Re: Exported symbols removed in 2.5.2

2016-05-03 Thread Steve Grubb
On Tuesday, May 03, 2016 05:15:01 PM Laurent Bigonville wrote: > >> +#MISSING: 1:2.5.2-1# audit_send_user_message@Base 1:2.2.1 > >> > >> audit_set_backlog_limit@Base 1:2.2.1 > >> audit_set_backlog_wait_time@Base 1:2.4.2 > >> audit_set_enabled@Base 1:2.2.1 > >> > >> Is that expected that

Re: Exported symbols removed in 2.5.2

2016-05-03 Thread Steve Grubb
On Tuesday, May 03, 2016 05:04:04 PM Laurent Bigonville wrote: > Hello, > > In debian, during the build of a package, we have a tool checking if > symbols are removed from shared libraries. > > With the 2.5.2 release, I get the following output: > > --- debian/libauparse0.symbols (libauparse0_

Re: Centralized Logging question #2

2016-04-29 Thread Steve Grubb
On Thursday, April 28, 2016 07:55:13 PM Warron S French wrote: > If I centralize audit logging through rsyslog, and I have each of the remote > machines' /etc/rsyslog.conf to use the same generic audit.log file name > instead of customizing the audit logs with something like; > HOSTNAME-audit.log,

Re: audit review question

2016-04-29 Thread Steve Grubb
le like the folks in this 'forum.' Sure. -Steve > > Thanks, for any advice and useful links you can share. I am certain that as > you provide them and I read them it will force me to ask even more > questions. I hope you don't mind. > > Warron French, MB

Re: Excluding stat syscall logging for specific path

2016-04-29 Thread Steve Grubb
On Friday, April 29, 2016 09:16:17 PM Vincas Dargis wrote: > 2016.04.29 21:00, Steve Grubb wrote: > > On Friday, April 29, 2016 08:56:26 PM Vincas Dargis wrote: > >> When playing/learning with auditd, I wanted to log events when apache > >> fails to access file. > &g

Re: Excluding stat syscall logging for specific path

2016-04-29 Thread Steve Grubb
On Friday, April 29, 2016 08:56:26 PM Vincas Dargis wrote: > Hi, > > When playing/learning with auditd, I wanted to log events when apache fails > to access file. > > Here's the rules I used in Debian Wheezy (same on Jessie and current > latest Testing): > > -a exit,never -F arch=b64 -S stat

audit 2.5.2 released

2016-04-29 Thread Steve Grubb
Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - Fix memory leak caused by unneeded reference in auparse python bindings - Revise function hiding technique to better

Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log

2016-04-29 Thread Steve Grubb
On Friday, April 29, 2016 07:07:06 PM Vincas Dargis wrote: > 2016.04.29 16:39, Steve Grubb wrote: > > You'll have to ask the AppArmor folks. I gave them a whole block of > > numbers to use for their own purposes so that we don't have any problems. > > If they in

Re: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log

2016-04-29 Thread Steve Grubb
On Friday, April 29, 2016 10:03:02 AM Vincas Dargis wrote: > There was email about fixing ausearch for AppArmor: > > https://www.redhat.com/archives/linux-audit/2014-May/msg00094.html > > Is there any progress regarding that issue? You'll have to ask the AppArmor folks. I gave them a whole block

Re: audit 2.5.1 released

2016-04-28 Thread Steve Grubb
On Thursday, April 28, 2016 02:45:55 AM Manuel Scunthorpe wrote: > The build fails in Arch Linux openrc when configure has the option > --enable-systemd=no It seems to work and build the package but fails at the > end, I think it is a makefile error. I wanted to build the package with > static

Re: audit review question

2016-04-28 Thread Steve Grubb
On Wednesday, April 27, 2016 09:10:39 PM Warron S French wrote: > I have a scenario that I need a little help understanding how to work > through in an isolated environment of 1 server and 6 workstations (7 > machines). The 7 machines are all running CentOS-6.7 and selinux = > disabled. > > All 6 w

Re: [PATCH V4] audit: add tty field to LOGIN event

2016-04-22 Thread Steve Grubb
On Thursday, April 21, 2016 09:29:57 PM Paul Moore wrote: > On Thu, Apr 21, 2016 at 2:14 PM, Richard Guy Briggs wrote: > > The tty field was missing from AUDIT_LOGIN events. > > > > Refactor code to create a new function audit_get_tty(), using it to > > replace the call in audit_log_task_info() a

Re: Python auparse bindings memory leak

2016-04-21 Thread Steve Grubb
Hello, On Thursday, April 14, 2016 02:37:19 PM Santosh Ananthakrishnan wrote: > The get_timestamp function in the auparse extension module seems to have an > extra Py_INCREF. There's already a #FIXME at the line: > https://fedorahosted.org/audit/browser/tags/audit-2.5.1/bindings/python/auparse_

Re: PID's Mapping

2016-04-20 Thread Steve Grubb
On Wednesday, April 20, 2016 10:06:38 AM Deepika Sundar wrote: > Is there any way that can be suggested as to map PID's of namespace in > global? This is on the TODO list. We have been kicking around several ideas but have not come to a conclusion about what exactly needs to be done. The upshot o

Re: New field to auditd.conf file

2016-04-20 Thread Steve Grubb
t; On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb wrote: > > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote: > > > As per my understanding audit log structure can be extendible based on > > > requirements and in my project I need to add the identifier field for &

Re: Beginner question

2016-04-18 Thread Steve Grubb
On Thursday, April 14, 2016 08:27:04 AM Bryan Harris wrote: > Okay here goes. I must have a simple misunderstanding or I may be > doing something wrong. > > When I do the below three commands the auid shown back to me is not > the same from all the commands, but it's the same event. In the first

audit 2.5.1 released

2016-04-13 Thread Steve Grubb
Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - Updated and added audit rules - Updated errno table for 4.4 kernel - Change interpretation of exit to use errno defin

Re: audit 2.5.1 released

2016-04-13 Thread Steve Grubb
ge- > From: linux-audit-boun...@redhat.com [mailto:linux-audit-boun...@redhat.com] > On Behalf Of Steve Grubb Sent: Wednesday, April 13, 2016 4:02 PM > To: linux-audit@redhat.com > Subject: audit 2.5.1 released > > Hello, > > I've just released a new

Re: New field to auditd.conf file

2016-04-13 Thread Steve Grubb
On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote: > As per my understanding audit log structure can be extendible based on > requirements and in my project I need to add the identifier field for the > application and as of now I wasn't able to reveal what application > trying to d

Re: syscall - "comm" field truncated

2016-04-06 Thread Steve Grubb
On Wednesday, April 06, 2016 10:05:35 AM Paul Moore wrote: > On Wed, Apr 6, 2016 at 9:53 AM, Lev Stipakov wrote: > > Hello, > > > > Sometimes audit of "execve" syscall generates events with truncated "comm" > > values, for example: > > > > type=SYSCALL msg=audit(1459950426.152:1097081): arch=c00

Re: New field to auditd.conf file

2016-04-06 Thread Steve Grubb
2016 at 5:20 PM, Steve Grubb wrote: > > On Wednesday, April 06, 2016 05:06:08 PM Deepika Sundar wrote: > > > Can it be possible to add new field to auditd.conf file? > > > > That depends entirely on what functionality is being added and if it's > > acceptable to

Re: New field to auditd.conf file

2016-04-06 Thread Steve Grubb
On Wednesday, April 06, 2016 05:06:08 PM Deepika Sundar wrote: > Can it be possible to add new field to auditd.conf file? That depends entirely on what functionality is being added and if it's acceptable to people in general. -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.

Re: Auditing User Additions - Critical Oversight?

2016-04-05 Thread Steve Grubb
Hello, On Tuesday, April 05, 2016 09:48:01 PM Blackwell, Joseph M wrote: > I am working on scripting a report that can be run to filter and display the > audits on a weekly basis, and I am having issues pulling specific events > that indicate when users are added through the User Manager GUI (GNOM

Re: [RFC] Create an audit record of USB specific details

2016-04-05 Thread Steve Grubb
On Tuesday, April 05, 2016 07:02:48 PM Oliver Neukum wrote: > On Tue, 2016-04-05 at 18:40 +1000, Wade Mealing wrote: > > Consider the following scenario. Currently we have device drivers > > that emit text via a printk request which is eventually picked up by > > syslog like implementation (not th

Re: [RFC] Create an audit record of USB specific details

2016-04-04 Thread Steve Grubb
On Monday, April 04, 2016 12:02:42 AM wmealing wrote: > I'm looking to create an audit trail for when devices are added or removed > from the system. > > The audit subsystem is a logging subsystem in kernel space that can be > used to create advanced filters on generated events. It has partnered

Re: [RFC] Create an audit record of USB specific details

2016-04-04 Thread Steve Grubb
On Monday, April 04, 2016 05:56:26 AM Greg KH wrote: > On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote: > > From: Wade Mealing > > > > Gday, > > > > I'm looking to create an audit trail for when devices are added or removed > > from the system. > > Then please do it in userspace, as I

Re: auditd reports port number '0' for connect() system call

2016-04-01 Thread Steve Grubb
On Thursday, March 31, 2016 06:11:26 PM Kangkook Jee wrote: > Here an event directly from auditd for connect() system call (syscall=42) > with port number 0. Do you think connect() system call still can be called > with port number 0? Hello, I got the full events. Below is the explanation... ty

Re: auditd reports port number '0' for connect() system call

2016-03-31 Thread Steve Grubb
On Thursday, March 31, 2016 08:54:30 AM Kangkook Jee wrote: > but, last three one didn’t > > $ ~/bin/sock_decode 020036447A64 > 020036447A64: sa_family: 2 addr: 1685734454, port: 0 (0) > $ ~/bin/sock_decode 02003644ECD0 > 02003644ECD
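An added example, not from this thread or from the audit project, of decoding the hex-encoded saddr= value of a SOCKADDR record. It assumes the value is the raw struct sockaddr the syscall received on a little-endian Linux host (sa_family in host byte order, port and address of AF_INET/AF_INET6 in network byte order) and that the family numbers are the Linux ones. A buffer too short for the structure is reported as an error rather than decoded as port 0. The record and hex values below are constructed.

```python
import ipaddress
import struct

# sa_family numbers as defined on Linux (assumption: Linux host; BSDs differ).
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10

# Constructed sample record (not from the thread): connect() to 192.168.1.1:80.
SAMPLE_RECORD = ("type=SOCKADDR msg=audit(1459368000.123:4242): "
                 "saddr=02000050C0A801010000000000000000")


def decode_saddr(hexstr):
    """Decode the hex-encoded saddr= value of a SOCKADDR record.

    The value is the raw struct sockaddr the syscall received (addrlen bytes
    of it). sa_family is in host byte order (little-endian assumed here, as
    on x86-64); the port and address of sockaddr_in/sockaddr_in6 are in
    network byte order. Raises ValueError on a buffer too short for the
    structure instead of silently reporting port 0.
    """
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2:
        raise ValueError("saddr shorter than sa_family")
    (family,) = struct.unpack("<H", raw[:2])

    if family == AF_INET:
        # struct sockaddr_in: family(2) port(2) addr(4) zero padding(8)
        if len(raw) < 8:
            raise ValueError("truncated sockaddr_in: need 8 bytes, got %d" % len(raw))
        (port,) = struct.unpack("!H", raw[2:4])
        addr = ipaddress.IPv4Address(raw[4:8])
        return {"family": "inet", "addr": str(addr), "port": port}

    if family == AF_INET6:
        # struct sockaddr_in6: family(2) port(2) flowinfo(4) addr(16) scope_id(4)
        if len(raw) < 24:
            raise ValueError("truncated sockaddr_in6: need 24 bytes, got %d" % len(raw))
        port, flowinfo = struct.unpack("!HI", raw[2:8])
        addr = ipaddress.IPv6Address(raw[8:24])
        (scope_id,) = struct.unpack("<I", raw[24:28]) if len(raw) >= 28 else (0,)
        return {"family": "inet6", "addr": str(addr), "port": port,
                "flowinfo": flowinfo, "scope_id": scope_id}

    if family == AF_UNIX:
        # struct sockaddr_un: family(2) then sun_path. A leading NUL marks the
        # Linux abstract namespace (shown with a '@' prefix, as ss does);
        # otherwise the path is NUL-terminated. No path means an unnamed socket.
        path = raw[2:]
        if path.startswith(b"\0"):
            name = "@" + path[1:].rstrip(b"\0").decode("utf-8", "replace")
        else:
            name = path.split(b"\0", 1)[0].decode("utf-8", "replace")
        return {"family": "unix", "path": name}

    # Anything else (netlink, packet, ...) is returned undecoded.
    return {"family": family, "raw": hexstr}


def saddr_from_record(line):
    """Decode the saddr= field of one record line. Errors are returned in the
    result instead of raised, so one bad record does not abort a log loop."""
    for token in line.split():
        if token.startswith("saddr="):
            value = token[len("saddr="):]
            try:
                return decode_saddr(value)
            except ValueError as err:
                return {"error": str(err), "raw": value}
    return {"error": "no saddr= field"}


if __name__ == "__main__":
    print(saddr_from_record(SAMPLE_RECORD))
```

The length check is the part worth keeping: a sockaddr_in that arrives with fewer than 8 bytes has no port to report, and returning 0 for it makes a truncation look like a real connect() to port 0.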

Re: Linux Auditd app for Splunk

2016-03-30 Thread Steve Grubb
Hello, On Wednesday, March 30, 2016 10:34:39 PM Douglas Brown wrote: > This week I released version 2 of the Linux Auditd app for Splunk: > https://splunkbase.splunk.com/app/2642/ > Be sure to let me know if you have any suggestions for improvements. Thanks for posting this. It's good to see uti

Re: auditd reports port number '0' for connect() system call

2016-03-30 Thread Steve Grubb
On Tuesday, March 29, 2016 11:19:24 PM Kangkook Jee wrote: > If I understood correctly, connect() should return error when sin_port field > is set with '0'. Would anyone explain this to me or help me with fix this > problem? I get 779 as the port from your event. -Steve

Re: EXT :Re: audit.rules setting

2016-03-22 Thread Steve Grubb
an be modified if you wanted to clear rules on shutdown. -Steve > -Original Message- > From: linux-audit-boun...@redhat.com [mailto:linux-audit-boun...@redhat.com] > On Behalf Of Steve Grubb Sent: Tuesday, March 22, 2016 10:06 AM > To: linux-audit@redhat.com > Subject: EXT :Re

Re: audit.rules setting

2016-03-22 Thread Steve Grubb
On Tuesday, March 22, 2016 12:55:25 PM Warron S French wrote: > Does the "-e 2" have to be the last line of the audit.rules file? Yes. Once it's sent to the kernel, the kernel rules tables are immutable. > Does it have to be listed prior to all of the syscalls and watches > configured in the file

Re: Strings encoding

2016-03-22 Thread Steve Grubb
Hello, On Tuesday, March 22, 2016 09:44:19 AM Lev Stipakov wrote: > The string values can be either enclosed in quotation marks or > hex-encoded. Is it safe to assume that sequence of bytes after hex > decoding is always utf-8 encoded string? There are no guarantees what they are. This is used wh
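An added example, not from this thread or from auparse, of handling field values the way the answer describes: a value is either quoted text or an unquoted hex string, and after hex decoding the bytes are kept as bytes because nothing guarantees they are UTF-8. Which fields are written this way is decided by field name, not by the shape of the value (a decimal pid looks like hex too); the set of encoded field names below is an assumed subset, and auparse's own field table is the authority. The record lines are constructed.

```python
import re

# Fields the kernel writes as either "quoted text" or unquoted hex. Assumed
# subset for illustration; auparse's field table is the authority.
ENCODED_FIELDS = {"proctitle", "comm", "exe", "cwd", "name", "path",
                  "acct", "key", "cmd", "dir", "data"}

# key=value tokens: a value is a double-quoted string or a run of non-spaces.
TOKEN_RE = re.compile(r'([A-Za-z_][\w-]*)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r"[0-9A-Fa-f]+")

# Constructed sample records (not from the thread).
SAMPLE_RECORDS = [
    # 'cat /etc/passwd'; argv entries are separated by NUL bytes, hence hex
    "type=PROCTITLE msg=audit(1459368000.123:4242): "
    "proctitle=636174002F6574632F706173737764",
    # a file name containing a Latin-1 byte (0xE9) that is not valid UTF-8
    "type=PATH msg=audit(1459368000.123:4242): item=0 name=2F746D702F636166E9 "
    "inode=42 mode=0100644",
    "type=SYSCALL msg=audit(1459368000.123:4242): arch=c000003e syscall=59 "
    "success=yes exit=0 pid=1234 auid=1000 comm=\"cat\" exe=\"/usr/bin/cat\" "
    "key=(null)",
]


def decode_value(field, raw):
    """Decode one field value.

    Only fields known to be encoded are touched: the value's shape is not
    enough, since pid=1234 is decimal even though it is also valid hex.
    Hex is decoded to bytes and left as bytes; the caller decides how to
    render them.
    """
    if field not in ENCODED_FIELDS:
        return raw
    if raw == "(null)":
        return None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if len(raw) % 2 == 0 and HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw)
    return raw


def parse_record(line):
    """Split one record line into a dict of decoded fields."""
    return {field: decode_value(field, raw) for field, raw in TOKEN_RE.findall(line)}


def to_text(value):
    """Display form: NULs become spaces (proctitle argv separators) and bytes
    that are not valid UTF-8 are shown as \\xNN escapes rather than dropped."""
    if isinstance(value, bytes):
        return value.replace(b"\0", b" ").decode("utf-8", "backslashreplace")
    return value


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        print({k: to_text(v) for k, v in parse_record(line).items()})
```

Keeping the decoded value as bytes until display time is the point: a consumer that assumes UTF-8 and uses a strict decode will either drop records or, with a lossy decode, silently alter a file name it is supposed to report.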

Re: AUDIT changes - true sense of security

2016-03-19 Thread Steve Grubb
On Friday, March 18, 2016 01:14:31 PM Warron S French wrote: > I have an issue, I believe, and I am asking for help on how to properly > address/assess it. > > I have been given guidance in support of auditing on CentOS-6.x systems: > > 1. To place various watch (-w) and action (-a) rules i

Re: AUDIT changes - true sense of security

2016-03-19 Thread Steve Grubb
u will need to read up on is ausearch which is used to examine the resulting logs. -Steve > Thanks for replying so quickly, sorry for being a nag. > > Warron French, MBA, SCSA > The Aerospace Corporation > > -Original Message- > From: Steve Grubb [mailto:sgr...@redha

Re: auditd and redhat cluster

2016-03-01 Thread Steve Grubb
On Tuesday, March 01, 2016 02:57:45 PM Maupertuis Philippe wrote: > The kernel is : 2.6.32-573.12.1.el6.x86_64 > And the whole audit.rules file is : > During the hour preceding the fence we got these events from the passive > node Key Summary Report > === > total key

Re: Regarding log_file_parser

2016-02-26 Thread Steve Grubb
On Saturday, February 27, 2016 12:22:05 AM 张晨峰 wrote: > when parsing the field "log_file", If the dir is examined nonexistent, why > don't create it ? what are the reasons for the design? It's assumed that the audit system is installed on a managed system. That means that it depends on the admi

Re: Regarding Auditing on RHEL 7.1

2016-02-25 Thread Steve Grubb
On Wednesday, February 24, 2016 07:04:08 AM Sarthak Jain wrote: > I am Sarthak Jain working in MicroFocus. I want your small help to clarify > one of my doubt regarding the kernel auditing on RHEL 7.1. I hope you are > the right person to contact. It will take just 2 min (max :P) to go through the > pro

Re: Audisp plugin and SELinux

2016-02-24 Thread Steve Grubb
On Wednesday, February 24, 2016 04:40:13 PM Lev Stipakov wrote: > My audisp plugin has a file-based database in /var/lib/xxx directory. I > noticed that on systems with SELinux enabled plugin cannot read/write > that file. > > According to ps, plugin is run under audisp_t domain: > > -bash-4.1$ p

Re: space_left_action syslog

2016-02-23 Thread Steve Grubb
On Tuesday, February 23, 2016 11:54:21 AM Maupertuis Philippe wrote: > The man page reads space_left_action : syslog means that it will issue a > warning to syslog. Please tell me where can I find an example of such a > message to look for it in the syslog ? https://fedorahosted.org/audit/browser/

Re: Running multiple audit service clients

2016-02-12 Thread Steve Grubb
On Thursday, February 11, 2016 03:19:27 PM Max Timchenko wrote: > I have read the docs on audispd(8) - is it something auditd and the other > client could use to enable multiple access? It sounds like audispd does > support multiple clients, but I would guess all clients would have to use > the aud

Re: Audit log Fields

2016-02-12 Thread Steve Grubb
On Friday, February 12, 2016 12:06:54 AM Burn Alting wrote: > Steve, > > Perhaps we could update the above document to advise users what they > should offer in such a proposal. Good point. Usually they come to the list and say I am working on a daemon that needs to write something to the audit l

Re: Audit log Fields

2016-02-12 Thread Steve Grubb
On Thursday, February 11, 2016 06:07:56 PM Sowndarya K wrote: > As of now there are so many proposed fields in the audit event log; if I > wanted one proposed field which is not of much use, which one can I > choose? The audit event known fields is kind of an agreement on what fields na

Re: Reserved fields in audit log structure

2016-02-12 Thread Steve Grubb
On Thursday, February 11, 2016 11:42:27 AM Sowndarya K wrote: > What are the reserved fields in audit log structure? There are known fields that kind of mean reserved because we expect them to be a certain way. It's documented here: http://people.redhat.com/sgrubb/audit/audit-events.txt and a te

Re: Running multiple audit service clients

2016-02-12 Thread Steve Grubb
On Wednesday, February 10, 2016 04:28:26 PM Max Timchenko wrote: > I have a situation where there are two audit clients on the same machine: > one of them is auditd, and another one is an IDS client that uses the audit > subsystem directly. It should not be designed that way. For compliance purpo

Re: Regarding Auditd fails to start

2016-02-03 Thread Steve Grubb
On Wed, 3 Feb 2016 07:57:52 -0500 Paul Moore wrote: > On Wed, Feb 3, 2016 at 6:16 AM, Steve Grubb wrote: > > On Wed, 3 Feb 2016 15:34:09 +0530 > > Sowndarya K wrote: > >> I am running docker container without privileges and now service > >> auditd

Re: Regarding Auditd fails to start

2016-02-03 Thread Steve Grubb
On Wed, 3 Feb 2016 15:34:09 +0530 Sowndarya K wrote: > I am running docker container without privileges and now service > auditd start fails to execute even I add capabilities to docker. > please try to help me as early as possible If auditd is being run inside a container, then it has problems b

Re: Current Red Hat Kernels 2.6.18 & 2.6.32 not able to have non-existent files in audit.rules?

2016-02-02 Thread Steve Grubb
On Tue, 2 Feb 2016 12:05:38 -0500 leam hall wrote: > Running into errors where we're pushing out a blanket audit.rules > file and some servers don't have some of the files. I've seen the -i > and -c suggestion for auditctl but wanted to confirm that that's the > right choice. We need to ensure wa
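An added example, not from this thread or from the audit package, of a pre-load check for an audit.rules file that catches the two problems raised in this thread and in the "-e 2" thread above: a watch on a path that does not exist on the target host (which some kernels reject, so that loading with auditctl -R stops at that line unless -i or -c is given), and a "-e 2" that is not the last line (once the kernel has locked the configuration it rejects every later rule). The sample rules are constructed, and the `exists` callback is injectable so the check can be run against a file list from the target host rather than the machine doing the checking.

```python
import os
import shlex

# Constructed sample audit.rules (not from the thread). Line 5 watches a file
# that will not exist on every host, and line 6 locks the rules too early.
SAMPLE_RULES = """\
# constructed sample
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /opt/app/secret.conf -p wa -k app
-e 2
-a always,exit -F arch=b64 -S execve -k exec
"""


def parse_rules(text):
    """Return (line_number, argv) for every non-blank, non-comment line."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            rules.append((lineno, shlex.split(stripped)))
    return rules


def watched_paths(argv):
    """Yield the paths a rule refers to: '-w PATH' or '-F path=PATH'."""
    for i, tok in enumerate(argv[:-1]):
        if tok == "-w":
            yield argv[i + 1]
        elif tok == "-F" and argv[i + 1].startswith("path="):
            yield argv[i + 1][len("path="):]


def check_rules(text, exists=os.path.exists):
    """Return [(line_number, message)] for ordering and missing-path problems.

    `exists` defaults to the local filesystem; pass a callable that consults
    a file list from the target host when the rules are built elsewhere.
    """
    findings = []
    rules = parse_rules(text)
    seen_rule = False  # a -w/-a/-A line has already been loaded
    for idx, (lineno, argv) in enumerate(rules):
        if argv[:2] == ["-e", "2"] and idx != len(rules) - 1:
            findings.append((lineno, "'-e 2' locks the configuration; the %d line(s) "
                             "after it will be rejected by the kernel (EPERM)"
                             % (len(rules) - idx - 1)))
        if argv[:1] == ["-D"] and seen_rule:
            findings.append((lineno, "'-D' deletes the rules loaded before this line"))
        for path in watched_paths(argv):
            if not exists(path):
                findings.append((lineno, "watched path %s does not exist; on kernels that "
                                 "reject such a watch, auditctl -R stops here unless "
                                 "run with -i or -c" % path))
        if argv[:1] in (["-w"], ["-a"], ["-A"]):
            seen_rule = True
    return findings


if __name__ == "__main__":
    # Pretend only /etc/passwd exists on the target host.
    for lineno, msg in check_rules(SAMPLE_RULES, exists=lambda p: p == "/etc/passwd"):
        print("line %d: %s" % (lineno, msg))
```

Run it on the file before `auditctl -R` or `augenrules --load`; a blanket rules file that is pushed to hosts with different package sets is exactly where the missing-path finding earns its keep, since the alternative is discovering a half-loaded ruleset after the fact.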

Re: audit 1.7.18 and auparse_feed_has_data

2016-02-01 Thread Steve Grubb
On Mon, 1 Feb 2016 13:48:42 +0200 Lev Stipakov wrote: > Hi, > > I have a Debian 7.9 which includes libaudit-devel-1.7.18. That > version does not have auparse_feed_has_data(). Its implementation > looks simple, however it uses au_lo, which is declared as static in > auparse.c and therefore canno

Re: audit rules placement

2016-01-29 Thread Steve Grubb
On Fri, 29 Jan 2016 12:37:31 +0200 Lev Stipakov wrote: > Hello, > > I have a rpm/deb package which includes audisp plugin. In order for the > plugin to work, I need to permanently add audit rules. It seems that > for Centos/RHEL 7 I need to put those > into audit.rules and for Centos/RHEL6 (and > proba

Re: Auditing network traffic

2016-01-21 Thread Steve Grubb
On Thursday, January 21, 2016 10:49:37 PM Lev Stipakov wrote: > Sorry, I probably was not clear here. I am able to catch packets by > adding iptables rules like ones you've mentioned and process events > (with record type AUDIT_NETFILTER_PKT) by code inside my plugin. > > The problem is, I would p

Re: Auditing network traffic

2016-01-21 Thread Steve Grubb
On Thursday, January 21, 2016 11:49:13 AM Lev Stipakov wrote: > Thank you for your comments! It seems that AUDIT target is better option > than hooking syscalls and managing fds. I don't have to look inside > traffic, just src/dest and bytes count is enough for me. > > What would be the performanc

Re: Auditing network traffic

2016-01-20 Thread Steve Grubb
means only outbound sys_connect calls) > > -a exit,always -F arch=b32 -S socketcall -F a0=3 -k network_outbound32 > > > -Farhan > > PS: I'd appreciate if someone could poke holes in this. > > On Wed, Jan 20, 2016 at 10:29 AM, Steve Grubb wrote: > > On Wedn

Re: Auditing network traffic

2016-01-20 Thread Steve Grubb
On Wednesday, January 20, 2016 10:18:29 AM Steve Grubb wrote: > > I work on an audisp plugin which audits network traffic – what process > > has send/received data to/from what remote address. So far I see 2 ways > > of accomplishing that: > > > > Hook syscalls

Re: Auditing network traffic

2016-01-20 Thread Steve Grubb
On Wednesday, January 20, 2016 04:26:34 PM Lev Stipakov wrote: > Hello, > > I work on an audisp plugin which audits network traffic – what process > has send/received data to/from what remote address. So far I see 2 ways > of accomplishing that: > > Hook syscalls. First, hook socket call with af_

Re: Use case not covered by the audit library?

2016-01-11 Thread Steve Grubb
On Wednesday, January 06, 2016 08:27:31 PM Gulland, Scott A wrote: > > What I would suggest in a case like this is to create a small utility that > > generates the exact report that you want. The auparse library makes that > > super easy. I can dig up the skeleton code for something like this if yo

audit 2.5 released

2016-01-11 Thread Steve Grubb
Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - Make augenrules the default method to load audit rules - Put rules in its own directory and break out rules into grou

Re: Patch to add support for more syslog facilities

2016-01-11 Thread Steve Grubb
On Saturday, January 09, 2016 12:56:50 AM Aleksander Adamowski wrote: > The set of syslog facilities that can be configured for the built-in syslog > plugin is pretty limited (LOG_LOCAL0 - LOG_LOCAL9). > > This patch adds a bunch of other facilities that might make sense for some > people (like us

Re: Excluding selected CRYPTO_KEY_USER events

2016-01-09 Thread Steve Grubb
On Saturday, January 09, 2016 10:26:06 AM Richard Young wrote: > I know I could exclude all msgtype CRYPTO_KEY_USER audit events, but would > like to exclude just specific ones. > I would like to exclude ones for a specific UID, hostname, or IP. > > There are many example of how to exclude specifi

Re: Patch to auparse to handle out of order messages 3 of 3

2016-01-07 Thread Steve Grubb
things I want to add in the next development cycle is the ability to get rid of proctitle records if the admin wants to. They waste a lot of space. But if they are missing then we have the same performance as we did before I added this patch. -Steve > On Thu, 2016-01-07 at 17:31 -0500, Steve Gru

Re: Patch to auparse to handle out of order messages 3 of 3

2016-01-07 Thread Steve Grubb
On Wednesday, January 06, 2016 09:30:36 PM Burn Alting wrote: > #3 - modify the standard auparse() test code. And this patch is applied. Thanks, Burn, for all the patches! This will make analytical programs much more accurate since interlaced records won't split an event up any more. If anyone

Re: Patch to auparse to handle out of order messages 2 of 3

2016-01-06 Thread Steve Grubb
d, 2016-01-06 at 10:45 -0500, Steve Grubb wrote: > > On Wednesday, January 06, 2016 09:29:54 PM Burn Alting wrote: > > > #2 - the 'lol' patch itself. Integrate the ausearch/aureport 'lol' code > > > into auparse() and adjust auparse() to deal with mai

Re: Use case not covered by the audit library?

2016-01-06 Thread Steve Grubb
On Wednesday, January 06, 2016 06:03:58 PM Gulland, Scott A wrote: > > -Original Message- > > From: Steve Grubb [mailto:sgr...@redhat.com] > > It has to be a field name that auparse expects to be encoded. > > > > > So I plan on using the "op", &q

Re: Use case not covered by the audit library?

2016-01-06 Thread Steve Grubb
On Tuesday, January 05, 2016 09:59:25 PM Gulland, Scott A wrote: > > -Original Message- > > From: Steve Grubb [mailto:sgr...@redhat.com] > > Sent: Thursday, December 17, 2015 6:51 PM > > > > > > My problem is I don't know what the proper set

Re: Patch to auparse to handle out of order messages 2 of 3

2016-01-06 Thread Steve Grubb
On Wednesday, January 06, 2016 09:29:54 PM Burn Alting wrote: > #2 - the 'lol' patch itself. Integrate the ausearch/aureport 'lol' code > into auparse() and adjust auparse() to deal with maintain an incore list > of incomplete events. Quick question...there is this: #define LOL_EVENTS

Re: Patch to auparse to handle out of order messages 1 of 3

2016-01-06 Thread Steve Grubb
On Wednesday, January 06, 2016 09:29:17 PM Burn Alting wrote: > The following three patches address this problem. > > #1 - convert the existing code to change auparse's auparse_state_t (aka > struct opaque) event_list_t element 'le' to be a pointer, so the 'lol' > code can more seamlessly fit in.

Re: How to monitor audit/audispd killed

2016-01-05 Thread Steve Grubb
Restart= option to restart a critical service if it shuts down. That said, an admin can always shutdown the audit service if they want to. Are you having problems with audispd or just trying to be careful with a design? Hope this helps... -Steve > On Tuesday, January 5, 2016, Steve Grubb

Re: How to monitor audit/audispd killed

2016-01-05 Thread Steve Grubb
On Tuesday, January 05, 2016 06:08:54 PM Matthew Chao wrote: > >"You can watch audispd, but I don't think that will help anything. > > my program totally depends on audispd to dispatch audit messages. I think > audispd need more robust mechanisms to monitor itself killed, otherwise > which inevita

Re: Aureport on Centos 7 : Strange behavior

2016-01-05 Thread Steve Grubb
On Tuesday, January 05, 2016 10:34:17 AM Maupertuis Philippe wrote: > I came across a strange aureport behavior that would amount to a bug unless > But If I request a ten minutes interval or a five minutes interval not > starting at zero or five aureport hangs ! > > [root@odbfi021s ~]# aureport

Re: How to monitor audit/audispd killed

2016-01-04 Thread Steve Grubb
On Tuesday, January 05, 2016 03:29:31 AM Matthew Chao wrote: > >You have a race condition where auditd gets a signal to shutdown and an > event indicating that shutdown is occurring. On shutdown, the audit daemon > does not alter the rules or whether auditing is enabled. (This was to get > shutdown

Re: Using a watch to find who is using a file

2016-01-04 Thread Steve Grubb
On Monday, January 04, 2016 04:49:13 PM Maupertuis Philippe wrote: > Hi list > Our dbas complained that vim swap file were renamed instead of being deleted > With an audit watch we were able to tell them to stop their silly cron > rename job :) However, the audit log is missing an important piece

Re: How to monitor audit/audispd killed

2016-01-04 Thread Steve Grubb
On Monday, January 04, 2016 08:10:29 PM Matthew Chao wrote: > Hi, > > I added the following rules in audit.rules for monitoring auditd/audispd be > killed(audit ver: 1.8), > = > -a exit,always -F perm=wa -F path=/var/run/auditd.pid -k cfg > > -a exit,always -F perm=wa -F path=/var/run

Re: audit 2.4.5 released

2016-01-02 Thread Steve Grubb
On Friday, January 01, 2016 04:41:01 PM Burn Alting wrote: > On Fri, 2015-12-18 at 14:49 -0500, Steve Grubb wrote: > > Hello, > > > > I've just released a new version of the audit daemon. It can be downloaded > > from http://people.redhat.com/sgrubb/audit. It will

auditd performance

2015-12-27 Thread Steve Grubb
Hello, I've been looking into auditd's performance. The first thing I did was to measure the rate at which it could log things with various settings. To do this test, I had 2 windows open. One to start auditd from the command line without systemd interference and one to run a script as follows

Re: New draft standards

2015-12-27 Thread Steve Grubb
On Sunday, December 27, 2015 11:30:59 AM Burn Alting wrote: > I'll start with the statement I am happy to enhance the audit capability > of Linux in any way (read that as a direct offer to help). Thanks! > > I'm somewhat interested in this. I'm just not sure where the best place to > > do all th

Re: New draft standards

2015-12-26 Thread Steve Grubb
On Thursday, December 24, 2015 09:44:00 AM Burn Alting wrote: > On Fri, 2015-12-18 at 16:12 +1100, Burn Alting wrote: > > On Tue, 2015-12-15 at 08:46 -0500, Steve Grubb wrote: > > > On Tuesday, December 15, 2015 09:12:54 AM Burn Alting wrote: > > > > I use a propri

Re: [PATCH V3 1/2] audit: stop an old auditd being starved out by a new auditd

2015-12-22 Thread Steve Grubb
On Tuesday, December 22, 2015 09:24:56 AM Paul Moore wrote: > On Tuesday, December 22, 2015 04:03:06 AM Richard Guy Briggs wrote: > > Nothing prevents a new auditd starting up and replacing a valid > > audit_pid when an old auditd is still running, effectively starving out > > the old auditd since

Re: [PATCH V2 1/2] audit: stop an old auditd being starved out by a new auditd

2015-12-21 Thread Steve Grubb
On Monday, December 21, 2015 04:48:00 PM Paul Moore wrote: > On Wednesday, December 16, 2015 11:23:19 AM Steve Grubb wrote: > > On Wednesday, December 16, 2015 10:42:32 AM Richard Guy Briggs wrote: > > > Nothing prevents a new auditd starting up and replacing a valid > >

Re: audit 2.4.5 released

2015-12-18 Thread Steve Grubb
On Friday, December 18, 2015 04:08:07 PM Paul Moore wrote: > On Fri, Dec 18, 2015 at 2:49 PM, Steve Grubb wrote: > > Hello, > > > > I've just released a new version of the audit daemon. It can be downloaded > > from http://people.redhat.com/sgrubb/audit. It will

audit 2.4.5 released

2015-12-18 Thread Steve Grubb
Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - Fix auditd disk flushing for data and sync modes - Fix auditctl to not show options not supported on older OS - Add a

Re: Simple bug fix for PROCTITLE not being recognised with ausearch --debug check

2015-12-18 Thread Steve Grubb
On Friday, December 18, 2015 02:20:44 PM Burn Alting wrote: > Steve, > > When ausearch is given the --debug option, malformed events are written > to stderr. The PROCTITLE type record is considered to be malformed. This > patch corrects for this. Thanks! Applied. -Steve

Re: Use case not covered by the audit library?

2015-12-17 Thread Steve Grubb
On Thursday, December 17, 2015 01:10:03 AM Richard Guy Briggs wrote: > > No, this is an HTTP server that handles standard HTTP requests like GET, > > POST, PUT, and DELETE. The URI specifies what resource is being acted > > upon. These requests could come from something as simple as curl, or a >

Re: [PATCH V2 1/2] audit: stop an old auditd being starved out by a new auditd

2015-12-16 Thread Steve Grubb
Hello Richard, Public reply this time. :-) On Wednesday, December 16, 2015 10:42:32 AM Richard Guy Briggs wrote: > Nothing prevents a new auditd starting up and replacing a valid > audit_pid when an old auditd is still running, effectively starving out > the old auditd since audit_pid no longer

Re: Use case not covered by the audit library?

2015-12-16 Thread Steve Grubb
Hello, On Tuesday, December 15, 2015 05:13:14 AM Gulland, Scott A wrote: > I have a fairly common use case that I'm not sure is covered by the audit > library and I need some advice on how best to handle it. I have a daemon > running as root that services REST API calls (or a web UI from a brows

Re: New draft standards

2015-12-15 Thread Steve Grubb
On Tuesday, December 15, 2015 09:12:54 AM Burn Alting wrote: > I use a proprietary ELK-like system based on ausearch's -i option. I would > like to see some variant outputs from ausearch that "packages" events into > parse-friendly formats (json, xml) that also incorporates the local > transformati

Re: Weird timestamp length constraint in auparse.c

2015-12-14 Thread Steve Grubb
Hello, On Wednesday, December 09, 2015 06:10:08 PM Santosh Ananthakrishnan wrote: > auparse breaks if supplied events with timestamps that are less than 10 > characters long, including the milliseconds field. This should never happen > in production, but it can make for fairly mysterious output du

Re: New draft standards

2015-12-14 Thread Steve Grubb
On Thursday, December 10, 2015 12:40:55 PM F Rafi wrote: > My comments are more from a log user (not developer) perspective. We are > exporting close to 10GB/day of mostly auditd logs. This will potentially go > up to 20GB/day next year. > > I'd prefer the ability to translate all auditd logs befor

Re: New draft standards

2015-12-10 Thread Steve Grubb
On Wed, 09 Dec 2015 12:43:37 +1100 Burn Alting wrote: > On Tue, 2015-12-08 at 19:28 -0500, Paul Moore wrote: > > On Tuesday, December 08, 2015 03:25:22 PM Steve Grubb wrote: > > > On Tuesday, December 08, 2015 02:58:18 PM Paul Moore wrote: > > > > On Tue, Dec 8

Re: New draft standards

2015-12-09 Thread Steve Grubb
On Tue, 08 Dec 2015 19:28:22 -0500 Paul Moore wrote: > Okay, let's not call these "standards" and just stick with > "specifications". The term standards has all sorts of connotations > associated with it, both good and bad, and I think we should be clear > when we start talking with other develope

Re: New draft standards

2015-12-08 Thread Steve Grubb
On Tuesday, December 08, 2015 03:49:58 PM Richard Guy Briggs wrote: > On 15/12/08, Steve Grubb wrote: > > Hello, > > > > I would like to point out 2 new standards that have been posted to the > > linux audit web page. The first establishes the events around system >

Re: New draft standards

2015-12-08 Thread Steve Grubb
On Tuesday, December 08, 2015 02:58:18 PM Paul Moore wrote: > On Tue, Dec 8, 2015 at 2:22 PM, Steve Grubb wrote: > > Hello, > > > > I would like to point out 2 new standards that have been posted to the > > linux audit web page. The first establishes the events aro

New draft standards

2015-12-08 Thread Steve Grubb
Hello, I would like to point out 2 new standards that have been posted to the linux audit web page. The first establishes the events around system start up and shutdown. This is important because it sets the session boundaries for when a system is up or down or crashed. http://people.redhat.co

Re: Audit Framework and namespaces

2015-12-08 Thread Steve Grubb
On Tuesday, December 08, 2015 11:10:56 AM Richard Guy Briggs wrote: > On 15/12/08, Gulland, Scott A wrote: > > It took a month to get an Open Switch linux image put together that > > contains the audit framework. I've just started playing with it and > > have noticed that "auditd" exits with an

Re: filtering system calls with auid -1

2015-11-18 Thread Steve Grubb
On Wednesday, November 18, 2015 03:54:58 PM ocakan wrote: > Hello Steve! > > Thank you for your feedback. Somehow I still do not fully understand how > the filtering with -F works. > > Regarding your questions: commands executed by root user, including > subshells, subcmds from script are fine fo

Re: filtering system calls with auid -1

2015-11-17 Thread Steve Grubb
On Tuesday, November 17, 2015 10:38:17 AM ocakan wrote: > My aim is to audit only commands executed by root (interactively) and avc > denied messages (selinux) I have some questions to help clarify. Command executed by root, or the root user? Root is uid = 0, Root user is uid = 0 && auid >= 500 &

Re: audit log still getting rotated even with max_log_file_action = ignore?

2015-11-06 Thread Steve Grubb
On Friday, November 06, 2015 10:07:24 AM Bond Masuda wrote: > On 11/02/2015 03:32 PM, Steve Grubb wrote: > > I took a quick look at the code. I can't see how this is happening > > unless auditd is receiving a SIGUSR1 signal. You might want to put > > some syslog calls in

Re: SELinux policy reload cannot be sent to audit system

2015-11-05 Thread Steve Grubb
On Thursday, November 05, 2015 09:32:09 AM Laurent Bigonville wrote: > On 05/11/15 04:23, Steve Grubb wrote: > > On Tuesday, November 03, 2015 09:48:31 PM Laurent Bigonville wrote: > >> On 03/11/15 21:08, Richard Guy Briggs wrote: > >>> On 15/11/03, Steve

Re: SELinux policy reload cannot be sent to audit system

2015-11-05 Thread Steve Grubb
On Thursday, November 05, 2015 10:26:17 AM Laurent Bigonville wrote: > On 05/11/15 09:32, Laurent Bigonville wrote: > > On 05/11/15 04:23, Steve Grubb wrote: > >> I tested this on Fedora 22 and did not get a USER_AVC from dbus, but > >> I also did not get an err

Re: SELinux policy reload cannot be sent to audit system

2015-11-04 Thread Steve Grubb
On Tuesday, November 03, 2015 09:48:31 PM Laurent Bigonville wrote: > On 03/11/15 21:08, Richard Guy Briggs wrote: > > On 15/11/03, Steve Grubb wrote: > >> On Tuesday, November 03, 2015 06:12:07 PM Laurent Bigonville wrote: > >>> I'm running in permissive mode

Re: SELinux policy reload cannot be sent to audit system

2015-11-03 Thread Steve Grubb
On Tuesday, November 03, 2015 06:12:07 PM Laurent Bigonville wrote: > On 03/11/15 17:28, Steve Grubb wrote: > > On Tuesday, November 03, 2015 05:05:55 PM Laurent Bigonville wrote: > >> Hi, > >> > >> With dbus 1.10.2 (on Debian), when I'm running "
