On Monday, June 25, 2018 4:59:59 PM EDT Skaggs, Nicholas C wrote:
> Hello
> I noticed in the man page for auditctl, an example of how to monitor if
> admins are accessing other user's files. I created a rule like the one in
> the example. This is great that it is pulling the action and user calling
On Thursday, June 28, 2018 6:28:55 PM EDT Paul Moore wrote:
> On Thu, Jun 14, 2018 at 4:23 PM Richard Guy Briggs wrote:
> > Give a clue as to the source of mark, watch and tree rule changes.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/50
> > See: https://github.com/linux-audit
t data in the raw format.
-Steve
> On Mon, Jun 25, 2018 at 5:28 PM, Steve Grubb wrote:
> > On Monday, June 25, 2018 4:59:59 PM EDT Skaggs, Nicholas C wrote:
> > > Hello
> > > I noticed in the man page for auditctl, an example of how to monitor if
> > > admins
On Thursday, July 12, 2018 7:36:32 AM EDT Ondrej Mosnacek wrote:
> The function logs an FD_PATH record that is associated with the current
> syscall. The record associates the given file descriptor with the
> current path of the file under it (if it is possible to retrieve such
> path). The reader
Hello,
This is to let everyone know that an audit-3.0 pre-release is being made.
The big change that is prompting this email is that there is a config change
that people might need to be aware of. One of the improvements is to drop
audispd (realtime audit event dispatcher) and merge its functio
On Wednesday, July 18, 2018 2:36:11 PM EDT Paul Moore wrote:
> > Changes in v2:
> > - The audit_adjtime() function has been modified to only log those
> > fields that contain values that are actually used, resulting in more
> > compact records.
> > - The audit_adjtime() call has been moved to do_ad
On Wednesday, July 18, 2018 3:59:24 PM EDT Paul Moore wrote:
> On Wed, Jul 18, 2018 at 3:36 PM Steve Grubb wrote:
> > On Wednesday, July 18, 2018 2:36:11 PM EDT Paul Moore wrote:
> > > > Changes in v2:
> > > > - The audit_adjtime() function has been modified to o
On Thursday, July 19, 2018 2:16:39 PM EDT Venkata Neehar Kurukunda wrote:
> Hi,
>
> I am writing this email to report an issue while using audit inside a
> docker container (with CentOS 7.5 as base layer). It installs fine, but,
> when I try to do service auditd start, it fails with the message"
>
On Saturday, July 21, 2018 4:29:30 PM EDT Richard Guy Briggs wrote:
> > > + * audit_log_contid - report container info
> > > + * @tsk: task to be recorded
> > > + * @context: task or local context for record
> > > + * @op: contid string description
> > > + */
> > > +int audit_log_contid(struct task
On Sunday, July 22, 2018 4:55:10 PM EDT Richard Guy Briggs wrote:
> On 2018-07-22 09:32, Steve Grubb wrote:
> > On Saturday, July 21, 2018 4:29:30 PM EDT Richard Guy Briggs wrote:
> > > > > + * audit_log_contid - report container info
> > > > > + * @tsk: tas
On Monday, July 23, 2018 11:11:48 AM EDT Richard Guy Briggs wrote:
> On 2018-07-23 09:19, Steve Grubb wrote:
> > On Sunday, July 22, 2018 4:55:10 PM EDT Richard Guy Briggs wrote:
> > > On 2018-07-22 09:32, Steve Grubb wrote:
> > > > On Saturday, July 21, 2018 4:2
On Friday, July 20, 2018 6:15:00 PM EDT Paul Moore wrote:
> On Wed, Jun 6, 2018 at 1:03 PM Richard Guy Briggs wrote:
> > Add audit container identifier auxiliary record(s) to NETFILTER_PKT
> > event standalone records. Iterate through all potential audit container
> > identifiers associated with
On Tuesday, July 24, 2018 6:15:54 PM EDT Paul Moore wrote:
> On Tue, Jul 24, 2018 at 10:12 AM Ondrej Mosnacek
wrote:
> > OK, so I just wrote a small script to see what PATH records would be
> > generated for a renameat(2) syscall with non-AT_FDCWD fd arguments,
> > and it seems the current implem
On Wednesday, July 25, 2018 3:44:07 AM EDT Ondrej Mosnacek wrote:
> On Wed, Jul 25, 2018 at 3:11 AM Steve Grubb wrote:
> > On Tuesday, July 24, 2018 6:15:54 PM EDT Paul Moore wrote:
> > > On Tue, Jul 24, 2018 at 10:12 AM Ondrej Mosnacek
> > >
> > > > Beyo
On Wednesday, July 25, 2018 9:02:50 AM EDT Ondrej Mosnacek wrote:
> On Wed, Jul 25, 2018 at 2:48 PM Steve Grubb wrote:
> > On Wednesday, July 25, 2018 3:44:07 AM EDT Ondrej Mosnacek wrote:
> > > On Wed, Jul 25, 2018 at 3:11 AM Steve Grubb wrote:
> > > > On Tuesday
Hello,
On Wednesday, August 1, 2018 12:54:17 PM EDT James Davis wrote:
> Here is my general question. I have not found an answer in the auditd docs.
>
> auditd records timestamps. What time do these timestamps represent?
> - After syscall is issued but before any action begins in kernel-space?
>
On Monday, August 20, 2018 5:56:04 AM EDT Frederik Bosch wrote:
> As I have not found a location anywhere else on the web, I am sending my
> question to this list. I have an Ubuntu 18.04 machine with auditd and it
> acts as a Docker Host machine. I have hardened the system via this
> package: https
ason why that would
> be? I have also asked this question to the owner of the package. I will
> reduce the number of delete calls to specific locations and disable
> watches for /home as they seem to be inappropriate for my use case.
>
> Regards,
> Frederik
>
> On 20-08-18
On Wednesday, August 22, 2018 10:49:20 AM EDT Frederik Bosch wrote:
> Hi Steve,
>
> That was really helpful, again. My aureport looks much healthier now! I
> have one remaining question. When running auditctl -s I still have a lost
> value of 51 after boot.
>
> enabled 2
> failure 1
> pid 779
> rat
On Friday, August 24, 2018 8:59:10 AM EDT Ondrej Mosnacek wrote:
> On Thu, Aug 2, 2018 at 1:45 PM Ondrej Mosnacek wrote:
> > When a relative path has just a single component and we want to emit a
> > nametype=PARENT record, the current implementation just reports the full
> > CWD path (which is al
On Wednesday, August 22, 2018 5:27:17 PM EDT Paul Moore wrote:
> On Tue, Aug 21, 2018 at 3:21 AM Miroslav Lichvar
wrote:
> > > On Mon, 20 Aug 2018, Ondrej Mosnacek wrote:
> > > > @John or other timekeeping/NTP folks: We had a discussion on the
> > > > audit
> > > > ML on which of the internal tim
On Friday, August 24, 2018 11:00:35 AM EDT Paul Moore wrote:
> On Thu, Aug 2, 2018 at 8:03 PM Paul Moore wrote:
> > On Thu, Aug 2, 2018 at 7:45 AM Ondrej Mosnacek
wrote:
> > > When a relative path has just a single component and we want to emit a
> > > nametype=PARENT record, the current impleme
serspace/issues/51
> See: https://github.com/linux-audit/audit-testsuite/issues/64
> See:
> https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
>
> Signed-off-by: Richard Guy Briggs
> Acked-by: Serge Hallyn
> Acked-by: Steve Grubb
> ---
>
> https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
> Signed-off-by: Richard Guy Briggs
> Acked-by: Serge Hallyn
> Acked-by: Steve Grubb
> ---
> include/linux/audit.h | 7 +++
> include/uapi/linux/audit.h | 1 +
> kernel/audit.c
On Monday, August 27, 2018 5:13:17 AM EDT Ondrej Mosnacek wrote:
> On Mon, Aug 27, 2018 at 9:50 AM Miroslav Lichvar
wrote:
> > On Fri, Aug 24, 2018 at 02:00:00PM +0200, Ondrej Mosnacek wrote:
> > > This patch adds two auxiliary record types that will be used to
> > > annotate
> > > the adjtimex S
Hello,
On Wednesday, August 29, 2018 9:53:05 AM EDT Maupertuis Philippe wrote:
> I have tried to get the SOFTWARE_UPDATE events on a new RHEL 7.6 beta 1
> with audit rebased on 2.8.4 When installing a new rpm I get the
> corresponding event.
> The text format is very easily readable :)
> Unfortun
On Friday, September 7, 2018 7:30:09 AM EDT Osama Elnaggar wrote:
> Hi,
>
> I'm working on a custom audispd plugin written in Python 3. It’s a work in
> progress and I’ve successfully run it numerous times as an audispd plugin.
> However, I sometimes make modifications that result in the audispd
Hello,
On Friday, September 7, 2018 9:19:34 AM EDT Osama Elnaggar wrote:
> I tried it but the problem still only shows up when it runs as a plugin.
> Also, the script basically does some processing on the records and extracts
> certain data from records of interest, so it should run fine regardles
On Tuesday, September 11, 2018 8:14:05 AM EDT khalid fahad wrote:
> Hi,
> I need help to decode the following records in audit.log. Thanks
> type=PROCTITLE msg=audit(1.000:000):
> proctitle=726D002F7661722F6C6F672F736563757265 type=PATH
> msg=audit(1.000:000): item=1 name="/var/log/
On Thursday, September 13, 2018 9:58:32 AM EDT Ondrej Mosnacek wrote:
> On Fri, Aug 24, 2018 at 4:56 PM Steve Grubb wrote:
> > On Wednesday, August 22, 2018 5:27:17 PM EDT Paul Moore wrote:
> > > On Tue, Aug 21, 2018 at 3:21 AM Miroslav Lichvar
> >
> > wrote:
On Friday, September 14, 2018 11:16:43 AM EDT Richard Guy Briggs wrote:
> On 2018-09-13 23:18, Paul Moore wrote:
> > On Fri, Aug 24, 2018 at 8:00 AM Ondrej Mosnacek
wrote:
> > > This patch adds two auxiliary record types that will be used to
> > > annotate
> > > the adjtimex SYSCALL records with
On Tuesday, October 2, 2018 7:43:04 AM EDT Maupertuis Philippe wrote:
> According to the Redhat 7 security guide ANOM_ROOT_TRANS is triggered when
> a user becomes root. It seems that using sudo doesn't trigger this event.
> I would like to know how this event is triggered.
Looking at the blame v
Hello,
On Thursday, October 4, 2018 10:14:17 AM EDT Levin Stanislav wrote:
> I try to use auditd as a server to gather logs from remote clients.
>
> 1) My conditions:
>
> rpm -q audit
> audit-2.8.4
>
> uname -r
> 4.9.124
>
> ipv6 is disabled
OK. Out of curiosity, what did you do
Hello,
On Friday, October 5, 2018 9:11:28 AM EDT Osama Elnaggar wrote:
> I'm currently working on a Python audisp plugin. My main routine looks
> like this:
>
> if __name__ == '__main__':
>
> try:
> ...
>
> aup = auparse.AuParser(auparse.AUSOURCE_FEED)
> aup.add_callback(pr
On Thursday, October 18, 2018 3:53:06 PM EDT Richard Guy Briggs wrote:
> On 2018-10-07 18:19, Jesper Dangaard Brouer wrote:
> > On Sat, 6 Oct 2018 00:05:22 +0200
> >
> > Jiri Olsa wrote:
> > > On Fri, Oct 05, 2018 at 11:44:35AM -0700, Alexei Starovoitov wrote:
> > > > On Fri, Oct 05, 2018 at 08:1
5.499:257):
> > > > > proctitle=62617368002D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E7461696E65726964
> > > > > type=CONTAINER msg=audit(1519924845.499:257): op=task
> > > > > contid=123458
> > > > >
> >
On Thu, 25 Oct 2018 08:27:32 -0400
Richard Guy Briggs wrote:
> On 2018-10-25 06:49, Paul Moore wrote:
> > On Thu, Oct 25, 2018 at 2:06 AM Steve Grubb
> > wrote:
> > > On Wed, 24 Oct 2018 20:42:55 -0400
> > > Richard Guy Briggs wrote:
> > >
On Thu, 25 Oct 2018 16:40:19 -0400
Paul Moore wrote:
> On Thu, Oct 25, 2018 at 1:38 PM Richard Guy Briggs
> wrote:
> > On 2018-10-25 17:57, Steve Grubb wrote:
> > > On Thu, 25 Oct 2018 08:27:32 -0400
> > > Richard Guy Briggs wrote:
> > >
> >
On Wed, 14 Nov 2018 19:57:07 -0500
Richard Guy Briggs wrote:
> Hi Steve,
>
> In commit 183775f155cb96d8012c2d493041a03f1b825b2f ("Do capabilities
> check rather than uid") a switch was made from checking "getuid() !=
> 0" to checking CAP_AUDIT_CONTROL and CAP_AUDIT_READ via
> audit_can_control()
On Thu, 15 Nov 2018 08:23:46 -0500
Richard Guy Briggs wrote:
> > I thought that the prime audit connection requires a capability
> > check to ensure a process without proper privilege does not replace
> > the audit daemon...since that's now possible. Are there privilege
> > checks for who can con
On Thursday, November 15, 2018 9:11:36 PM EST Richard Guy Briggs wrote:
> > My understanding was that CAP_AUDIT_READ was required by everything
> > that read, including unicast. That is why it checks that capability
> > CAP_AUDIT_READ. Shouldn't everything reading need that capability?
>
> No. CO
On Saturday, November 17, 2018 5:50:20 PM EST Kay Mccormick wrote:
> I have configured 3 servers to send their audit events to my centralized
> host. I am using port 60 and private network addresses that are supported
> between the hosts. My iptables/nftables rules
> allow all traffic from the spec
On Friday, November 16, 2018 12:10:01 PM EST Richard Guy Briggs wrote:
> Since the vast majority of files (99.993% on a typical system) have no
> fcaps, display "0" instead of the full zero-padded 16 hex digits in the
> two PATH record cap_f* fields to save netlink bandwidth and disk space.
>
> Si
On Tuesday, November 20, 2018 10:48:20 AM EST Richard Guy Briggs wrote:
> On 2018-11-20 09:17, Miklos Szeredi wrote:
> > On Mon, Nov 19, 2018 at 11:59 PM Richard Guy Briggs
wrote:
> > > The simple answer is that the audit PATH record format expects the four
> > > cap_f* fields to be there and a b
On Monday, November 26, 2018 2:09:57 AM EST Avinash Patwari wrote:
> Hi,
>
> I wrote a program to listen to iptables modification through netlink
> sockets, for this I used NETLINK_AUDIT family, when I execute the program
> and modify the iptables rule, program doesn't receive any message from
> k
On Saturday, November 24, 2018 10:37:41 AM EST Ranran wrote:
> Is there a way to encrypt the auditd logs which are saved to disk?
> The system need to save logs from local into disk (not a remote
> connection), but it should be saved encrypted. Is there a way to do it
Typically audit logs are prote
On Tuesday, November 13, 2018 11:30:55 AM EST Paul Moore wrote:
> On Tue, Nov 13, 2018 at 10:25 AM Ondrej Mosnacek
wrote:
> > On Tue, Nov 6, 2018 at 9:19 PM Paul Moore wrote:
> > > On Tue, Nov 6, 2018 at 3:09 AM Ondrej Mosnacek
wrote:
> > > > On Tue, Nov 6, 2018 at 12:30 AM Paul Moore
wrote:
On Monday, December 3, 2018 2:13:43 AM EST Kay Mccormick wrote:
> I am trying to log only to a remote machine so I have set:
>
> write_logs = no
>
> in my auditd.conf. Unfortunately, when I restart auditd it does not appear
> to respect my configuration choice.
According to your output, you are r
On Monday, December 3, 2018 12:26:39 PM EST Vincent Fiset wrote:
> I got a minimal audit.rules file containing:
>
> # cat -n /etc/audit/audit.rules
> 1 -D
> 2
> 3 -b 8192
> 4
> 5 -e 0
Why are you ^^^ disabling the audit system? You may want to try commenting
that out.
On Monday, December 3, 2018 8:06:17 PM EST litaibaich...@gmail.com wrote:
> Hi Guys,
>
> I tried to use code like the following to create a file and I am watching
> /data/Documents:
>
> # auditctl -l
> -w /data/Documents -p rwa
>
> my_open(const char *path, int flags, mode_t mode)
> {
> char *n
On Tuesday, December 4, 2018 9:26:29 AM EST Vincent Fiset wrote:
> here are the flags that I see in proc/config:
>
> $ zgrep -i audi /proc/config.gz
> CONFIG_AUDIT_ARCH=y
> CONFIG_AUDIT=y
> CONFIG_HAVE_ARCH_AUDITSYSCALL=y
> CONFIG_AUDITSYSCALL=y
> CONFIG_AUDIT_WATCH=y
> CONFIG_AUDIT_TREE=y
> CONFI
On Tuesday, December 4, 2018 10:15:47 AM EST Vincent Fiset wrote:
> > strace /sbin/auditctl -a always,exclude -F msgtype=CWD > log 2>&1
>
> Unfortunately I already tried that before, strace was not revealing
> anything obvious (for me at least)
There's info in there.
> sendto(4,
> "\34\3\0\0\
On Saturday, December 22, 2018 6:01:43 PM EST Burn Alting wrote:
> When running ausearch against a single file with the --checkpoint option,
> the file's device number and inode are not recorded in the resultant
> checkpoint file.
>
> That is for the most recent released audit package
>[root@a
Hello,
On Tuesday, January 8, 2019 12:09:57 AM EST Simon Außerlechner wrote:
> Using the Linux kernel audit system I audit program executions with the
> following audit rule.
>
> -w /usr/sbin/my-program -p x -k my-program-audit-class
>
> In order to keep the audit log clean I want to suppress ex
On Mon, 14 Jan 2019 17:58:58 -0500
Paul Moore wrote:
> On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs
> wrote:
> >
> > Tie syscall information to all CONFIG_CHANGE calls since they are
> > all a result of user actions.
Please don't tie syscall information to this. The syscall will be
sendto
On Thu, 17 Jan 2019 08:21:40 -0500
Paul Moore wrote:
> On Thu, Jan 17, 2019 at 4:33 AM Steve Grubb wrote:
> > On Mon, 14 Jan 2019 17:58:58 -0500
> > Paul Moore wrote:
> >
> > > On Mon, Dec 10, 2018 at 5:18 PM Richard Guy Briggs
> > > wrote:
> >
On Sat, 19 Jan 2019 18:40:14 -0500
Nowakowski Media wrote:
> If the audit messages would shift up 1 from the first_event you could
> track the performance of the audit daemon. Having 2 messages typed
> with the same number is confusing.
I am not sure I understand what you asking about. The audit
On Mon, 21 Jan 2019 09:36:43 +0100
Ondrej Mosnacek wrote:
> On Sat, Jan 19, 2019 at 2:23 PM Richard Guy Briggs
> wrote:
> > On 2019-01-18 11:04, Ondrej Mosnacek wrote:
> > > In case a file has an invalid context set, in an AVC record
> > > generated upon access to such file, the target context
On Mon, 21 Jan 2019 15:30:09 +0100
Ondrej Mosnacek wrote:
> On Mon, Jan 21, 2019 at 11:26 AM Steve Grubb
> wrote:
> > On Mon, 21 Jan 2019 09:36:43 +0100
> > Ondrej Mosnacek wrote:
> >
> > > On Sat, Jan 19, 2019 at 2:23 PM Richard Guy Briggs
> > > wr
On Mon, 28 Jan 2019 11:26:51 -0500
Paul Moore wrote:
> On Mon, Jan 28, 2019 at 10:38 AM Sverdlin, Alexander (Nokia - DE/Ulm)
> wrote:
> > Hello Paul,
> >
> > On 28/01/2019 15:52, Paul Moore wrote:
> > > time also enables syscall auditing; this patch simplifies the
> > > Kconfig menus b
On Mon, 28 Jan 2019 15:08:56 -0500
Paul Moore wrote:
> On Mon, Jan 28, 2019 at 3:03 PM Steve Grubb wrote:
> > On Mon, 28 Jan 2019 11:26:51 -0500
> > Paul Moore wrote:
> >
> > > On Mon, Jan 28, 2019 at 10:38 AM Sverdlin, Alexander (Nokia -
> > >
On Fri, 1 Feb 2019 17:03:49 -0600
Wajih Ul Hassan wrote:
> Hi,
> Hi, I have a C application which needs to send a message to audit.log
> from userspace. I have been using `auditctl -m` format to send a
> message to audit.log using `system` command but it seems to degrade
> performance a lot of my
Hello,
I've just released a new version of the audit daemon. It can be
downloaded from http://people.redhat.com/sgrubb/audit. It will also be
in rawhide soon. The ChangeLog is:
- Fix segfault on shutdown
- Fix hang on startup (#1587995)
- Add sleep to script to dump state so file is ready when ne
ak
> Date: 2019-03-05 02:14
> To: linux-audit
> Subject: Re: audit 2.8.5 released
>
>
> On 3/1/19 2:33 PM, Steve Grubb wrote:
> > Hello,
> >
> > I've just released a new version of the audit daemon. It can be
> > downloaded from http://people.red
On Thursday, March 7, 2019 7:32:53 AM EST Ondrej Mosnacek wrote:
> Emit an audit record whenever the system clock is changed (i.e. shifted
> by a non-zero offset) by a syscall from userspace. The syscalls that can
> (at the time of writing) trigger such record are:
> - settimeofday(2), stime(2),
On Thursday, March 7, 2019 7:32:54 AM EST Ondrej Mosnacek wrote:
> Emit an audit record every time selected NTP parameters are modified
> from userspace (via adjtimex(2) or clock_adjtime(2)).
>
> Such events will now generate records of type AUDIT_TIME_ADJNTPVAL
> containing the following fields:
On Wednesday, March 20, 2019 8:50:08 PM EDT Richard Guy Briggs wrote:
> On 2019-03-20 19:48, Paul Moore wrote:
> > On Sat, Mar 16, 2019 at 8:10 AM Richard Guy Briggs
wrote:
> > > In commit fa516b66a1bf ("EVM: Allow runtime modification of the set of
> > > verified xattrs"), the call to audit_log_
On Monday, March 25, 2019 10:38:02 PM EDT zhangqi (DI) wrote:
> I think there is a memory leak bug in userspace audit, correct me if
> I'm wrong.
Thanks for reporting this. Upstream commits 1af601f and a4ed200 fix this.
-Steve
> Audit-2.8.5 has introduced a performance improvement for l
Hello,
On Fri, 5 Apr 2019 16:30:32 +0200
"Ondra N." wrote:
> it seems that the option fails to display the second object for rename
> action.
Which kernel are you using and which audit release are you using?
-Steve
> interactive format correctly show renaming the file
> 5M2w0d4eagxxig9KYM5.fil
On Fri, 5 Apr 2019 16:30:32 +0200
"Ondra N." wrote:
> it seems that the option fails to display the second object for rename
> action.
To catch everyone up, it turns out this is audit-2.8.4 and kernel
3.10.0-957.el7.x86_64.
> interactive format correctly show renaming the file
> 5M2w0d4eagxxig9K
On Fri, 5 Apr 2019 11:35:03 -0700
Lukas Rupprecht wrote:
> Hi All,
>
> I'm, having problems with the example audisp plugin from
> https://github.com/linux-audit/audit-userspace/blob/master/contrib/plugin/audisp-example.c
> as sometimes, events seem to be delayed.
It is always helpful to list w
On Mon, 8 Apr 2019 23:52:29 -0400
Richard Guy Briggs wrote:
> When a process signals the audit daemon (shutdown, rotate, resume,
> reconfig) but syscall auditing is not enabled, we still want to know
> the identity of the process sending the signal to the audit daemon.
Why? If syscall auditing
On Tue, 9 Apr 2019 10:02:59 -0400
Richard Guy Briggs wrote:
> On 2019-04-09 08:01, Steve Grubb wrote:
> > On Mon, 8 Apr 2019 23:52:29 -0400 Richard Guy Briggs
> > wrote:
> > > When a process signals the audit daemon (shutdown, rotate, resume,
> > > reco
On Tue, 9 Apr 2019 11:57:28 -0400
Richard Guy Briggs wrote:
> On 2019-04-09 17:37, Steve Grubb wrote:
> > On Tue, 9 Apr 2019 10:02:59 -0400
> > Richard Guy Briggs wrote:
> >
> > > On 2019-04-09 08:01, Steve Grubb wrote:
> > > > On Mon, 8
On Monday, April 15, 2019 9:02:36 AM EDT Richard Guy Briggs wrote:
> Records that are triggered by an AUDIT_SIGNAL_INFO message including
> AUDIT_DAEMON_CONFIG (HUP), AUDIT_DAEMON_ROTATE (USR1),
> AUDIT_DAEMON_RESUME (USR2) and AUDIT_DAEMON_END (TERM) have inconsistent
> reporting of signal info an
On Monday, April 15, 2019 12:21:49 PM EDT Richard Guy Briggs wrote:
> On 2019-04-15 10:58, Steve Grubb wrote:
> > On Monday, April 15, 2019 9:02:36 AM EDT Richard Guy Briggs wrote:
> > > Records that are triggered by an AUDIT_SIGNAL_INFO message including
> > >
On Tuesday, April 16, 2019 3:57:51 PM EDT Richard Guy Briggs wrote:
> On 2019-04-15 17:10, Steve Grubb wrote:
> > On Monday, April 15, 2019 12:21:49 PM EDT Richard Guy Briggs wrote:
> > > On 2019-04-15 10:58, Steve Grubb wrote:
> > > > On Monday, April 15, 2019 9:0
On Wednesday, April 17, 2019 9:01:56 AM EDT Ray Shaw wrote:
> I've been struggling to set up audisp-remote with krb5 enabled, and also
> struggling to find much information/guidance regarding it.
A knowledge base article has been written to help describe how to do this:
https://access.redhat.com/a
On Friday, May 3, 2019 3:31:39 PM EDT Joshua Ammons wrote:
> Hello, I just wanted to see if anyone has had much success with configuring
> redhat systems to reduce and/or eliminate the occurrence of auid = unset
> in the audit events?
auid = unset is a natural thing. Typically it indicates that a
Hello,
On Monday, May 13, 2019 3:43:54 PM EDT Ondra N. wrote:
> I would like to ask a question about auditing write syscalls. I am trying
> to monitor all filesystem changes in a specific directory and process the
> changes in near real time - audispd, was very helpful with that.
>
> What concer
On Friday, May 10, 2019 12:21:57 PM EDT Richard Guy Briggs wrote:
> Records that are triggered by an AUDIT_SIGNAL_INFO message including
> AUDIT_DAEMON_CONFIG (HUP), AUDIT_DAEMON_ROTATE (USR1),
> AUDIT_DAEMON_RESUME (USR2) and AUDIT_DAEMON_END (TERM) have inconsistent
> reporting of signal info and
On Thursday, May 16, 2019 7:00:38 PM EDT Lenny Bruzenak wrote:
> If I add a new user with the "useradd" utility, it submits a ADD_USER
> event, but the event itself has no interpretation for the new UID.
What exactly was typed in at the command line? This is caused by this line of
code:
https://
Hello,
Are there any objections to dropping support for the Alpha and IA64
processors in the master branch of audit user space? I would like to reduce
the maintenance burden and if no one is using these, I'll delete them on May
24.
Thanks,
-Steve
--
Linux-audit mailing list
Linux-audit@redhat
On Monday, May 20, 2019 11:39:09 AM EDT Lenny Bruzenak wrote:
> On 5/17/19 7:44 AM, Steve Grubb wrote:
> > On Thursday, May 16, 2019 7:00:38 PM EDT Lenny Bruzenak wrote:
> >> If I add a new user with the "useradd" utility, it submits a ADD_USER
> >>
On Monday, May 20, 2019 4:05:55 PM EDT Lenny Bruzenak wrote:
> On 5/20/19 2:59 PM, Steve Grubb wrote:
> > So...I went digging through the source code of useradd.c. In main is this
> >
> > comment:
> > /*
> >
> > * Do the hard
On Tuesday, May 28, 2019 6:26:47 PM EDT Paul Moore wrote:
> On Tue, May 28, 2019 at 5:54 PM Daniel Walsh wrote:
> > On 4/22/19 9:49 AM, Paul Moore wrote:
> > > On Mon, Apr 22, 2019 at 7:38 AM Neil Horman
wrote:
> > >> On Mon, Apr 08, 2019 at 11:39:07PM -0400, Richard Guy Briggs wrote:
> > >>> Im
Hello,
On Wednesday, May 22, 2019 4:08:06 PM EDT Zephyr Pellerin wrote:
> While running `aureport -tm', I received a segmentation fault. I won't be
> able to attach the core dump, but I've tried to include rudimentary information
> about the crash.
Out of curiosity, which version of the audit package
On Wednesday, May 29, 2019 11:57:48 AM EDT Steve Grubb wrote:
> Hello,
>
> On Wednesday, May 22, 2019 4:08:06 PM EDT Zephyr Pellerin wrote:
> > While running `aureport -tm', I received a segmentation fault. I won't be
> > able to attach the core dump, but
Hello,
On Thursday, May 30, 2019 3:37:23 AM EDT Róbert Nagy wrote:
> I tested Audit on a Debian 7 (kernel version 3.2.0-5-amd64), but in the
> audit.log I get no USER_AUTH, USER_ACCT, CRED_ACQ, USER_START and
> USER_LOGIN record types at all, Only USER_LOGIN types.
>
> As I understand these recor
On Wednesday, May 29, 2019 6:26:12 PM EDT Paul Moore wrote:
> On Mon, Apr 22, 2019 at 9:49 AM Paul Moore wrote:
> > On Mon, Apr 22, 2019 at 7:38 AM Neil Horman
wrote:
> > > On Mon, Apr 08, 2019 at 11:39:07PM -0400, Richard Guy Briggs wrote:
> > > > Implement kernel audit container identifier.
>
On Friday, April 26, 2019 12:59:45 PM EDT Richard Guy Briggs wrote:
> Provide a method to filter on network address family.
>
> This adds support for the kernel filter for sockaddr family,
> AUDIT_SADDR_FAM, adding the command line option "saddr_fam" to auditctl.
>
> See: https://github.com/linux
Hello Paul,
I am curious about this. We seemed to be close to getting this patch pulled
in. A lot of people are waiting for it. Can you summarize what you think the
patches need and who we think needs to do it? I'm lost. Does LXC people need
to propose something? Does Richard? Someone else? Who
On Thursday, June 6, 2019 9:31:41 AM EDT Boyce, Kevin P [US] (AS) wrote:
> Dear List,
>
> It would be really great if there were an audit rule hit counter like many
> firewalls have when IP traffic passes through a filter rule.
>
> This would be beneficial for finding rules that might not be work
Hello,
On Friday, May 17, 2019 2:38:25 PM EDT Steve Grubb wrote:
> Are there any objections to dropping support for the Alpha and IA64
> processors in the master branch of audit user space? I would like to reduce
> the maintenance burden and if no one is using these, I'll delete th
On Tuesday, June 11, 2019 8:14:30 AM EDT Boyce, Kevin P [US] (AS) wrote:
> Does anyone have any ideas how to prevent the journal from filling up with
> events that come from audispd?
On RHEL 7, there is no systemd-journald-audit.socket. So, if you are wrapping
events to syslog, then that is how i
On Tuesday, June 11, 2019 2:56:23 AM EDT Tarun Ramesh wrote:
> The callback function on_audit_event() just goes through the records one by
> one and prints the fields and values. I have added a rule to watch for
> file edits in the /home folder. I see the records for file creation in
> this folder
Hello,
This is to let everyone know that another audit-3.0 pre-release was made.
This rolls up a lot more fixes in the master branch since the last pre-release
was announced. Despite the designation of alpha, I feel that this is a
production quality release and can be treated that way. It has b
Hello,
On Wednesday, June 12, 2019 3:05:40 AM EDT Tarun Ramesh wrote:
> Also I noticed that the EOE record is treated as its own event even though
> there were other records with the same audit serial number. I guess this is
> expected as after EOE there will be no more records for this event and
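Two questions in this archive come down to the same plumbing: the September 2018 request to decode hex fields such as proctitle=726D002F7661722F6C6F672F736563757265, and the June 2019 question about EOE showing up as its own event when a callback groups records by serial. The following Python is an added example, not code from the audit project or from anyone on this list. It parses raw audit.log / audispd stream lines, decodes the kernel's hex-encoded untrusted strings, and assembles multi-record events keyed on msg=audit(ts:serial), consuming EOE as the end-of-event marker rather than storing it as a record. The field names, the sample log lines (constructed here, with the two proctitle values quoted on this page reused), and the set of fields treated as hex-encodable are assumptions for the example; the kernel also hex-encodes other string fields when they contain a space, quote or control character.

```python
"""Assemble Linux audit events from raw audit.log / audispd stream lines.

Added example, not audit-project code. Shows two things the list threads
above ask about: decoding hex-encoded fields (proctitle, name, ...) and
grouping records into events by serial, with EOE consumed as the terminator.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Record header: "type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <fields>"
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value pairs; a value is "double" or 'single' quoted, or a bare token
PAIR = re.compile(r'''(\w+)=("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|\S*)''')
HEX = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')
# Assumed set of fields the kernel emits hex-encoded (unquoted) when the
# value contains a space, quote or control character.
HEX_FIELDS = {'proctitle', 'name', 'comm', 'exe', 'cwd', 'cmd', 'key', 'acct', 'dir'}


def decode_hex_field(value: str) -> str:
    """Hex-encoded untrusted string back to text. NULs are kept so the caller
    can split argv (proctitle separates arguments with NUL)."""
    return bytes.fromhex(value).decode('utf-8', errors='replace')


def parse_record(line: str) -> Dict[str, object]:
    """One audit record -> {'type', 'timestamp', 'serial', 'fields'}."""
    m = HEADER.match(line.strip())
    if m is None:
        raise ValueError('not an audit record: %r' % line)
    rtype, timestamp, serial, body = m.groups()
    fields: Dict[str, str] = {}
    for key, value in PAIR.findall(body):
        if len(value) >= 2 and value[0] in ('"', "'") and value[-1] == value[0]:
            value = value[1:-1]                       # quoted: plain text
        elif key in HEX_FIELDS and HEX.match(value):
            value = decode_hex_field(value)           # unquoted hex: decode
        fields[key] = value
    return {'type': rtype, 'timestamp': timestamp, 'serial': int(serial), 'fields': fields}


@dataclass
class Event:
    timestamp: str
    serial: int
    records: List[dict] = field(default_factory=list)

    def records_of(self, rtype: str) -> List[dict]:
        return [r for r in self.records if r['type'] == rtype]

    def proctitle(self) -> Optional[str]:
        """argv of the acting process as one line, or None without PROCTITLE."""
        for r in self.records_of('PROCTITLE'):
            return ' '.join(r['fields']['proctitle'].split('\x00'))
        return None


def assemble(lines: Iterable[str]) -> List[Event]:
    """Group records into events. Records of one event share the serial; EOE
    closes the event and is dropped rather than stored. A serial change with
    no EOE (single-record events, or a stream cut mid-event) also closes the
    open event, and whatever is still open is flushed at end of input."""
    events: List[Event] = []
    current: Optional[Event] = None
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if current is not None and rec['serial'] != current.serial:
            events.append(current)
            current = None
        if rec['type'] == 'EOE':
            if current is not None:
                events.append(current)
                current = None
            continue
        if current is None:
            current = Event(rec['timestamp'], rec['serial'])
        current.records.append(rec)
    if current is not None:
        events.append(current)
    return events


# Constructed sample stream (not real logs). Event 1043 deliberately has no
# EOE so the serial-change path is exercised; uid=0 with auid=1000 is the
# "admin touching a file" shape the first thread on this page monitors.
SAMPLE = """\
type=SYSCALL msg=audit(1536668045.123:1042): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55f0c3a4d2a0 a2=241 a3=1b6 items=2 ppid=4321 pid=4322 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="touch" exe="/usr/bin/touch" key="home-watch"
type=CWD msg=audit(1536668045.123:1042): cwd="/home/alice"
type=PATH msg=audit(1536668045.123:1042): item=0 name="/home/alice" inode=131073 dev=08:02 mode=040700 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1536668045.123:1042): item=1 name=2F686F6D652F616C6963652F6E6F746573207632 inode=131099 dev=08:02 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1536668045.123:1042): proctitle=746F756368002F686F6D652F616C6963652F6E6F746573207632
type=EOE msg=audit(1536668045.123:1042):
type=SYSCALL msg=audit(1536668046.500:1043): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55f0c3a4d3b0 a2=0 a3=0 items=2 ppid=4321 pid=4330 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="delete"
type=PROCTITLE msg=audit(1536668046.500:1043): proctitle=726D002F7661722F6C6F672F736563757265
type=SYSCALL msg=audit(1536668047.001:1044): arch=c000003e syscall=59 success=yes exit=0 a0=55f0c3a4d4c0 a1=55f0c3a4d500 a2=55f0c3a4d600 a3=0 items=2 ppid=4321 pid=4331 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="exec"
type=PROCTITLE msg=audit(1536668047.001:1044): proctitle=62617368002D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E7461696E65726964
type=EOE msg=audit(1536668047.001:1044):
"""

if __name__ == '__main__':
    for ev in assemble(SAMPLE.splitlines()):
        sc = ev.records_of('SYSCALL')
        who = sc[0]['fields'] if sc else {}
        print(ev.serial, 'auid=%s uid=%s' % (who.get('auid'), who.get('uid')), ev.proctitle())
```

In an audispd plugin the same assemble() loop would be fed from stdin a line at a time; the one caveat is that a record whose serial differs from the open event must close that event before being inspected, otherwise a stream that omits EOE for a single-record event leaks that record into its neighbour.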