On Thursday, August 18, 2016 2:33:18 PM EDT Richard Guy Briggs wrote:
> Add userspace support for the exclude filter extension of subject
> credentials, including detection of the feature in the kernel.
>
> This set should be added after loginuid_set support and before sessionID
> user filter supp
On Tuesday, October 11, 2016 4:54:26 PM EDT Paul Moore wrote:
> On Tue, Oct 11, 2016 at 4:50 PM, Steve Grubb wrote:
> > On Tuesday, October 11, 2016 4:42:58 PM EDT Paul Moore wrote:
> >> On Tue, Oct 11, 2016 at 3:22 PM, Steve Grubb wrote:
> >> > On Tuesday, O
On Tuesday, October 11, 2016 4:42:58 PM EDT Paul Moore wrote:
> On Tue, Oct 11, 2016 at 3:22 PM, Steve Grubb wrote:
> > On Tuesday, October 11, 2016 2:27:54 PM EDT Richard Guy Briggs wrote:
> >> On 2016-10-11 12:40, Steve Grubb wrote:
> >> > On Monday, October 10,
On Tuesday, October 11, 2016 2:27:54 PM EDT Richard Guy Briggs wrote:
> On 2016-10-11 12:40, Steve Grubb wrote:
> > On Monday, October 10, 2016 5:10:39 PM EDT Paul Moore wrote:
> > > On Mon, Oct 10, 2016 at 1:24 PM, Steve Grubb wrote:
> > > > On Thursday, August 1
On Monday, October 10, 2016 5:10:39 PM EDT Paul Moore wrote:
> On Mon, Oct 10, 2016 at 1:24 PM, Steve Grubb wrote:
> > On Thursday, August 18, 2016 2:18:55 PM EDT Richard Guy Briggs wrote:
> >> loginuid_set support should have been added to userspace when it was
> >>
On Monday, October 10, 2016 2:48:23 PM EDT L. A. Walsh wrote:
> Steve Grubb wrote:
> > But ntpd overwhelms logs but chronyd might be marginally better. See bz
> > https://bugzilla.redhat.com/show_bug.cgi?id=918127
>
> ---
> I took a gander at said bugzilla num, and found
On Thursday, August 18, 2016 2:33:20 PM EDT Richard Guy Briggs wrote:
> Signed-off-by: Richard Guy Briggs
> ---
> trunk/lib/errormsg.h |2 +-
> trunk/lib/libaudit.c | 39 ++-
> trunk/lib/libaudit.h |3 +++
> 3 files changed, 26 insertions(+), 18 delet
On Thursday, August 18, 2016 2:18:55 PM EDT Richard Guy Briggs wrote:
> loginuid_set support should have been added to userspace when it was
> added to the kernel around v3.10. Add it before we do similar for
> sessionID and sessionID_set.
If this were accepted, how would this change writing rule
On Tuesday, October 4, 2016 11:35:46 AM EDT C.y wrote:
> On Tue, Oct 4, 2016 at 4:06 AM, Steve Grubb wrote:
> > On Sunday, October 2, 2016 11:00:16 AM EDT C.y wrote:
> > > On Sun, Oct 2, 2016 at 12:20 AM, Steve Grubb wrote:
> > > > On Saturday, October 1,
On Tuesday, October 4, 2016 10:10:31 AM EDT leam hall wrote:
> For /etc/audisp/plugins.d/syslog.conf, is "LOG_WARN" an accepted arg, or
> does it need to be "LOG_WARNING"?
LOG_WARNING.
https://fedorahosted.org/audit/browser/trunk/audisp/audispd-builtins.c#L279
-Steve
--
Linux-audit mailing list
Hello,
On Tuesday, October 4, 2016 9:46:32 AM EDT Kevin Brown wrote:
> Is there an option within auditd to set whether commands are stored as hex
> vs ASCII?
No.
> With the prevalence of SIEM these days, seems easier to keep the commands
> as ASCII and not presume a person needs to have access
On Saturday, October 1, 2016 5:47:47 PM EDT C.y wrote:
> Hi all,
>
>
> I have fedora-server-24 installed on my raspberry-pi-3, following the guide
> https://fedoraproject.org/wiki/Raspberry_Pi.
>
> Once I get my raspberry pi boot up, there were error mentioning that "audit
> support not in kerne
On Sunday, August 21, 2016 9:00:31 PM EDT Mateusz Piotrowski wrote:
> Hello,
>
> See this line[1]. It lacks the name of the default file.
>
> As I don't know what the default file is I cannot submit a patch.
> Hopefully, someone else can fix this file.
I forgot to reply but this was fixed in th
On Tuesday, September 27, 2016 6:35:28 PM EDT Nathan Brown wrote:
> I am trying to fully understand the ruledata struct. I've got most of it
> figured out but I can't find a reason for the final 32 bits (last index) of
> mask to not be flipped on when selecting all syscalls. In general it
> appears
On Tuesday, September 27, 2016 10:05:31 PM EDT Sullivan, Daniel [CRI] wrote:
> type=SYSCALL msg=audit(1475012495.972:5327): arch=c03e syscall=159
> success=yes exit=0 a0=7ffd7498eb00 a1=861 a2=0 a3=1 items=0 ppid=1 pid=5357
> auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=3
On Monday, September 26, 2016 4:17:24 PM EDT Александр Демидов wrote:
> Hello
>
> I try to use new applications for me - e4rat
>
> My OS: ArchLinux
>
> I install audit with static libs for resolve building e4rat application
>
> But, in building e4rat-collect, i fetched error:
>
> [ 52%] Linkin
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Non-active log files should be read only
- In augenrules, restore the selinux context if restorecon is installed
- Up
On Thursday, September 8, 2016 9:42:09 AM EDT warron.french wrote:
> While working with RHEL-6 and RHEL-7 systems, and understanding that you
> can set rules to immutable by adding *-e 2* to the end of the audit.rules
> file(s) I realized something.
>
> If I want to add rules to a system due to n
On Wednesday, August 17, 2016 4:58:02 PM EDT Paul Moore wrote:
> On Tue, Jul 26, 2016 at 10:54 AM, Jeff Vander Stoep wrote:
> > dump_common_audit_data() currently contains a field for pid, but the
> > value printed is actually the thread ID, tid. Update this value to
> > return the task group ID.
On Tuesday, August 23, 2016 1:32:48 PM EDT warron.french wrote:
> In RHEL-6, audit rules were added directly to */etc/audit/audit.rules*, but
> it seems that it is a requirement in RHEL-7 to be placed directly in a file
> (any file?) within
>
> */etc/audit/rules.d/.*
Well, to be honest, you can d
On Wednesday, August 17, 2016 3:02:36 PM EDT Mateusz Piotrowski wrote:
> I wonder if there is a document describing the preferred coding style
> of the Linux Audit framework source code.
No.
> Is it basically the style of the Linux Kernel[1]?
I have never used the kernel style. But if you look a
On Tuesday, August 2, 2016 4:31:40 AM EDT Richard Guy Briggs wrote:
> Signed-off-by: Richard Guy Briggs
> ---
> trunk/.gitignore |2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
Applied. Thanks.
-Steve
On Tuesday, August 2, 2016 9:25:44 AM EDT Steve Grubb wrote:
> On Tuesday, August 2, 2016 8:56:35 AM EDT Richard Guy Briggs wrote:
> > On 2016-08-02 08:16, Steve Grubb wrote:
> > > On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> > > > Add suppor
On Tuesday, August 2, 2016 8:56:35 AM EDT Richard Guy Briggs wrote:
> On 2016-08-02 08:16, Steve Grubb wrote:
> > On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> > > Add support for sessionid, sessionid_set (first two patches) and
> > > loginui
On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> Add support for sessionid, sessionid_set (first two patches) and
> loginuid_set (and auid_set) (third patch) in user filters. The first
> two are directly related to issue "ghak4":
> https://github.com/linux-audit/audit-
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Interpret ioctlcmd fields
- Fix the permission of the audit logging directory
- Fix timeout in autrace better
- Add g
On Monday, August 1, 2016 12:16:30 AM EDT Mateusz Piotrowski wrote:
> Hello,
>
> According to the field dictionary[1] there are fields which names are
> defined by the following regex: "a[[:digit:]+]\[.*\]".
>
> I was able to find examples of fields like "a4" and "a5" (see [2]) but it
> doesn't f
On Saturday, July 23, 2016 8:15:09 PM EDT James Clarke wrote:
> ---
> This fixes gen_alpha_tables_h aborting due to renameat2 being duplicated.
>
> lib/alpha_table.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/alpha_table.h b/lib/alpha_table.h
> index 08171cc..c4
Hello,
Thanks for adding these audit events. I have just one question below.
On Monday, July 25, 2016 6:37:06 PM EDT Miroslav Vadkerti wrote:
> Common Criteria requirement FMT_MSA.1 needs any configuration change
> that affect enforcement of policy to be audited. This patch adds
> auditing of cha
On Wednesday, July 20, 2016 8:06:25 PM EDT Richard Guy Briggs wrote:
> On 2016-07-20 19:19, Richard Guy Briggs wrote:
> > Ignore generated files if using git.
Thanks. Applied.
> I should add this this is based on audit-2.6.5.
It applies fine against trunk.
-Steve
On Thursday, July 21, 2016 4:12:48 PM EDT Ondrej Moris wrote:
> On 07/21/2016 03:55 PM, Steve Grubb wrote:
> >> I am fine with that but while I see the motivation [1], I
> >> just cannot find where is that happening in the code.
> >
> > https://fedorahosted.o
On Thursday, July 21, 2016 11:48:04 AM EDT Ondrej Moris wrote:
> Hi, I noticed that in 2.6.5 /var/log/audit permission were dropped from
> 750 to 600.
The directory should be 0750 or 0700 depending on your config. 0600 would be a
mistake.
> I am fine with that but while I see the motivation [1
On Wednesday, July 20, 2016 11:25:19 AM EDT Mateusz Piotrowski wrote:
> Hello,
>
> > On 19 Jul 2016, at 12:28, Mateusz Piotrowski <0...@freebsd.org> wrote:
> >
> > type=CONFIG_CHANGE msg=audit(1464013671.541:406): auid=1000 ses=7 op="add
> > rule" key=(null) list=4 res=1 As you can see, there is
On Friday, July 15, 2016 7:49:22 PM EDT Roberts, William C wrote:
> > I also asked some other questions. Is this the ioctl number? As in
> > syscall arg a1? I need to know if its the same thing so that I can hook
> > up its translation if so.
>
> Yes, per man ioctl, it's the "request number". Ass
On Friday, July 15, 2016 7:33:09 PM EDT Roberts, William C wrote:
>
>
> > > This is important so that people don't make up new ones that do the
> > > same thing. The ioctlcmd field name should be recorded. Are there more
> > > that need documenting?
> >
> > Steve/William, one of you want to send
; not evident.
> >
> > Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes
> > ioctlcmd=0x1234.
> >
> > Signed-off-by: William Roberts
> > ---
> > security/lsm_audit.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
>
> N
On Friday, July 15, 2016 2:52:02 PM EDT Mateusz Piotrowski wrote:
> I’m trying to update the 2013 version of auditd on a just installed CentOS
> 6.8-i386.
>
> So far I’ve downloaded audit-userspace from GitHub[1] and I’ve faced a
> couple of problems:
>
> 1. README says that I should consult the R
On Wednesday, July 13, 2016 3:22:01 PM EDT Chris Nandor wrote:
> The buffering appears to be on the client side, because if I restart the
> server's auditd, those lines are not lost: they still appear in the remote
> log ... but not until the next time I run `sudo ls` on the client side.
>
> This
hen its not supported.
-Steve
> I found a 9-year old mail from you about bash
> --audit and aubash but that isn't working for me.
> > On Jul 14, 2016, at 12:06, Steve Grubb wrote:
> >> On Thursday, July 14, 2016 10:44:46 AM EDT Chris Nandor wrote:
> >> Sorry,
You should also add a key to every rule as a
reminder of what it means. So, any SYSCALL event that does not have a key is
triggered by something else like a SELinux AVC.
-Steve
> On Thu, Jul 14, 2016 at 10:37 AM, Steve Grubb wrote:
> > On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nan
On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
> How does one get USER_CMD records into the audit.log?
The sudo command is the usual way.
-Steve
On Thursday, July 14, 2016 6:10:00 PM EDT Mateusz Piotrowski wrote:
> Hello,
>
> Thank you for your reply! It is absolutely amazing. It clarified a lot.
>
> >> b) Why do some records are separated by a comma and a
> >>
> >> whitespace? Example:
> >>type=DAEMON_START msg=audit(1363713
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Correct the header length for dispatched events
- Revise buffer handling in auditd to fix dispatched events
- Fix spe
Fix the whitespace in the CWD record
Signed-off-by: Steve Grubb
---
kernel/auditsc.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff -urp linux-4.7.0-0.rc4.git1.1.fc23.x86_64.orig/kernel/auditsc.c
linux-4.7.0-0.rc4.git1.1.fc23.x86_64/kernel/auditsc.c
--- linux-4.7.0-0.rc4.git1.1
On Wednesday, July 13, 2016 10:51:07 AM EDT Chris Nandor wrote:
> The only reason I am even upgrading is because of the issues with
> audisp-remote, the not-reconnecting, and the apparent client-side
> buffering, that went away with 2.4.x and 2.6.x. So if we decide to ship
> logs a different way t
be compatible with the rest of user space.
So, give it a try. It may work. It should be easy to go back if something is
wrong.
-Steve
> On Wed, Jul 13, 2016 at 9:32 AM, Steve Grubb wrote:
> > On Wednesday, July 13, 2016 9:22:57 AM EDT Chris Nandor wrote:
> > > Secondary questio
On Wednesday, July 13, 2016 12:32:55 PM EDT Steve Grubb wrote:
> On Wednesday, July 13, 2016 9:22:57 AM EDT Chris Nandor wrote:
> > Secondary question: the reason for what I'm working on is that we want to
> > be able to audit what folks do as root on our production hosts.
On Wednesday, July 13, 2016 9:27:25 AM EDT Chris Nandor wrote:
> As mentioned in previous e-mail, we want to log what users do as root. I
> have these two rules, only:
>
> -a exit,always -F arch=b32 -F euid=0 -F auid>=0 -F auid!=4294967295 -S
> execve -k rootcmd
> -a exit,always -F arch=b64 -F eu
t.log and
> immediately to a remote using audisp-remote, so the log can't be easily
> manipulated.
Remote logging is the defence against local log manipulation.
-Steve
> On Wed, Jul 13, 2016 at 8:57 AM, Steve Grubb wrote:
> > On Wednesday, July 13, 2016 8:47:58 AM EDT Chris Nando
On Wednesday, July 13, 2016 8:47:58 AM EDT Chris Nandor wrote:
> Hi, I had some odd behavior to report.
>
> I am running ubuntu 12.04. Using the default auditd and audispd-plugins
> packages for my release, I was able to get logs sent to local syslog and to
> a remote auditd server (same basic co
Hello,
On Wednesday, July 13, 2016 1:23:29 PM EDT Mateusz Piotrowski wrote:
> I participate in Google Summer of Code and my project involves converting
> Linux Audit logs to BSM logs.
>
> As I was writing a parser and converter I stumbled upon a couple of things I
> do not understand and I cannot
tan Manjunath
> Sent: Monday, July 11, 2016 1:48 PM
> To: 'Steve Grubb'
> Cc: linux-audit@redhat.com
> Subject: Upgrading audit package
>
> Hi Steve,
>
> I am using audit in my development environment. My development environment
> is as below.
>
> RHEL 5
Hello,
On Tuesday, July 12, 2016 5:15:01 PM EDT Laurent Bigonville wrote:
> Could you please merge the following patches that have been proposed to
> debian by Nicolas Braud-Santoni?
Yes, thanks.
> The patches add the Documentation key in the .service file and also fix
> some typos.
They are no
Hello,
On Monday, July 11, 2016 8:17:50 AM EDT Bhagwat, Shriniketan Manjunath wrote:
> I am using audit in my development environment. My development environment
> is as below.
>
> RHEL 5.2 with kernel 2.6.32-431.el6.x86_64 and audit-2.2-2.el6.x86_64.
> SUSE 11 SP3 with kernel 3.0.76-0.11-default
On Monday, July 11, 2016 4:52:05 PM EDT Thomas Petazzoni wrote:
> Hello,
>
> On Wed, 06 Jul 2016 18:47:47 -0400, Steve Grubb wrote:
> > Applying this breaks the build
> >
> > am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=:
> > di
On Sunday, July 10, 2016 10:45:13 AM EDT Laurent Bigonville wrote:
> Le 09/07/16 à 23:41, Steve Grubb a écrit :
> > On Saturday, July 9, 2016 11:02:44 PM EDT Laurent Bigonville wrote:
> >> Apparently the fix is not 100% correct:
> >>
> >> The "Libs.private
On Saturday, July 9, 2016 11:02:44 PM EDT Laurent Bigonville wrote:
> Le 05/07/16 à 14:15, Steve Grubb a écrit :
> > Hello,
> >
> > On Monday, July 4, 2016 2:08:14 PM EDT Laurent Bigonville wrote:
> >> Apparently the audit.pc file is missing flags to allow libaudi
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Fix interpretation of saddr fields when using enriched events
- In netlink_handler of auditd, ensure ack_func is init
On Wednesday, July 6, 2016 10:53:37 AM EDT Adam Duskett wrote:
> Audit 2.6.x checks for AUDIT_FEATURE_VERSION to be defined in
> include/linux/audit.h (this define was introduced in kernel version
> 3.13) and then blindly assumes that struct audit_status has
> feature_bitmap.
>
> However this look
On Wednesday, July 6, 2016 9:08:19 PM EDT Thomas Petazzoni wrote:
> This allows to avoid the following warning when re-generating the
> configure script:
>
> auparse/Makefile.am:95: warning: source file '../lib/gen_tables.c' is in a
> subdirectory, auparse/Makefile.am:95: but option 'subdir-object
On Wednesday, July 6, 2016 9:08:16 PM EDT Thomas Petazzoni wrote:
> The first two patches in this series fix misc build issues of audit
> with old kernel headers.
I applied both. The second patch was not complete. You might want to pull
what's in svn and make sure everything works for your target
Hello,
I received the strace file which made the email too big for the mail list.
I'm including the important part below.
On Wednesday, July 6, 2016 6:31:00 PM EDT Laurent Bigonville wrote:
> Le 06/07/16 à 18:23, Steve Grubb a écrit :
> > So, I'm not sure why you are getting
On Wednesday, July 6, 2016 5:26:44 PM EDT Laurent Bigonville wrote:
Hello,
> Le 06/07/16 à 17:23, Steve Grubb a écrit :
> > On Wednesday, July 6, 2016 4:49:58 PM EDT Laurent Bigonville wrote:
> >> With 2.6.3, when loading the rules, it's crashing and I get the
On Wednesday, July 6, 2016 4:49:58 PM EDT Laurent Bigonville wrote:
> Hi,
>
> With 2.6.3, when loading the rules, it's crashing and I get the
> following backtrace:
>
> #0 0x7687e99d in writev () at ../sysdeps/unix/syscall-template.S:84
> #1 0x555610ab in dispatch_event (rep=, i
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Fix NULL pointer deref in auparse
- Optionally add dependency to libcap-ng in audit.pc
This is another bug fix rele
Hello,
On Monday, July 4, 2016 2:08:14 PM EDT Laurent Bigonville wrote:
> Apparently the audit.pc file is missing flags to allow libaudit to be
> statically linked (see [0]).
>
> Adding something like "Requires.private: libcap-ng" should fix the problem.
OK. Fixed. There will be a new audit pack
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Fix ausearch segfault when using numeric uids
- In auparse move aulol structure into auparse_state_t
- Save and resto
Hello,
On Wednesday, June 29, 2016 05:48:46 PM Laurent Bigonville wrote:
> I think there are inconsistencies between the behavior of the shipped
> LSB initscript and the systemd .service.
>
> The sysconfig config file sets USE_AUGENRULES="no" and
> AUDITD_CLEAN_STOP="yes" while the .service file
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Do capabilities check rather than uid
- Auditd fixup directory and file permissions on startup
- Add some missing con
On Tuesday, June 28, 2016 01:10:04 AM Laurent Bigonville wrote:
> > Looking that build system, it seems that CFLAGS and CPPFLAGS for these
> > executables are overridden in lib/Makefile.am and auparse/Makefile.am
> > (with CFLAGS_FOR_BUILD and CPPFLAGS_FOR_BUILD) but the LDFLAGS are
> > left unto
On Wednesday, June 22, 2016 07:56:23 PM warron.french wrote:
> I am writing puppet modules for work now. I am writing a module
> specifically oriented around audit for Linux and Solaris.
>
> But I would like to know is after updating audit.rules in Linux with
> immutable mode turned on; is a resta
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Auditd support for enriched data: uid/gid, saddr splitting, arch, syscall
- Make all libraries and utilities support
On Wednesday, June 22, 2016 08:21:27 AM Skwar Alexander wrote:
> Hello Steve and all :)
>
> Am 20.06.2016 um 17:32 schrieb Steve Grubb:
> > On Monday, June 20, 2016 03:54:02 PM Skwar Alexander wrote:
> >> On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with audit
On Monday, June 20, 2016 03:54:02 PM Skwar Alexander wrote:
> On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with auditd 2.3.2
> and v2.4.5), we'd like to log all the commands that root has run, or
> that were run as root.
>
> For that, I added the following rules:
>
> # Log all commands run
ped?
There is nothing that prevents you from sending a SIGTERM to the plugin if you
are root. The plugin will be restarted when the next event arrives to audispd.
-Steve
> -Original Message-
> From: Steve Grubb [mailto:sgr...@redhat.com]
> Sent: Monday, May 16, 2016 6:24 PM
> T
On Friday, June 10, 2016 04:43:19 PM Jacobson, Robert C. [HONEYWELL TECHNOLOGY
SOLUTIONS INC] wrote:
> I guess the first question I should ask is : is this the proper list for
> questions about problems? If not, then please accept my apology -- and I
> would greatly appreciate if you could direc
On Thursday, June 09, 2016 07:59:43 PM Richard Guy Briggs wrote:
> On 16/06/09, Steve Grubb wrote:
> > On Wednesday, June 08, 2016 10:05:01 PM Deepa Dinamani wrote:
> > > struct timespec is not y2038 safe.
> > > Audit timestamps are recorded in string format into
> &
On Wednesday, June 08, 2016 10:05:01 PM Deepa Dinamani wrote:
> struct timespec is not y2038 safe.
> Audit timestamps are recorded in string format into
> an audit buffer for a given context.
> These mark the entry timestamps for the syscalls.
> Use y2038 safe struct timespec64 to represent the tim
On Tuesday, May 24, 2016 10:07:57 AM Ken Bass wrote:
> On 05/23/2016 11:21 AM, Ken Bass wrote:
> > I enabled krb5 in my audisp-remote and audispd-remote reports "GSS-API
> > error sending token length" and fails to log remotely.
> >
> > If I reboot the destination auditd server AFTER the clients a
On Thursday, May 26, 2016 11:16:05 AM Ken Bass wrote:
> On 05/24/2016 10:07 AM, Ken Bass wrote:
> > On a related note, using krb5 causes a problem with selinux. Unless I
> > disable it (or figure out a rule) auditd fails to start because it is
> > denied permission to create /var/tmp/auditd_0 kerbe
Hello,
On Thursday, May 26, 2016 03:03:11 PM Christian Boltz wrote:
> I'd like to ask for a more useful error message in auditd ;-)
>
> If audit.log is world-readable (chmod 644 [1]), auditd refuses to start.
>
> The problem is that it gives a completely useless error message when
> doing that:
On Wednesday, May 18, 2016 12:18:21 PM Warron S French wrote:
> My Special Security Team, not being UNIX/Linux savvy asked me if I could put
> into place audit rules that monitor "Root-Level" commands.
>
> I don't know of any specific identifier for such a term, and the closest
> thing I could com
On Monday, May 16, 2016 11:44:26 AM Richard Guy Briggs wrote:
> On 16/05/16, Steve Grubb wrote:
> > On Sunday, May 15, 2016 04:38:27 PM Richard Guy Briggs wrote:
> > > Hi Steve,
> > >
> > > Can you confirm that the exclude filter action parameter is igno
On Sunday, May 15, 2016 04:38:27 PM Richard Guy Briggs wrote:
> Hi Steve,
>
> Can you confirm that the exclude filter action parameter is ignored?
The exclude filter was supposed to do only 1 thing, delete events. It was
needed to create a pure CAPP system back in the lspp days. There are thing
On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> > Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL
>
> Are there any future plans to support enabling audit from non root user
> using CAP_AUDIT_CONTROL?
You are the only person who has asked f
On Thu, 12 May 2016 19:14:35 +
Warron S French wrote:
> Hello all,
> I have audit logging working exactly as I want it now
> (thanks to you all), but when running ausearch on various systems
> (not all, which tells me something isn't consistent) I get a warning:
>
> Warning -
d
This is how I would try to write it. If that suppresses more syscalls than
chmod and you can give us a reproducer, I think it should go in the new github
issue tracker for the kernel.
-Steve
> -Original Message-
> From: Steve Grubb [mailto:sgr...@redhat.com]
> Sent: Mon
't see anything in the SRG that leans towards IDS-like rules. Do you see
any?
-Steve
> -----Original Message-
> From: Steve Grubb [mailto:sgr...@redhat.com]
> Sent: Wednesday, May 11, 2016 11:35 AM
>
> When a user logs in, the auid gets set to the uid that they used to login
On Wednesday, May 11, 2016 06:28:11 PM Wyatt, Curtis wrote:
> I don't understand why the STIG audit rules have -F auid!=4294967295 in it.
> If auid is unset, why wouldn't you still want to see the events in the
> logs?
When a user logs in, the auid gets set to the uid that they used to login
wit
On Wednesday, May 11, 2016 09:55:33 AM Laurent Bigonville wrote:
> Le 09/05/16 à 21:07, intrigeri a écrit :
> > Hi,
>
> Hey,
>
> > in Debian, the convention for many log files is to make them readable
> > by members of the adm group. We're considering doing the same for the
> > auditd logs, in or
On Tuesday, May 10, 2016 03:25:36 PM Warron S French wrote:
> > The lab works as expected, but my production environment does not. %-/
>
> I would start by checking that events are coming out of the remote systems.
> You can use tcpdump port 60 on the clients. After confirming that, do the
> sam
On Tuesday, May 10, 2016 01:44:50 PM Warron S French wrote:
> > > I have two problems though; and they seem somewhat minor:
> > >
> > > 1. The audit events being captured don’t seem to be tied to any
> > > given node (so that I can perform ausearch --node hostName, or
> > > aureport), that’s
using a web service (httpd, etc) to service your files, then
> make it authenticated and have it log.
I agree on this point. Auditd will tell you that the web server accessed the
file but not who is getting it. Only the web server can know that.
-Steve
> > On Tuesday, 10 May 201
On Tuesday, May 10, 2016 10:52:21 PM Burn Alting wrote:
> On Tue, 2016-05-10 at 12:31 +, Warron S French wrote:
> > Good morning everyone,
> >
> >
> >
> > I am working on an environment where I have managed to get centralized
> > audit logging to work – roughly 95% properly on six (6) CentOS
On Monday, May 09, 2016 04:13:19 PM varun gulati wrote:
> Hi Team,
> We have requirement where we have to monitor and log any read operations
> performed on a file. e.g. /a/b/c/xyz.log
-a always,exit -F path=/a/b/c/xyz.log -F perm=r -F key=log-access
> This file is usually copied and downloaded
On Monday, May 09, 2016 09:07:11 PM intrigeri wrote:
> in Debian, the convention for many log files is to make them readable
> by members of the adm group. We're considering doing the same for the
> auditd logs, in order to make apparmor-notify work out-of-the-box.
>
> The maintainer of auditd in
On Saturday, April 30, 2016 09:29:18 PM Manuel Scunthorpe wrote:
> Dear Steve,thanks for your helpful observations. I was able to modify the
> PKGBUILD and successfully build the package, and then build e4rat-lite
> which was my ultimate aim. Sadly it didn't seem to work in Arch Linux due
> to the
On Monday, May 09, 2016 01:40:58 PM Bhagwat, Shriniketan Manjunath wrote:
> I am trying to monitor multiple files using Linux audit. In order to get
> better performance, I am trying to reduce number of rules. If I specify
> more than one path field as in below example I am getting "Invalid
> argu
Yes. --node is the switch to select the exact audit stream from remote
systems.
-Steve
> Thank you Steve, again, for your detailed support. For me this was an
> uphill battle, and you leveled the field for me (and I learned something).
>
> Warron French, MBA, SCSA
>
> -Origin
e something there if the
connection is not working.
-Steve
> -Original Message-
> From: linux-audit-boun...@redhat.com [mailto:linux-audit-boun...@redhat.com]
> On Behalf Of Warron S French Sent: Friday, April 29, 2016 4:21 PM
> To: Steve Grubb
> Cc: linux-au