Skip to main content

Questions tagged [audit]

Observing/logging a resource for purposes of: - Adding it to a blacklist of whitelist - Keeping tabs on the security of a system

Filter by
Sorted by
Tagged with
3 votes
1 answer
181 views

Fedora 40: auditctl doesn't audit creating, editing and deleteing to files as expected

Many thanks the @Romeo Ninov's help! The mistakes I made are should use file /etc/audit/rules.d/audit.rules to add a rule for RedHat 7 & 8 should use service auditd restart to restart auditctl ...
ildvzg68472's user avatar
0 votes
0 answers
38 views

K8s and Linux Audit Logs Missing From Splunk OTEL Collected Logs

I'm migrating from the Splunk Connect for Kubernetes Helm Chart to the SignalFX Splunk Otel Collector Helm Chart. I'm having trouble translating the custom filters that we have in the SCK chart to add ...
Dejon Gill's user avatar
1 vote
0 answers
47 views

Audit trasspasing information

I would like to know if there is a way to audit what files a user is "passing" from the file server to their local environment. I have the event viewer enabled but I can only see which file ...
Jose Antonio Gil Romero's user avatar
0 votes
1 answer
168 views

How to enable service installation event (event id 4697) in windows 7?

In windows 10, after I use the following command to enable Security System Extension: auditpol /set /subcategory:"Security System Extension" /success:enable /failure:disable Whenever a new ...
OneAndOnly's user avatar
1 vote
2 answers
172 views

Splunk Enterprise - Configure to drop specific events

I have a simple Splunk set-up.  about 120 or so Linux servers (that are all basically appliances) w/ universal forwarder installed, and a single Linux server running Splunk Enterprise acting as the ...
Egyas's user avatar
  • 185
0 votes
1 answer
253 views

How do I use Azure Log Analytics to discover what a service account is doing when it signs in?

I have started working as sysadmin at a company that uses Microsoft 365. Before I started a few generically named accounts with the Global Administrator role were being used by multiple people to do ...
dunxd's user avatar
  • 9,724
0 votes
0 answers
73 views

OpenShift action audit log

Good day everyone ! I am looking if there is any way to audit or look at a audit log for any specific actions done by a specific user on a deployment for example. My goal would be to see, who scaled ...
yield's user avatar
  • 810
0 votes
1 answer
502 views

How to create a GPO to audit start/stop of a service not running on the DC?

I'm trying to enable auditing of service start/stop events for a few specific services on a group of domain computers, and to make this change using Group Policy. I've seen this answer, however when I ...
zedworks's user avatar
1 vote
0 answers
268 views

How to set proctitle to ascii in auditd?

I configured auditd to send the logs to SIEM through rsyslog. But when I get those logs the proctitle is in hex. Ex.: <134>Aug 25 17:08:44 vmauditd tag_audit_log: node=vmauditd type=PROCTITLE ...
Sandson Costa's user avatar
0 votes
1 answer
4k views

Linux Auditd: Error receiving audit netlink packet (No buffer space available)

I have some Linux servers that are getting errors like the below in the logs... auditd[1074]: Error receiving audit netlink packet (No buffer space available) I know HOW to resolve the issue (tweak ...
Egyas's user avatar
  • 185
0 votes
1 answer
193 views

Cannot limit file access auditing on Windows Server 2019

I'm trying to implement file access auditing on a Windows Server 2019 machine with mixed success. The server in question is a member server, but not a domain controller. I have enabled success ...
CatchAsCatchCan's user avatar
1 vote
1 answer
123 views

trace kubernetes users activities in pods

I want to track users activities in a k8s cluster. for example I want to get k8s username of a user that executes a command in a pod. there is a tool named Tetragon. it can uses k8s api. following log ...
Michael Cab's user avatar
0 votes
1 answer
149 views

Send kubernetes audit logs to multiple servers

How to send k8s audit logs to multiple servers/endpoints? I tried to pass multiple --audit-webhook-config-file arguments to kube-apiserver add another cluster to the webhook config file but these ...
Petr Javorik's user avatar
1 vote
2 answers
924 views

What can you do when auditd halts the system?

I recently had an issue where my server powered off in the middle of running a script, seemingly randomly, but at about the same point each time, and then whenever I tried to power the server on again ...
Dave's user avatar
  • 111
1 vote
1 answer
157 views

Auditd - Don't log events from salt-minion

I'm updating our Auditd rules (Red Hat Linux) to log all tty/interactive commands from all users. That part works no problem. What I'm trying to do now is to exclude commands issued by our salt-...
Egyas's user avatar
  • 185
0 votes
0 answers
298 views

Windows 2019: Audit policy being overwritten by "something"

I have similar problem as it was described in thread below: Audit policy being overwritten by "something" unfortunately deletion of audit.csv did not help let me summarize problem: we are ...
Jan kratochvíl's user avatar
0 votes
0 answers
130 views

why almalinux is hanging over night with auditlog

hey there is a hosting server overnight my server hanged up and must to restart it in morning to get it back online and saw this error in my console (you can see the picture) please help me https://...
ali rahmani's user avatar
0 votes
0 answers
143 views

Auditing Domain Administrators - Best practice / Advice needed please

Please do advise if I am posting in the wrong place, I have not found this the easiest site to navigate (or maybe it is me...). I have been tasked with auditing and fixing our privileged accounts ...
J Thompson's user avatar
1 vote
0 answers
27 views

HashiCorp Vault User Audit Capability

We're seeking a solution to enable us audit our HashiCorp Vault instance to obtain a namespace breakdown of: For each Vault user, the roles or groups that their entity belongs to. Having reviewed ...
hitman126's user avatar
0 votes
1 answer
2k views

Can I see a printer's log about who connected to a network printer?

There's been a problem at work about a given printer that you have to connect to using a printers' server. I don't control the server itself, but if there's a log that I can require to the server ...
newbie's user avatar
  • 101
0 votes
0 answers
460 views

Windows audit "Removable Storage" not generating an event for file deletion

I have a Windows 10 system on which I have enabled removable storage audits (via GPO: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy ...
tjlds's user avatar
  • 23
0 votes
1 answer
243 views

Losing Audit Logs When Tracing a Container

As you know, Linux Audit is not installed on Ubuntu Focal by default. I installed it, and my goal is to trace what containers do. I have this seccomp profile: { "defaultAction": &...
MoeKav's user avatar
  • 1
1 vote
1 answer
105 views

RHEL 8: Administrator vs. Auditor role

On RHEL 8, are there prepared functions, methods, processes or tools to implement administrator/operator and auditor roles in the following way: An administrator/operator should be able to do almost ...
stackprotector's user avatar
1 vote
0 answers
219 views

auditd killing a server?

In /var/log/kernellog we can see many entries for audit (since we have "space_left_action = SYSLOG" and "write_logs = no"): ... audit: audit_backlog=32769 > audit_backlog_limit=...
jim7475's user avatar
  • 51
2 votes
1 answer
163 views

"aureport -x --summary" shows -> /usr/sbin/sshd;61b30d72 (deleted)

On one of the machines running Centos i.e. cat /etc/redhat-release CentOS Linux release 7.9.2009 (Core) i found something strange by the command aureport -x --summary aureport -x --summary ...
Tito's user avatar
  • 143
1 vote
1 answer
1k views

stop kernel audit messages logged in syslog without disabling auditing

OS: CentOS 7 I am trying to figure out how audit (kaudit) events are logged in /var/log/messages. I have enabled audit=1 in grub which means when the server boots, kernel auditing is enabled. This is ...
giomanda's user avatar
  • 1,894
1 vote
2 answers
357 views

Google Cloud - Hipaa Compliance - PgAudit vs IAM Audit Logs

Our infrastructure is hosted on Google Cloud and uses postgresql instances via Cloud SQL I need to configure logging for HIPAA compliance. I have read 2 articles from Google's documentation: https://...
Shawn Northrop's user avatar
0 votes
1 answer
1k views

Event 4771 (Bad Password Logon) Does not show proper client

We are having issues with frequently locked out accounts. We are having 4771 {Bad Password} events on our main DC. Issue: Within the event, the client machine is not properly shown. Instead another DC ...
Julian Bechtold's user avatar
4 votes
5 answers
6k views

How can root start a process that only root can kill?

It is easy to start a process at background or make it as systemd service. However, if I want to start a process that monitors activities on the Linux machine, it fells to the target of attacks. If ...
George Y's user avatar
  • 568
0 votes
1 answer
77 views

daemonized alternative to tcpdump to save mirrored traffic

I need to save mirrored traffic for audit purposes. Traffic for audited server is send to other server. I need to capture that traffic on dedicated interface, save it to pcap files of reasonable scope ...
George Shuklin's user avatar
0 votes
2 answers
2k views

How log commands executed by user

First at all, I have working some years with snoopy and it's not what I need, also checking history file isn't a solution for me. I have to give ROOT access to a developer to install a program on the ...
Nimafire's user avatar
2 votes
1 answer
4k views

CentOS doesn't boot with "A stop job is running for Security Auditing Service" message

CentOS prints the following during boot [ *** ] A stop job is running for Security Auditing Service (9s / 1min 30s) and then switches into the single user mode.
McLayn's user avatar
  • 193
1 vote
0 answers
267 views

Monitoring IPv6 connection via auditd

some time i was interested in monitoring TCP/UDP connections with detailed information about process that initiated connection I'have found helpful article about that - Finding short-lived TCP ...
Bormental's user avatar
3 votes
0 answers
216 views

Why are docker permission errors not logged by selinux?

If you try to bind mount a directory into a container under Red Hat you might have problems with selinux. The directory will be unreadable from inside the container. Unless you add a z/Z volume option....
x-yuri's user avatar
  • 2,328
3 votes
0 answers
396 views

Configuring Solaris audit to include username into his events

Need to configure audit logging in Solaris but I have a problem. There are two SunOS servers which were configured before. When I started analysing logs I found out that in Solaris 10 I can see the ...
agatt's user avatar
  • 31
1 vote
0 answers
217 views

What makes a selinux-caused EACCESS to not be logged in audit

I've got a system with samba running with standard targetted policy for Fedora. At some point samba is trying to access a directory tagged unconfined_u:object_r:unlabeled_t:s0 and fails. Through ...
viraptor's user avatar
  • 1,176
0 votes
1 answer
29 views

Identifying user activity/processes from log message on remote machine - 10.0.0.2 - user A, using service account B trying to connect to 10.0.0.3

I just inherited an older Linux server. I am getting asked to identify and stop a process initiated by a user. How can I go about identifying what process a user is executing that matches the logs ...
kawi1000's user avatar
1 vote
1 answer
292 views

Detecting Windows Physical Console Logon

I'm trying to find a way to detect a logon where someone is physically at the machine. I know you can do it with Type 2 but the issue is that events get logged when services make a logon request such ...
Jason's user avatar
  • 3,941
0 votes
1 answer
164 views

How long should accounts be deactivated before being deleted?

How long should accounts be deactivated before being deleted? Should accounts be deactivated? For example, our organization uses 1Password Business, which allows for accounts to be deactivated. How ...
dr_pardee's user avatar
0 votes
0 answers
650 views

Windows Server 2019 - Audit which human-user who restart a service

Trying to audit which AD-user who actually restart a service on a particular service. The service (MyService) is using a serviceaccount to run and get access to different resources. I want to audit ...
TheSwede86's user avatar
0 votes
0 answers
1k views

pam_tty_audit collect only TTY events

I'm trying to put together a TTY logging feature under Ubuntu 18.04 server and created /etc/pam.d/tty-audit with the following content: session required pam_tty_audit.so enable=* and added that ...
mc88's user avatar
  • 3
2 votes
1 answer
225 views

Linux audit files(data=)

type=TTY msg=audit(08/12/2020 02:33:30.163:107) : tty pid=2709 uid=e4ws5 auid=root ses=1 major=4 minor=1 comm=sh data="/bin/bash -i",<nl> Can anyone tell me how in this audit.log there ...
Vexer's user avatar
  • 23
0 votes
1 answer
195 views

How to enable file auditing for exchange server V15 folder

So I want to enable auditing on this specific folder V15 located under program files>Microsoft>Exchange server But on the auditing tab I get a Message "you must be an administrator or have ...
David Kent's user avatar
0 votes
0 answers
73 views

Logging SSH commands on Linux - is custom kernel the only way?

I've done some research and it looks like that the way linux keeps history is less about security and audit and more about helping the user. Even after making changes to instantly log the command and ...
Jason's user avatar
  • 3,941
1 vote
1 answer
2k views

RHEL: Splitting auditd logs into multiple files for different rules

We have an audit.rules defined and things in rules.d. Many of these are for RHEL CIS compliance and others are more specific for Docker CIS compliance. One problem we are having is that certain rules ...
JD D's user avatar
  • 151
0 votes
1 answer
3k views

Logging all failed authentication attempts against Active Directory

I need to log all failed authentication attempts against my Active Directory domain. An external app binds to MS AD via LDAPS and uses AD for user authentication requests. When the wrong user or ...
Dave M's user avatar
  • 71
2 votes
1 answer
1k views

Comparing two Linux servers for any differences [closed]

I tried to find a similar post, but couldn't. Apologies if this is a duplicate. We have a number of RHEL6 servers hosting different applications. Over time, these servers have had some tweaks to ...
suchafunkymonkey's user avatar
1 vote
1 answer
975 views

Auditd not sending to remote central server

I'm setting up a central server using rsyslog and auditd on CentOS 8. I was following this guide on how to send remote audit logs to my central server. Note: instead of going to /etc/audisp/, these ...
Gwynn's user avatar
  • 13
1 vote
1 answer
2k views

how to audit a reboot?

Quick and simple question: How to I use auditd to log a system reboot? I tried using the reboot syscall to no avail. I could imagine that the audit daemon is stopped before the actual syscall is made. ...
Arpton's user avatar
  • 11
0 votes
3 answers
5k views

Security Log Event ID 4625 - An account failed to log on every few minutes - random source IP addresses

A fairly new MS Windows Server 2019 VM installation is logging over a hundred Security Log Audit Failures a day with Event ID 4625. RDP for the server is enabled only for a single trusted WAN source ...
cb2791's user avatar
  • 11

1
2 3 4 5
7