So, here is the tree structure for auditd and audisp in Ubuntu.
root@dns:/etc# ls -l audit/rules.d/*
total 4
-rw-r- 1 root root 373 Jan 18 2016 audit.rules
root@dns:/etc#
root@dns:/etc# ls -l audisp/*
total 20
-rw-r- 1 root root 211 Jan 18 2016 audispd.conf
-rw-r--r-- 1 ro
Hello,
On Saturday, September 23, 2017 2:29:47 PM EDT Rituraj Buddhisagar wrote:
> As per the config file which I had sent (/etc/audit/audit.rules), the line
> below has root_action:
>
> -a exit,always -S all -F euid=0 -F perm=wxa -F auid!=4294967295 -k
> root_action
If you wanted just people and n
Hi Steve,
As per the config file which I had sent (/etc/audit/audit.rules), the line
below has root_action:
-a exit,always -S all -F euid=0 -F perm=wxa -F auid!=4294967295 -k
root_action
I do not see root_action anywhere else in /etc/audit/* or /etc/audisp/*.
Thanks!
Best Regards,
Rituraj B
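A small parser for the rule syntax discussed in this thread, as an added example (not code from the list or from the audit project): it reads -a/-S/-F/-k rule lines and reports which exit rules lack the auid!=4294967295 filter that stopped the flood described above. It handles only those four options, and the sample rules other than the one quoted in the thread are constructed.

```python
"""Parse auditd syscall rules (the '-a list,action -S ... -F ... -k key' lines in
/etc/audit/audit.rules) and flag those that also fire for daemons, whose login
UID (auid) is unset (4294967295, i.e. -1). Added example; handles -a/-S/-F/-k only."""
import re
import shlex

UNSET_AUID = {"4294967295", "-1", "unset"}      # spellings auditctl accepts
FIELD_RE = re.compile(r"^([a-z0-9_]+)(!=|>=|<=|=|>|<)(.+)$")

def parse_rule(line):
    """Return {'list','action','syscalls','filters','key'} for one rule line."""
    rule = {"list": None, "action": None, "syscalls": [], "filters": [], "key": None}
    tokens = shlex.split(line.split("#", 1)[0])
    for opt, arg in zip(tokens[::2], tokens[1::2]):
        if opt == "-a":   # auditctl accepts 'exit,always' and 'always,exit'
            rule["list"], rule["action"] = sorted(
                arg.split(","), key=lambda s: s in ("always", "never"))
        elif opt == "-S":
            rule["syscalls"] += arg.split(",")
        elif opt == "-F":
            m = FIELD_RE.match(arg)
            if not m:
                raise ValueError("bad field: " + arg)
            rule["filters"].append(m.groups())   # (name, op, value)
        elif opt == "-k":
            rule["key"] = arg
        else:
            raise ValueError("unsupported option: " + opt)
    return rule

def excludes_unset_auid(rule):
    # True if the rule drops events from processes that have no login UID
    return any(n == "auid" and op == "!=" and v in UNSET_AUID
               for n, op, v in rule["filters"])

def noisy_keys(rules_text):
    """Keys of exit rules that match every process, daemons included."""
    keys = []
    for line in rules_text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            rule = parse_rule(line)
            if rule["list"] == "exit" and not excludes_unset_auid(rule):
                keys.append(rule["key"])
    return keys

# Constructed sample: the thread's rule plus two made-up variants of it.
SAMPLE_RULES = """\
-a exit,always -S all -F euid=0 -F perm=wxa -F auid!=4294967295 -k root_action
-a always,exit -S all -F euid=0 -F perm=wxa -k root_action_noisy
-a always,exit -F arch=b64 -S bind -F auid!=-1 -k net_bind
"""
```

Running noisy_keys(SAMPLE_RULES) returns ['root_action_noisy'], the only rule that would also match daemons such as the DNS server.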
O
On Saturday, September 23, 2017 10:08:40 AM EDT Rituraj Buddhisagar wrote:
> Continued from my previous mail...
>
> While I am reading and exploring much on auditd and on how I can have a
> proper central system where logs are stored and daily reports get
> generated, you might want to look at
Hi Steve,
Thanks for the response.
Suppressing the events with -F auid!=4294967295 worked.
I am seeing that events like "vi", "chmod" etc. are getting audited by the
system, even as a root account.
I am yet to understand fully though on various rule sets and also on
components like audisp / audis
Continued from my previous mail...
While I am reading and exploring much on auditd and on how I can have a
proper central system where logs are stored and daily reports get
generated, you might want to look at my config file on the server and
suggest/recommend if anything - would appreciate if any
Hello,
On Friday, September 22, 2017 1:09:19 AM EDT Rituraj Buddhisagar wrote:
> I have a DNS server for which auditd was generating a lot of system calls
> and flooding the logs.
> Due to this the server was under heavy memory usage as audisp-remote was
> hogging the memory. The log output fo
Hi,
I have a DNS server for which auditd was generating a lot of system calls
and flooding the logs.
Due to this the server was under heavy memory usage as audisp-remote was
hogging the memory. The log output for audisp-remote showed that the
syscall was 49. Then I got to know from ausyscall c