Kali Linux lab logging that survives reboots: set journald persistence + auditd exec rules, avoid what most people miss, use the 10-minute checklist—start now.

How to configure Auditd on Rocky Linux 9 to audit the system
Auditd is one of those Linux services with which you can have a lovely love-hate relationship in equal parts, but in any case it is always advisable to have it active on your system and, above all, to have a good set of audit rules for your system. I am going to tell you how to install it on Rocky Linux 9 and which rules I am using. You can see other things I have done on the server in…
F27 rpmdb bug, auditd and augenrules
Saw a similar rpmdb lock bug to this: https://bugzilla.redhat.com/show_bug.cgi?id=918184. Have enabled the audit log to watch out for it in the future.

[ush@gargantua ~]$ sudo dnf update
[sudo] password for ush:
warning: rpmdb: BDB2053 Freeing read locks for locker 0xc24: 12836/139735431249280

The auditd logging system is completely independent of syslog and derivatives: http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/

Q: is it now more integrated with journald?

Panu Matilainen suggested (https://bugzilla.redhat.com/show_bug.cgi?id=918184#c1):
# echo "-w /var/lib/rpm/Packages -p war -k rpmdb" >> /etc/audit/audit.rules
# systemctl restart auditd.service

After that, the next time that something has misbehaved and you get those "freeing read locks ...: /" messages, you can look up the processes accessing rpmdb by their pid with

# ausearch -k rpmdb --pid

To identify the troublemaker for sure, the pid in the "freeing read locks" message needs to be matched to those in the audit logs. Taking the original message as an example:

BDB2053 Freeing read locks for locker 0x1bf4: 4981/140246004406208

Here, the pid of the naughty process who left locks behind is 4981. So to search for the process that caused it, you need to do:

# ausearch -k rpmdb --pid 4981
Instead I have appended the new audit rule to /etc/audit/rules.d/audit.rules. A systemctl restart of auditd is no longer possible; use augenrules instead. Do I really need to disable the -a never,task rule, and what is its actual impact on performance?

[ush@gargantua ~]$ sudo auditctl -l
-a never,task
[ush@gargantua ~]$ sudo augenrules --load
No rules
[ush@gargantua ~]$ sudo auditctl -l
-a never,task
-w /var/lib/rpm/Packages -p rwa -k rpmdb
This seems to be the best reference (it is pointed to in the systemd unit):
https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good-Events
https://security.stackexchange.com/questions/4629/simple-example-auditd-configuration

It seems the rules should be broken into 3 types in /etc/audit/rules.d/audit.rules (for clarity): CONTROL, FILE/DIRECTORY, SYSCALL (see man audit.rules). Syscall rules should follow the template:
-a action,list -S syscall -F field=value -k keyname
-a {always,never},{task,exit,user,exclude} -S {name or number} -S {othername or number} -F {auid,uid,euid,suid,fsuid,obj_uid,gid,egid,sgid,fsgid,obj_gid} -k $keyname-defined-by-you
Then
aureport --start this-week --key --summary
This related post is interesting in the context of how augenrules works by merging all the contents of rules.d: https://github.com/OpenSCAP/scap-security-guide/issues/551

This is a good first part of a two-part tutorial: https://www.tecmint.com/linux-system-auditing-with-auditd-tool-on-centos-rhel/
Fixed: Files disappearing on linux server #solution #computers #dev
Files disappearing on linux server
I’ve got 4 specific files that seem to keep disappearing from a user’s home directory. As far as we know, there are no cronjobs or other automated tasks that would be removing them. I’ve set up auditd on them but the logs aren’t really showing anything of interest. I can see our backup utility accessing them every night until the point they aren’t there anymore,…
How to: File audit in Linux: how to watch directory tree for deletions? #fix #development #it
File audit in Linux: how to watch directory tree for deletions?
I have a forum script running on a server and somehow a small number of attachments have begun to get lost. I want to find out what is deleting them and at what time. How can I set up Linux auditd (auditctl) to watch a directory tree (attachments are stored inside a multi-level directory tree) for file deletions there?
Maybe I should…
Who changed the permissions on that file?
Linux 3.8.13
Sometimes you have a situation where someone or something is changing the permissions on a file and you need to know who or what process is doing it. Below is one method which uses the Linux audit mechanism, which has been around since 2.6.
[root@web01 /home/ryan]# /etc/init.d/auditd start
[root@web01 /home/ryan]# auditctl -a exit,always -S fchmodat -S chmod -S fchmod
WARNING - 32/64 bit syscall mismatch, you should specify an arch
[root@web01 /home/ryan]# auditctl -w /home/ryan/timmy3 -p a
[root@web01 /home/ryan]# auditctl -l
-a always,exit -S chmod,fchmod,fchmodat
-w /home/ryan/timmy3 -p a
[root@web01 /home/ryan]# chmod 111 timmy3
[root@web01 /home/ryan]# less /var/log/audit/audit.log
[...]
type=SYSCALL msg=audit(1416721355.647:32740): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=64b0f0 a2=49 a3=7fff4bb52f60 items=1 ppid=15195 pid=2405 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=554114 tty=pts0 comm="chmod" exe="/bin/chmod" key=(null)
type=CWD msg=audit(1416721355.647:32740): cwd="/home/ryan"
type=PATH msg=audit(1416721355.647:32740): item=0 name="timmy3" inode=761912 dev=fb:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
[...]
If you are wanting to watch a file that is hard linked, then it could exist in multiple paths and you'll have to watch activity on the inode. Continuing with the example above, let's hard link it to a file in another directory.
[root@web01 /home/ryan]# df -h /home/ryan
Filesystem      Size  Used Avail Use% Mounted on
/dev/vda3        30G  4.0G   25G  15% /
[root@web01 /home/ryan]# ls -l /dev/vda3
brw-rw---- 1 root disk 251, 3 Sep 24 13:48 /dev/vda3
[root@web01 /home/ryan]# stat /home/ryan/timmy3
  File: `/home/ryan/timmy3'
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: fb03h/64259d    Inode: 761912      Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-11-22 21:49:11.000000000 -0700
Modify: 2014-11-22 21:49:11.000000000 -0700
Change: 2014-11-22 21:49:11.000000000 -0700
[root@web01 /home/ryan]# auditctl -a exit,always -S fchmodat -S chmod -S fchmod -F devmajor=251 -F devminor=3 -F inode=761912
No rules
WARNING - 32/64 bit syscall mismatch, you should specify an arch
Error sending add rule data request (Invalid argument)
and we hit a dead end. You could re-compile audit with the patch at https://www.redhat.com/archives/linux-audit/2013-September/msg00004.html, which would probably work. I didn't try it though.
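Both the rpmdb notes above (match the pid from the "freeing read locks" message against `ausearch -k rpmdb --pid 4981`) and the chmod example (read the SYSCALL/CWD/PATH triple to see who changed the mode) can be answered offline from a saved audit.log. The Python below is an added example, not code from either post: it parses the raw record format, groups records that share one msg=audit(ts:serial) id into an event, emulates the key/pid search, and decodes the requested mode from the syscall argument (for fchmodat on x86_64 the mode is a2, and the logged a2=49 is hex, i.e. 0111, matching the `chmod 111` that was run). The first sample event is the record printed in the post above; the second event (pid 4981, comm "dnf", key "rpmdb") is constructed for this example, and the function names `parse_records`, `search` and `describe_mode_change` are my own.

```python
"""Parse raw audit.log records into events and answer two questions the posts
above leave to ausearch: which process touched a keyed file, and who changed a
file's mode (and from what to what)."""
import re

# The first event is the SYSCALL/CWD/PATH triple printed in the post above.
# The second event is CONSTRUCTED for this example: pid 4981 comes from the
# bugzilla quote, everything else (comm, exe, inode, timestamps) is invented.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1416721355.647:32740): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=64b0f0 a2=49 a3=7fff4bb52f60 items=1 ppid=15195 pid=2405 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=554114 tty=pts0 comm="chmod" exe="/bin/chmod" key=(null)
type=CWD msg=audit(1416721355.647:32740): cwd="/home/ryan"
type=PATH msg=audit(1416721355.647:32740): item=0 name="timmy3" inode=761912 dev=fb:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1500000000.123:900): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1a2b3c4d a1=2 a2=0 a3=0 items=1 ppid=1 pid=4981 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=7 tty=pts1 comm="dnf" exe="/usr/bin/python3" key="rpmdb"
type=CWD msg=audit(1500000000.123:900): cwd="/root"
type=PATH msg=audit(1500000000.123:900): item=0 name="/var/lib/rpm/Packages" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): ?(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# x86_64 (arch=c000003e) mode-changing syscalls and the index of the argument
# that carries the requested mode: chmod(path, mode), fchmod(fd, mode),
# fchmodat(dirfd, path, mode, flags).
MODE_ARG = {"90": ("chmod", 1), "91": ("fchmod", 1), "268": ("fchmodat", 2)}


def parse_records(text):
    """Group records sharing one msg=audit(ts:serial) id into a single event."""
    events = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if fields.get("key") == "(null)":  # rule had no -k, so there is no key
            fields["key"] = None
        ev = events.setdefault(
            (float(ts), int(serial)),
            {"time": float(ts), "serial": int(serial), "syscall": None, "cwd": None, "paths": []},
        )
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
        elif rtype == "PATH":
            ev["paths"].append(fields)
    return [events[k] for k in sorted(events)]


def search(events, key=None, pid=None):
    """Offline equivalent of `ausearch -k KEY --pid PID` over the parsed events."""
    hits = []
    for ev in events:
        sc = ev["syscall"]
        if sc is None:
            continue
        if key is not None and sc.get("key") != key:
            continue
        if pid is not None and sc.get("pid") != str(pid):
            continue
        hits.append(ev)
    return hits


def describe_mode_change(ev):
    """For an x86_64 chmod/fchmod/fchmodat event, return who changed what to which mode.

    Returns None for other syscalls or other arches: 32-bit syscall numbers differ,
    which is why auditctl warns when a rule carries no -F arch=... filter.
    """
    sc = ev["syscall"]
    if sc is None or sc.get("arch") != "c000003e" or sc.get("syscall") not in MODE_ARG:
        return None
    name, idx = MODE_ARG[sc["syscall"]]
    new_mode = int(sc["a%d" % idx], 16) & 0o7777  # syscall arguments are logged in hex
    path = old_mode = None
    if ev["paths"]:
        p = ev["paths"][0]
        # PATH carries the inode as it was looked up, i.e. the mode before the change
        old_mode = int(p["mode"], 8) & 0o7777
        path = p["name"]
        if not path.startswith("/") and ev["cwd"]:
            path = ev["cwd"].rstrip("/") + "/" + path
    return {
        "syscall": name,
        "pid": int(sc["pid"]),
        "auid": int(sc["auid"]),  # login uid, survives su/sudo: this is the "who"
        "comm": sc["comm"],
        "exe": sc["exe"],
        "path": path,
        "old_mode": old_mode,
        "new_mode": new_mode,
    }


if __name__ == "__main__":
    evs = parse_records(SAMPLE_LOG)
    for hit in search(evs, key="rpmdb", pid=4981):
        s = hit["syscall"]
        print("rpmdb accessed by pid %s (%s, %s)" % (s["pid"], s["comm"], s["exe"]))
    chg = describe_mode_change(evs[0])
    print("%s pid %d (auid %d) ran %s on %s: %o -> %o" % (
        chg["comm"], chg["pid"], chg["auid"], chg["syscall"], chg["path"], chg["old_mode"], chg["new_mode"]))
```

Note that the "who" comes from auid, the login uid, which the kernel keeps across su and sudo; the uid/euid fields in the same record would only show root in the post's example. For a production workflow ausearch and aureport remain the tools to use; this parser is for understanding what they do with the three record types.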
If you are running a mission critical web server, or maintaining a storage server loaded with sensitive data, you probably want to closely monitor file access activities within the server. For example, you want to track any unauthorized change in system configuration files such as /etc/passwd.
To monitor who changed or accessed files or directories on Linux, you can use the Linux Audit System which provides system call auditing and monitoring. In the Linux Audit System, a daemon called auditd is responsible for monitoring individual system calls, and logging them for inspection.
In this tutorial, I will describe how to monitor file access on Linux by using auditd.