for the exclude filter compared to the others since no records are > generated with that key, but still helps identify rules in the rules list >

Re: [PATCH] filterkey: add errormsg reporting

2017-06-12 Thread Steve Grubb
On Tuesday, April 4, 2017 6:38:41 AM EDT Richard Guy Briggs wrote: > Call errormsg after processing filterkey to speed up debugging. Applied. Thanks! -Steve > See: https://github.com/linux-audit/audit-userspace/issues/13 > > Signed-off-by: Richard Guy Briggs > --- > src/auditctl.c |4 +++-

Re: Auditing file access by application

2017-06-12 Thread Steve Grubb
Hello, On Monday, June 12, 2017 10:20:15 AM EDT John Petrini wrote: > We have a need to monitor voicemail directories for any sort of access. > Basically there is only one application that should be accessing the files. > If anything else accesses the files we need to log that. > > We setup the f

Re: some questions about Linux audit

2017-06-08 Thread Steve Grubb
Hello, On Thursday, June 8, 2017 9:46:48 PM EDT 358123097 wrote: > Dear Sir/Madam, > > Hello, I am a Chinese student; now I am studying Linux audit and having some > problems. I want to collect some information from the network, such as the > accessor's IP and port. I defined an audit rule in machine A as

Re: libaudit vsn 1/2 changes

2017-05-30 Thread Steve Grubb
On Tuesday, May 30, 2017 2:19:09 PM EDT Frederick House wrote: > Does anyone know the specific changes to libaudit v1 that warranted a major > version upgrade to v2 (i.e., libaudit.so.0 -> libaudit.so.1)? I'd like to > understand the major differences without having to diff the source code of > aud

Re: [PATCH] errormsg: add descriptive macros to replace overloaded error codes

2017-05-30 Thread Steve Grubb
On Monday, May 29, 2017 11:37:02 AM EDT Richard Guy Briggs wrote: > Several return codes were overloaded and no longer giving helpful error > return messages from the field and comparison functions > audit_rule_fieldpair_data() and audit_rule_interfield_comp_data(). > > Introduce 2 new macros with

Re: [PATCH 2/2] errormsg: add descriptive macros to replace overloaded error codes

2017-05-24 Thread Steve Grubb
On Monday, May 8, 2017 9:52:00 AM EDT Richard Guy Briggs wrote: > > > Ok, so coming back to patch acceptance, if I read correctly your > > > comments, reduce the four new error types to two? > > > > Yes, two are needed. One for missing filter/action and one for we are > > attempting an incompatibl

Re: BIG performance hit with auditd on large systems (>64 CPUs)

2017-05-23 Thread Steve Grubb
Hello, On Tue, 23 May 2017 11:05:18 +0200 Klaus Lichtenwalder wrote: > On 19 May 2017 23:41:58 CEST Stephen Buchanan > wrote: > >Agree with Steve's suggestion re: "-S all". Also might help if you > >sort > > I now know where -S all stems from... Some watches add a -S all by > themselves...

Re: From where ANOM_MK_EXEC , ANOM_ROOT_TRANS ,comes ?

2017-05-20 Thread Steve Grubb
On Saturday, May 20, 2017 9:04:37 AM EDT Lev Olshvang wrote: > Hello list > > > There are events particularly interesting for IDS, like ANOM_MK_EXEC, This was in the now defunct prelude plugin. > ANOM_ROOT_TRANS These audit events are listed in RHEL7 Security guide. Not sure where this one i

Re: BIG performance hit with auditd on large cpus (>64 cpus)

2017-05-19 Thread Steve Grubb
On Friday, May 19, 2017 4:22:24 PM EDT Klaus Lichtenwalder wrote: > (note to moderator: i sent this before from the wrong address, hope it > doesn't get duplicated) > > Hi, > > we have a few SAP systems on RHEV (so virtualized on KVM) with >= 74 > CPUs and >= 400G RAM. > When the system is busy w

Re: Disabling rsyslog rate-limiting just for audit/audispd

2017-05-18 Thread Steve Grubb
On Thursday, May 18, 2017 2:27:11 PM EDT Stephen Buchanan wrote: > With the caveat that I am perhaps asking the wrong audience, I'm hoping > that someone has hit this issue before, and possibly solved it. > > I've set up a number of servers in my environment to forward all audit log > entries via

Re: EXT :Re: Exclude Watched Items

2017-05-16 Thread Steve Grubb
On Tuesday, May 16, 2017 8:54:40 AM EDT Boyce, Kevin P [US] (AS) wrote: > I'll give that a shot. How do I find out what the supported message types > are? ausearch -m x This will cause ausearch to output an error message that describes the supported types. -Steve > -Original Message-

Re: [PATCH 2/2] errormsg: add descriptive macros to replace overloaded error codes

2017-05-04 Thread Steve Grubb
On Thursday, May 4, 2017 5:05:35 PM EDT Richard Guy Briggs wrote: > On 2017-05-04 16:49, Steve Grubb wrote: > > On Thursday, May 4, 2017 4:29:45 PM EDT Richard Guy Briggs wrote: > > > On 2017-05-04 16:11, Steve Grubb wrote: > > > > On Tuesday, April 4, 2017 6:37:48 A

Re: [PATCH 2/2] errormsg: add descriptive macros to replace overloaded error codes

2017-05-04 Thread Steve Grubb
On Thursday, May 4, 2017 4:29:45 PM EDT Richard Guy Briggs wrote: > On 2017-05-04 16:11, Steve Grubb wrote: > > On Tuesday, April 4, 2017 6:37:48 AM EDT Richard Guy Briggs wrote: > > > Several return codes were overloaded and no longer giving helpful error > > > return

Re: [PATCH 2/2] errormsg: add descriptive macros to replace overloaded error codes

2017-05-04 Thread Steve Grubb
On Tuesday, April 4, 2017 6:37:48 AM EDT Richard Guy Briggs wrote: > Several return codes were overloaded and no longer giving helpful error > return messages from the field and comparison functions > audit_rule_fieldpair_data() and audit_rule_interfield_comp_data(). > > Introduce 3 new macros wit

Re: [PATCH 1/2] errormsg: correct a number of messages that have drifted

2017-05-04 Thread Steve Grubb
On Tuesday, April 4, 2017 6:37:47 AM EDT Richard Guy Briggs wrote: > A number of error message descriptions have drifted from the conditions that > caused them in audit_rule_fieldpair_data() including expansion of fields to > be used by the user filter list, restriction to the exit list only and >

Re: audit su - access

2017-04-23 Thread Steve Grubb
Hello, On Fri, 21 Apr 2017 16:00:54 +0300 Maria Tsiolakki wrote: > We have setup the audit log on a Redhat linux 7.3 machine > We have setup various rules, so far successfully. Our last > requirement is to have an audit log when a user executes su - or su > - root, or sudo su. I write the followi

audit 2.7.6 released

2017-04-19 Thread Steve Grubb
Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - In auparse_normalize, assign user-login as the event kind for AUDIT_LOGIN - In auparse_normalize, move GRP_AUTH to its

Re: signed tarballs

2017-04-14 Thread Steve Grubb
On Friday, April 14, 2017 9:06:53 AM EDT Paul Moore wrote: > On Thu, Apr 13, 2017 at 6:25 PM, Steve Grubb wrote: > > On Thursday, April 13, 2017 5:05:36 PM EDT Paul Moore wrote: > >> On Thu, Apr 13, 2017 at 5:00 PM, William Roberts > >> > >> wrote: >

Re: signed tarballs

2017-04-13 Thread Steve Grubb
On Thursday, April 13, 2017 6:45:55 PM EDT William Roberts wrote: > On Apr 13, 2017 14:22, "Christian Rebischke" > wrote: > > On Thu, Apr 13, 2017 at 05:05:36PM -0400, Paul Moore wrote: > > Unless Steve has exclusive administrative access to people.redhat.com > > (I think it is safe to say he doe

Re: signed tarballs

2017-04-13 Thread Steve Grubb
On Thursday, April 13, 2017 5:05:36 PM EDT Paul Moore wrote: > On Thu, Apr 13, 2017 at 5:00 PM, William Roberts > > wrote: > > Isn't the hash on the https people's page? No, it's on the mail list. The mail list is moderated. Only a handful of people could post a spoofed message. > > Which last

Re: signed tarballs

2017-04-13 Thread Steve Grubb
On Thursday, April 13, 2017 4:30:57 PM EDT William Roberts wrote: > On Apr 13, 2017 13:28, "Christian Rebischke" > wrote: > > On Tue, Apr 11, 2017 at 10:03:54AM -0400, Steve Grubb wrote: > > I added a sha256sum to the release announcement yesterday. You can also

Re: [PATCH] capabilities: do not audit log BPRM_FCAPS on set*id

2017-04-13 Thread Steve Grubb
On Thursday, April 13, 2017 4:50:56 AM EDT Richard Guy Briggs wrote: > > > > >> > I was thinking of a case where the caps actually change, but are > > > > >> > overridden by the blanket full permissions of setuid. > > > > >> > > > > >> If there actually is a change in capability bits besides the >

Re: [PATCH] errormsg: use descriptive macros for error numbers

2017-04-12 Thread Steve Grubb
On Wednesday, April 12, 2017 2:39:26 AM EDT Richard Guy Briggs wrote: > On 2017-04-11 17:33, Steve Grubb wrote: > > On Tuesday, April 4, 2017 6:36:52 AM EDT Richard Guy Briggs wrote: > > > Convert all the numerical error return codes in comparison option and > > > fi

Re: audit.rules not fully loading into memory according to auditctl -l

2017-04-12 Thread Steve Grubb
On Wednesday, April 12, 2017 3:00:59 PM EDT warron.french wrote: > Yes, certainly. > > I had a 1.7GB messages file in /var/log; so I moved it manually out of the > way. Then I rebooted. > > After doing that, I didn't see anything at all about auditd in the new > /var/log/messages. It will proba

Re: [PATCH] capabilities: do not audit log BPRM_FCAPS on set*id

2017-04-12 Thread Steve Grubb
On Wednesday, April 12, 2017 2:43:21 AM EDT Richard Guy Briggs wrote: > On 2017-04-11 15:36, Paul Moore wrote: > > On Wed, Mar 29, 2017 at 6:29 AM, Richard Guy Briggs wrote: > > > On 2017-03-09 09:34, Steve Grubb wrote: > > >> On Tuesday, March 7, 2017 4:10:49 P

Re: audit.rules not fully loading into memory according to auditctl -l

2017-04-12 Thread Steve Grubb
On Wednesday, April 12, 2017 12:51:03 PM EDT warron.french wrote: > Hello, I am writing a Puppet Module to deliver updates of audit.rules and > auditd.conf configurations to RHEL6 and RHEL7 machines. > > The files are laid down correctly for both RHEL6 and RHEL7 within the > appropriate directorie

Re: audit triggers sent email

2017-04-12 Thread Steve Grubb
Hello, On Wednesday, April 12, 2017 9:14:27 AM EDT Maria Tsiolakki wrote: > I have setup the audit log service (on red hat linux 7.3) and I have > placed rules such as when a user accesses a specific directory to log the > action in the audit log. I want to go a further step, and get an email > noti

Re: Set audisp plugin filters

2017-04-12 Thread Steve Grubb
On Wednesday, April 12, 2017 4:28:02 AM EDT Eytan Naim wrote: > I am currently developing an audisp plugin that should be as effective as > possible. Therefore, I want to set my own set of filtering rules (2-3 > syscalls) and I don't want to get any other audit events from the audisp > itself. This

Re: rules.d on RHEL6

2017-04-12 Thread Steve Grubb
On Wednesday, April 12, 2017 10:18:55 AM EDT warron.french wrote: > It appears that this directory is not used at all on RHEL6. > > I know I have mentioned this before; but it's true. If I *move* my copy of > audit.rules from /etc/audit into the subdirectory rules.d and restart > audit; the audit

Re: [PATCH] errormsg: use descriptive macros for error numbers

2017-04-11 Thread Steve Grubb
On Tuesday, April 4, 2017 6:36:52 AM EDT Richard Guy Briggs wrote: > Convert all the numerical error return codes in comparison option and field > option parsing routines audit_rule_interfield_comp_data() and > audit_rule_fieldpair_data() to descriptive macros for easier code navigation > and verif

SECCOMP event results

2017-04-11 Thread Steve Grubb
Hello, When I run across a seccomp event, does it always mean that the syscall failed? Is there any possibility that the syscall may have continued (such as while being traced)? -Steve

Re: signed tarballs

2017-04-11 Thread Steve Grubb
On Tuesday, April 11, 2017 6:44:13 AM EDT Christian Rebischke wrote: > On Mon, Apr 10, 2017 at 02:35:31PM -0400, Steve Grubb wrote: > > Nobody has ever asked for one. I literally build the package in Fedora > > within a few minutes of a release. Fedora has hashes of the audit tar

Re: Result of auditctl -s

2017-04-10 Thread Steve Grubb
On Monday, April 10, 2017 4:20:37 PM EDT warron.french wrote: > Hi can someone tell me what I need to do, if anything, about failure: 1 > after executing *auditctl -s* please? auditctl also takes a '-i' argument to interpret its output. > I am trying to troubleshoot but cannot find anything tha

Re: signed tarballs

2017-04-10 Thread Steve Grubb
On Saturday, April 8, 2017 8:53:10 AM EDT Paul Moore wrote: > > I am the maintainer of 'audit' in the official Arch Linux Repositories. > > Is there a reason why you don't provide a signature file for the > > releases nor a checksum or am I just stupid and can't find it on your > > website: https:/

audit 2.7.5 released

2017-04-10 Thread Steve Grubb
Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - In auparse, output socket family name if unsupported but known - In auparse, store arch & syscall fields in SECCOMP r

Re: signed tarballs

2017-04-10 Thread Steve Grubb
On Thursday, April 6, 2017 7:31:35 PM EDT Christian Rebischke wrote: > Hello, > I am the maintainer of 'audit' in the official Arch Linux Repositories. > Is there a reason why you don't provide a signature file for the > releases nor a checksum or am I just stupid and can't find it on your > websit

Re: [PATCH v3 0/4] Improved seccomp logging

2017-04-10 Thread Steve Grubb
On Friday, April 7, 2017 6:16:08 PM EDT Tyler Hicks wrote: > On 02/22/2017 12:46 PM, Kees Cook wrote: > > On Thu, Feb 16, 2017 at 3:29 PM, Kees Cook wrote: > >> On Wed, Feb 15, 2017 at 7:24 PM, Andy Lutomirski wrote: > >>> On Mon, Feb 13, 2017 at 7:45 PM, Tyler Hicks wrote: > This patch s

Re: RHEL6 and RHEL7 audispatch configurations

2017-04-03 Thread Steve Grubb
On Monday, April 3, 2017 2:23:21 PM EDT warron.french wrote: > Hi Steve, sorry for bugging you directly, nearly 1 year ago (May 10th to be > exact) we collaborated, for my benefit on how to configure audispatch on > "RHEL6" machines. > > It seems that my instructions that I kept from 1 year ago ar

Re: Bug#859120: ausearch -i segfault

2017-03-30 Thread Steve Grubb
Hello, On Thursday, March 30, 2017 12:27:29 PM EDT Laurent Bigonville wrote: > On 30/03/17 at 15:56, cgzones wrote: > I just received the following bug in debian: > > ausearch segfaults on the following input in interpret mode: > > > > /sbin/ausearch -i --input file > > > > type=AVC msg=audit(

Re: Auditd.conf settings for Satellite 6 server

2017-03-30 Thread Steve Grubb
On Thursday, March 30, 2017 11:40:31 AM EDT Fulda, Paul R [US] (MS) wrote: > Can someone give me some optimized auditd.conf settings for a Red Hat > Satellite 6 server running on Red Hat 7.3? When I am creating and updating > content views on satellite, auditd cannot keep up and bogs the system to

Re: Reboots and audit.rules

2017-03-30 Thread Steve Grubb
On Thursday, March 30, 2017 8:17:05 AM EDT warron.french wrote: > Steve, is there anyway that you know of both as the author of the Red Hat > Audit software, and also an employee of Red Hat that would allow someone to > review the audit logs and determine one of the following 2 possibilities: We h

audit 2.7.4 released

2017-03-28 Thread Steve Grubb
Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - Fix python3 byte compile for libaudit bindings - Add "boot" keyword to time parameters of ausearch/aureport - In aupa

Re: space_left_action=exec only works once?

2017-03-27 Thread Steve Grubb
On Thursday, January 26, 2017 1:22:10 AM EDT Steve Grubb wrote: > Hello, > > On Wed, 25 Jan 2017 15:06:50 -0800 > > Bond Masuda wrote: > > I configured space_left and space_left_action to run a script that > > compresses and moves older audit log files from /var/l

Re: Full path of the filename not showing up in audit logs for some entries in aureport -f

2017-03-27 Thread Steve Grubb
On Thursday, March 9, 2017 2:30:33 PM EDT Steve Grubb wrote: > Hello, > > On Monday, February 27, 2017 9:05:18 PM EST Kaptaan wrote: > > I have set some file monitoring audit rules on a directory and the audit > > log shows some entries like > > > > ausearch

Re: auditd.cron

2017-03-23 Thread Steve Grubb
at understands the order and cats them into ausearch/report in the correct order if you still plan to use the native tools. -Steve > > On 3/22/2017 5:48 PM, Steve Grubb wrote: > > > On Wednesday, March 22, 2017 5:19:11 PM EDT warron.french wrote: > > >> So, I needed

Re: auditd.cron

2017-03-22 Thread Steve Grubb
On Wednesday, March 22, 2017 5:19:11 PM EDT warron.french wrote: > So, I needed a feature over 8 months ago, nobody could provide one for the > following: >Rolling log files either when they hit a certain size or the day > changed over at midnight. > > I know that I could have rolled the f

Re: What fields should be used for reporting shared memory?

2017-03-20 Thread Steve Grubb
On Monday, March 20, 2017 7:36:14 AM EDT Martin Kletzander wrote: > On Thu, Mar 16, 2017 at 09:04:52PM -0400, Steve Grubb wrote: > >Hello, > > > >I apologize for the delay. > > > >On Tuesday, March 14, 2017 7:42:27 AM EDT Martin Kletzander wrote: > >

Re: Licensing of libaudit and libauparse

2017-03-20 Thread Steve Grubb
On Sunday, March 19, 2017 11:13:04 PM EDT Richard Fontana wrote: > On Sun, Mar 19, 2017 at 01:54:52PM -0400, Steve Grubb wrote: > > On Saturday, March 18, 2017 11:32:14 PM EDT Richard Fontana wrote: > > > Hi, > > > > > > The README file in the audit use

Re: Lost events during boot

2017-03-20 Thread Steve Grubb
On Monday, March 20, 2017 10:55:43 AM EDT Paul Moore wrote: > On Mon, Mar 20, 2017 at 10:44 AM, Paul Moore wrote: > > On Mon, Mar 20, 2017 at 8:08 AM, Paul Moore wrote: > >> On Sun, Mar 19, 2017 at 9:46 PM, Steve Grubb wrote: > >>> Hello Richard and Paul, > &g

Re: Lost events during boot

2017-03-20 Thread Steve Grubb
On Monday, March 20, 2017 8:08:27 AM EDT Paul Moore wrote: > On Sun, Mar 19, 2017 at 9:46 PM, Steve Grubb wrote: > > Hello Richard and Paul, > > > > I was going to do a blog write up about booting the system with > > audit_backlog_limit=8192 for STIG users and ha

Lost events during boot

2017-03-19 Thread Steve Grubb
Hello Richard and Paul, I was going to do a blog write up about booting the system with audit_backlog_limit=8192 for STIG users and have stumbled on to a mystery. The kernel initializes the variable to 64 at power on. During boot, if audit == 1, then it holds events in the hopes that an audit d

Re: Licensing of libaudit and libauparse

2017-03-19 Thread Steve Grubb
On Saturday, March 18, 2017 11:32:14 PM EDT Richard Fontana wrote: > Hi, > > The README file in the audit userspace package says: > > LICENSE > === > The audit daemon is released as GPL'd code. The > audit daemon's libraries libaudit.* and libauparse.* are released > under LGPL so t
