Questions tagged [audit]
Observing/logging a resource for purposes of: adding it to a blacklist or whitelist; keeping tabs on the security of a system.
328
questions
3
votes
1
answer
181
views
Fedora 40: auditctl doesn't audit creating, editing and deleting files as expected
Many thanks for @Romeo Ninov's help! The mistakes I made are:
should use file /etc/audit/rules.d/audit.rules to add a rule for RedHat 7 & 8
should use service auditd restart to restart auditctl ...
0
votes
0
answers
38
views
K8s and Linux Audit Logs Missing From Splunk OTEL Collected Logs
I'm migrating from the Splunk Connect for Kubernetes Helm Chart to the SignalFX Splunk Otel Collector Helm Chart. I'm having trouble translating the custom filters that we have in the SCK chart to add ...
1
vote
0
answers
47
views
Audit trasspasing information
I would like to know if there is a way to audit what files a user is "passing" from the file server to their local environment.
I have the event viewer enabled but I can only see which file ...
0
votes
1
answer
168
views
How to enable service installation event (event ID 4697) in Windows 7?
In Windows 10, after I use the following command to enable Security System Extension:
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:disable
Whenever a new ...
1
vote
2
answers
172
views
Splunk Enterprise - Configure to drop specific events
I have a simple Splunk set-up: about 120 or so Linux servers (that are all basically appliances) with the universal forwarder installed, and a single Linux server running Splunk Enterprise acting as the ...
0
votes
1
answer
253
views
How do I use Azure Log Analytics to discover what a service account is doing when it signs in?
I have started working as sysadmin at a company that uses Microsoft 365. Before I started a few generically named accounts with the Global Administrator role were being used by multiple people to do ...
0
votes
0
answers
73
views
OpenShift action audit log
Good day everyone!
I am looking for any way to audit or look at an audit log for any specific actions done by a specific user on a deployment, for example.
My goal would be to see, who scaled ...
0
votes
1
answer
502
views
How to create a GPO to audit start/stop of a service not running on the DC?
I'm trying to enable auditing of service start/stop events for a few specific services on a group of domain computers, and to make this change using Group Policy.
I've seen this answer, however when I ...
1
vote
0
answers
268
views
How to set proctitle to ascii in auditd?
I configured auditd to send the logs to SIEM through rsyslog.
But when I get those logs the proctitle is in hex.
Ex.:
<134>Aug 25 17:08:44 vmauditd tag_audit_log: node=vmauditd type=PROCTITLE ...
0
votes
1
answer
4k
views
Linux Auditd: Error receiving audit netlink packet (No buffer space available)
I have some Linux servers that are getting errors like the below in the logs...
auditd[1074]: Error receiving audit netlink packet (No buffer space available)
I know HOW to resolve the issue (tweak ...
0
votes
1
answer
193
views
Cannot limit file access auditing on Windows Server 2019
I'm trying to implement file access auditing on a Windows Server 2019 machine with mixed success.
The server in question is a member server, but not a domain controller.
I have enabled success ...
1
vote
1
answer
123
views
trace kubernetes users activities in pods
I want to track user activities in a k8s cluster. For example, I want to get the k8s username of a user that executes a command in a pod. There is a tool named Tetragon. It can use the k8s API.
following log ...
0
votes
1
answer
149
views
Send kubernetes audit logs to multiple servers
How to send k8s audit logs to multiple servers/endpoints?
I tried to
pass multiple --audit-webhook-config-file arguments to kube-apiserver
add another cluster to the webhook config file
but these ...
1
vote
2
answers
924
views
What can you do when auditd halts the system?
I recently had an issue where my server powered off in the middle of running a script, seemingly randomly, but at about the same point each time, and then whenever I tried to power the server on again ...
1
vote
1
answer
157
views
Auditd - Don't log events from salt-minion
I'm updating our Auditd rules (Red Hat Linux) to log all tty/interactive commands from all users. That part works no problem.
What I'm trying to do now is to exclude commands issued by our salt-...
0
votes
0
answers
298
views
Windows 2019: Audit policy being overwritten by "something"
I have similar problem as it was described in thread below:
Audit policy being overwritten by "something"
unfortunately deletion of audit.csv did not help
let me summarize problem:
we are ...
0
votes
0
answers
130
views
Why AlmaLinux is hanging overnight with audit log
Hey, there is a hosting server.
Overnight my server hung up and I had to restart it in the morning to get it back online, and I saw this error in my console (you can see the picture).
Please help me.
https://...
0
votes
0
answers
143
views
Auditing Domain Administrators - Best practice / Advice needed please
Please do advise if I am posting in the wrong place, I have not found this the easiest site to navigate (or maybe it is me...).
I have been tasked with auditing and fixing our privileged accounts ...
1
vote
0
answers
27
views
HashiCorp Vault User Audit Capability
We're seeking a solution to enable us to audit our HashiCorp Vault instance to obtain a namespace breakdown of:
For each Vault user, the roles or groups that their entity belongs to.
Having reviewed ...
0
votes
1
answer
2k
views
Can I see a printer's log about who connected to a network printer?
There's been a problem at work about a given printer that you have to connect to using a printers' server.
I don't control the server itself, but if there's a log that I can require to the server ...
0
votes
0
answers
460
views
Windows audit "Removable Storage" not generating an event for file deletion
I have a Windows 10 system on which I have enabled removable storage audits (via GPO: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy ...
0
votes
1
answer
243
views
Losing Audit Logs When Tracing a Container
As you know, Linux Audit is not installed on Ubuntu Focal by default. I installed it, and my goal is to trace what containers do. I have this seccomp profile:
{
"defaultAction": &...
1
vote
1
answer
105
views
RHEL 8: Administrator vs. Auditor role
On RHEL 8, are there prepared functions, methods, processes or tools to implement administrator/operator and auditor roles in the following way:
An administrator/operator should be able to do almost ...
1
vote
0
answers
219
views
auditd killing a server?
In /var/log/kernellog we can see many entries for audit (since we have "space_left_action = SYSLOG" and "write_logs = no"):
...
audit: audit_backlog=32769 > audit_backlog_limit=...
2
votes
1
answer
163
views
"aureport -x --summary" shows -> /usr/sbin/sshd;61b30d72 (deleted)
On one of the machines running CentOS, i.e.
cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
I found something strange by the command aureport -x --summary
aureport -x --summary
...
1
vote
1
answer
1k
views
stop kernel audit messages logged in syslog without disabling auditing
OS: CentOS 7
I am trying to figure out how audit (kaudit) events are logged in /var/log/messages.
I have enabled audit=1 in grub which means when the server boots, kernel auditing is enabled. This is ...
1
vote
2
answers
357
views
Google Cloud - HIPAA Compliance - PgAudit vs IAM Audit Logs
Our infrastructure is hosted on Google Cloud and uses PostgreSQL instances via Cloud SQL.
I need to configure logging for HIPAA compliance.
I have read 2 articles from Google's documentation:
https://...
0
votes
1
answer
1k
views
Event 4771 (Bad Password Logon) Does not show proper client
We are having issues with frequently locked out accounts.
We are having 4771 {Bad Password} events on our main DC.
Issue: Within the event, the client machine is not properly shown. Instead another DC ...
4
votes
5
answers
6k
views
How can root start a process that only root can kill?
It is easy to start a process in the background or make it a systemd service.
However, if I want to start a process that monitors activities on the Linux machine, it becomes the target of attacks. If ...
0
votes
1
answer
77
views
daemonized alternative to tcpdump to save mirrored traffic
I need to save mirrored traffic for audit purposes. Traffic for the audited server is sent to another server. I need to capture that traffic on a dedicated interface, save it to pcap files of reasonable scope ...
0
votes
2
answers
2k
views
How to log commands executed by user
First of all, I have been working for some years with snoopy and it's not what I need; also, checking the history file isn't a solution for me.
I have to give ROOT access to a developer to install a program on the ...
2
votes
1
answer
4k
views
CentOS doesn't boot with "A stop job is running for Security Auditing Service" message
CentOS prints the following during boot
[ *** ] A stop job is running for Security Auditing Service (9s / 1min 30s)
and then switches into the single user mode.
1
vote
0
answers
267
views
Monitoring IPv6 connection via auditd
Some time ago I was interested in monitoring TCP/UDP connections with detailed information about the process that initiated the connection.
I've found a helpful article about that - Finding short-lived TCP ...
3
votes
0
answers
216
views
Why are docker permission errors not logged by selinux?
If you try to bind mount a directory into a container under Red Hat you might have problems with selinux. The directory will be unreadable from inside the container. Unless you add a z/Z volume option....
3
votes
0
answers
396
views
Configuring Solaris audit to include the username in its events
Need to configure audit logging in Solaris but I have a problem. There are two SunOS servers which were configured before. When I started analysing logs I found out that in Solaris 10 I can see the ...
1
vote
0
answers
217
views
What makes a selinux-caused EACCESS to not be logged in audit
I've got a system with Samba running with the standard targeted policy for Fedora.
At some point samba is trying to access a directory tagged unconfined_u:object_r:unlabeled_t:s0 and fails. Through ...
0
votes
1
answer
29
views
Identifying user activity/processes from log message on remote machine - 10.0.0.2 - user A, using service account B trying to connect to 10.0.0.3
I just inherited an older Linux server. I am getting asked to identify and stop a process initiated by a user. How can I go about identifying what process a user is executing that matches the logs ...
1
vote
1
answer
292
views
Detecting Windows Physical Console Logon
I'm trying to find a way to detect a logon where someone is physically at the machine. I know you can do it with Type 2 but the issue is that events get logged when services make a logon request such ...
0
votes
1
answer
164
views
How long should accounts be deactivated before being deleted?
How long should accounts be deactivated before being deleted? Should accounts be deactivated?
For example, our organization uses 1Password Business, which allows for accounts to be deactivated. How ...
0
votes
0
answers
650
views
Windows Server 2019 - Audit which human user restarts a service
Trying to audit which AD user actually restarts a service on a particular service.
The service (MyService) is using a service account to run and get access to different resources.
I want to audit ...
0
votes
0
answers
1k
views
pam_tty_audit collect only TTY events
I'm trying to put together a TTY logging feature under Ubuntu 18.04 server and created /etc/pam.d/tty-audit with the following content:
session required pam_tty_audit.so enable=*
and added that ...
2
votes
1
answer
225
views
Linux audit files(data=)
type=TTY msg=audit(08/12/2020 02:33:30.163:107) : tty pid=2709 uid=e4ws5 auid=root ses=1 major=4 minor=1 comm=sh data="/bin/bash -i",<nl>
Can anyone tell me how in this audit.log there ...
0
votes
1
answer
195
views
How to enable file auditing for exchange server V15 folder
So I want to enable auditing on this specific folder V15 located under program files>Microsoft>Exchange server
But on the auditing tab I get a Message "you must be an administrator or have ...
0
votes
0
answers
73
views
Logging SSH commands on Linux - is custom kernel the only way?
I've done some research and it looks like the way Linux keeps history is less about security and audit and more about helping the user.
Even after making changes to instantly log the command and ...
1
vote
1
answer
2k
views
RHEL: Splitting auditd logs into multiple files for different rules
We have an audit.rules defined and things in rules.d. Many of these are for RHEL CIS compliance and others are more specific for Docker CIS compliance.
One problem we are having is that certain rules ...
0
votes
1
answer
3k
views
Logging all failed authentication attempts against Active Directory
I need to log all failed authentication attempts against my Active Directory domain. An external app binds to MS AD via LDAPS and uses AD for user authentication requests.
When the wrong user or ...
2
votes
1
answer
1k
views
Comparing two Linux servers for any differences [closed]
I tried to find a similar post, but couldn't. Apologies if this is a duplicate.
We have a number of RHEL6 servers hosting different applications. Over time, these servers have had some tweaks to ...
1
vote
1
answer
975
views
Auditd not sending to remote central server
I'm setting up a central server using rsyslog and auditd on CentOS 8. I was following this guide on how to send remote audit logs to my central server.
Note: instead of going to /etc/audisp/, these
...
1
vote
1
answer
2k
views
how to audit a reboot?
Quick and simple question: How do I use auditd to log a system reboot?
I tried using the reboot syscall to no avail. I could imagine that the audit daemon is stopped before the actual syscall is made.
...
0
votes
3
answers
5k
views
Security Log Event ID 4625 - An account failed to log on every few minutes - random source IP addresses
A fairly new MS Windows Server 2019 VM installation is logging over a hundred Security Log Audit Failures a day with Event ID 4625.
RDP for the server is enabled only for a single trusted WAN source ...