Hi Steve Grubb and Linux-Audit team,
I'm Vish and I am a newbie to auditd. My requirement is to log only
shell/bash commands and custom commands executed by administrator users.
I have created these rules in /etc/audit/rules.d/audit.rules, to ensure
SYSCALL, EXECVE are being added to audit.log for
On Saturday 12 January 2008 08:45:09 Abhishek Gupta wrote:
> msg=audit(1116360555.329:2401771).
>
> How do I interpret the above message? What do 1116360555, 329 and 2401771 mean here?
seconds.msec:serial number
The seconds can be converted with ctime().
> By looking at this type of audit message how ca
msg=audit(1116360555.329:2401771).
How do I interpret the above message? What do 1116360555, 329 and 2401771 mean here?
By looking at this type of audit message, how can I interpret all the things
related to a particular process?
If I want to trace all syscalls called by a particular process, how do I do that
wi
I am running audit-1.0.15-3.EL4 on a RHEL ES 4 system, fully patched. I am
trying to learn the meaning of the output of aureport. For example, if I
want to look at failed events, could you tell me what the following means?
That is, how do I know from this what is failing, and why?
[EMAIL PROTECT
RHEL 5
Have two events having difficulty capturing or reviewing with the audit
sub-system.
1. su - "non_existent_account". Using the nispom.rules provided by audit
1.5.6-1. Using various ausearch parameters, I am unable to find a
corresponding failure when attempting to "su" to a non-existent accou
On Thursday 24 May 2007 10:03, Kirkwood, David A. wrote:
> How do I place a watch on files that are being rotated?
I suspect the files have to exist to place a watch on them. You can just touch
them to create them empty. ausearch/aureport probably doesn't care. We are
working on a directive to a
How do I place a watch on files that are being rotated? For example: I
want to audit the audit logs themselves , and when they are rotated I
need to watch the new audit log that is created as well as the rotated
logs.
Thanks,
David A. Kirkwood
--
Linux-audit mailing list
Linux-audit@
On Friday 20 April 2007 20:24, paul moore wrote:
> A) sometimes as root I echo to /proc/self/loginuid and it is ignored. Why?
Show me an example.
> There is no error message
Not sure if '>' outputs error messages.
> B) always if I echo to /proc... as non root it is ignored (as it should be)
> b
On Friday 20 April 2007 18:13:17 paul moore wrote:
> My understanding is that the auid/loginid process property is to allow the
> audit system to *really* know who did things. In particular, it seems to be
> for tracking who did things when they run su or sudo.
Yep.
> But it seems to be trivial to s
My understanding is that the auid/loginid process property is to allow the
audit system to *really* know who did things. In particular, it seems to be
for tracking who did things when they run su or sudo.
But it seems to be trivial to spoof it:
login as: paul
[EMAIL PROTECTED]'s password:
Last login
Kirkwood, David A. wrote:
When I view the events related to xscreensaver for a locked screen I
get 2 separate audit entries, one for a failure and 1 as a success. Both
have the same uid, euid, etc. Actually, the entries are exactly the same
except for the event number and the success outcome. I have the
xscreensaver execu
On Wednesday 03 May 2006 13:21, Kirkwood, David A wrote:
> I don't see any timestamps on audit events. How can I bracket events
> between two dates/times?
The ausearch utility was created to view the audit records. It extracts that
information from the event. Can you give that a try?
ausearch -t
I don't see any timestamps on audit events. How can I
bracket events between two dates/times?