Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

0 votes
0 answers
27 views
The audisp-syslog process started by auditd when configured to send events to syslog does not log events. When it is killed and restarted, it works
The auditd system on an Oracle 8.10 linux system is configured to start the audisp-syslog plugin to send audit events to syslog (rsyslog in this case) for onward processing. The following is the syslog.conf file in /etc/audit/plugins.d/

```none
active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_LOCAL6 LOG_INFO
format = string
```

The process is started but no audit events are logged to syslog. If I kill the audisp-syslog process that is started by the auditd subsystem on startup and restart it as follows:

```none
kill -9 /sbin/audisp-syslog LOG_LOCAL6 LOG_INFO
```

It now works fine. I found this bug on bugzilla for redhat https://bugzilla.redhat.com/show_bug.cgi?id=1794666 but it is closed. I tried the fix mentioned by the original poster, to create the syslog.conf file, but that did not work. Has anyone else come across this?
JohnM (1 rep)
Jul 23, 2025, 05:34 PM • Last activity: Jul 23, 2025, 05:35 PM
1 votes
2 answers
1303 views
No system call when malloc after free
While I was playing a little with kernel audit system, I made a small C program:
```c
/* the header names were stripped in extraction; stdlib.h declares malloc/free */
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char** argv){
        void *t;
        while(1){
                t = malloc(1);
                free(t);
        }
        return 0;
}
```
And applied the following filters to audit:
```none
-a always,exit -F arch=b32 -S open,openat -F exit=-EACCES -F key=access
-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -F key=access
-a always,exit -F arch=b32 -S brk
-a always,exit -F arch=b64 -S brk
```

After compiling and running, I noticed that sys_brk wasn't showing up in the audit log. Furthermore it also didn't appear in strace, even though malloc was called (checked with ltrace). Lastly I removed the free and the calls to sys_brk started showing up. What is causing this type of behaviour? Does glibc make some kind of optimization in malloc and free functions to prevent useless syscalls? TL;DR: free followed by malloc makes neither call the kernel. Why?
Jorge Heleno (173 rep)
Mar 8, 2019, 12:56 AM • Last activity: Jul 10, 2025, 09:08 AM
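The effect asked about above can be measured without strace or the brk audit rule. The program below is an added example, not code from the original post: it reads the program break with sbrk(0) before and after the same malloc(1)/free loop, and again after a loop that never frees. It assumes Linux with glibc, whose malloc hands a just-freed small chunk straight back out of its per-thread cache (tcache) or fastbins, so the loop with free never needs more heap and never reaches the kernel; without the free the top chunk is exhausted and glibc has to grow the heap with brk.

```c
/* Added example (not from the original post). Assumes Linux + glibc malloc,
 * whose main arena grows with brk(); the program break is read with sbrk(0). */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* volatile sink so the compiler cannot elide an unused malloc/free pair */
static void *volatile sink;

/* Bytes the program break moved across n malloc(1)/free pairs. Expected: 0,
 * because the freed chunk is recycled from tcache/fastbins without a syscall. */
long brk_delta_with_free(long n)
{
    void *warm = malloc(1);        /* the very first malloc sets up the heap via brk */
    if (!warm) return -1;
    sink = warm;
    free(warm);

    char *before = sbrk(0);
    for (long i = 0; i < n; i++) {
        void *t = malloc(1);
        if (!t) return -1;
        sink = t;
        free(t);                   /* goes to tcache, reused by the next malloc */
    }
    char *after = sbrk(0);
    return (long)(after - before);
}

/* Bytes the program break moved across n malloc(1) calls with no free.
 * Expected: > 0 once the requests exceed the ~128 KiB heap glibc reserved up
 * front; each growth is a brk() that an audit rule on brk would record. */
long brk_delta_without_free(long n)
{
    /* the pointer table is large enough to be mmap'd, so it does not touch brk */
    void **keep = calloc((size_t)n, sizeof *keep);
    if (!keep) return -1;

    char *before = sbrk(0);
    for (long i = 0; i < n; i++) {
        keep[i] = malloc(1);
        if (!keep[i]) return -1;
    }
    char *after = sbrk(0);

    for (long i = 0; i < n; i++) free(keep[i]);
    free(keep);
    return (long)(after - before);
}

int main(void)
{
    printf("break moved by %ld bytes with free\n", brk_delta_with_free(100000));
    printf("break moved by %ld bytes without free\n", brk_delta_without_free(200000));
    return 0;
}
```

Run it under strace -e brk to see the same thing from the kernel side: the first function produces no brk calls after the initial heap setup, the second produces one per heap extension. The same reasoning applies to any allocator with a free-list cache, which is why a brk or mmap audit rule is a poor proxy for "the program called malloc".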
1 votes
0 answers
2273 views
auditctl doesn't log anything
I am trying to find app/activity on a server for failed connection to external mysql host. For that I decided to use auditctl. I'm running the following command:

```none
[nir]$ sudo auditctl -A exit,always -F arch=b64 -S connect
[nir]$ sudo auditctl -l | grep -i 'arch'
-a always,exit -F arch=b64 -S connect
[nir]$ sudo ls -l -h /var/log/audit/audit.log
-rw------- 1 root root 6.2M May 1 2020 /var/log/audit/audit.log
[nir]$ sudo auditctl -m 'hey, are you working at all?'
[nir]$ sudo ls -l -h /var/log/audit/audit.log
-rw------- 1 root root 6.2M May 1 2020 /var/log/audit/audit.log
[nir]$ service auditd status
Redirecting to /bin/systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-12-15 20:24:05 UTC; 1 years 2 months ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
 Main PID: 1898 (auditd)
    Tasks: 2
   Memory: 140.0K
   CGroup: /system.slice/auditd.service
           └─1898 /sbin/auditd

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
```

But the log file /var/log/audit/audit.log does not get updated at all. I'm using an aws ec2 server. Any suggestions?
Nir (1405 rep)
Feb 18, 2021, 09:02 AM • Last activity: Jul 9, 2025, 09:48 AM
0 votes
0 answers
35 views
audit rule syntax exclude dir wildcard
For RHEL-8.10 in /etc/auditd/rules.d/audit.rules I would like to exclude /home/*/.cache/mozilla. The system has 100+ users in /etc/passwd so I do not want to do 100+ audit rule lines with a

```none
-a exit,never -F dir=/home/<user>/.cache/mozilla/
```

Is there a way to do a wildcard such as `*` for `<user>` or some way to exclude such a directory? The rule I have, which is

```none
-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete
```

is flooding in a certain scenario and the unique thing I would like to key off of to stop the flood is to exclude the .cache/mozilla/ folder in any user's home folder.
ron (8647 rep)
Jun 25, 2025, 05:30 PM
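auditctl takes a literal path in -F dir= and does not expand wildcards, so the practical alternative to hand-writing 100+ lines is to generate them. The script below is an added example, not from the original post or from an answer to it: it emits one never rule per local account from passwd-format data. The uid >= 1000 cut-off, the syscall list (copied from the delete rule above) and the sample accounts are assumptions. The generated lines must be loaded before the always,exit delete rule, for instance from a rules.d file whose name sorts earlier, because the kernel walks the exit filter in order and stops at the first rule that matches; a never rule that comes after the always rule never gets a chance to suppress anything.

```sh
#!/bin/sh
# Added example (not from the original post): generate per-user "never" rules
# because -F dir= accepts no wildcard. Output goes in a rules.d file that sorts
# BEFORE the file holding the always,exit delete rule (first match wins).
# Assumptions: passwd-format input, uid >= 1000 are the interactive users,
# and only homes under /home/ are of interest.

# Print "-a never,exit" rules (b32 and b64) for every qualifying account.
gen_mozilla_cache_excludes() {
    passwd_file="$1"
    awk -F: '$3 >= 1000 && $3 != 65534 && $6 ~ /^\/home\// {
        for (arch = 32; arch <= 64; arch += 32)
            printf "-a never,exit -F arch=b%d -S rename,unlink,rmdir,renameat,unlinkat -F dir=%s/.cache/mozilla\n", arch, $6
    }' "$passwd_file"
}

# Constructed sample passwd data for the demonstration, not a real system file.
make_sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc:x:1002:1002:Service:/var/lib/svc:/sbin/nologin
EOF
    printf '%s\n' "$f"
}

# On a real host: gen_mozilla_cache_excludes /etc/passwd > /etc/audit/rules.d/10-mozilla-cache.rules
SAMPLE=$(make_sample_passwd)
gen_mozilla_cache_excludes "$SAMPLE"
rm -f "$SAMPLE"
```

Two caveats a practitioner would want: regenerate the file (and run augenrules --load) whenever accounts are added, and confirm with auditctl -l that the never rules are listed ahead of the -k delete rule after loading.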
0 votes
1 answers
8763 views
auditctl -l shows only few rules
I am using /etc/audit/rules.d/*.rules files to generate the /etc/audit/audit.rules which has 120 lines. But if I run auditctl -l I get only 14 lines as a result though. Why is this happening?
theruck (9 rep)
Sep 20, 2017, 09:18 AM • Last activity: Apr 18, 2025, 04:02 AM
0 votes
0 answers
59 views
SELinux Blocking Actions in AuditD Plugin – How to Resolve Without Switching to Permissive Mode?
**Problem:** I'm facing an issue where SELinux is blocking certain actions of my application, which runs as a plugin for auditd. I've been trying to generate the necessary SELinux policy using audit2allow, but some actions still aren't resolved. Even after enabling ghost denial logs, the problem persists. I want to run my application without setting SELinux or auditd to permissive mode, as I need to maintain security features.

**Steps taken so far:**

1. Generated custom SELinux policies using audit2allow based on the logs.
2. Enabled ghost denials to capture more detailed logs.
3. Tried running the application while SELinux is in enforcing mode, but some actions are still blocked.

**What I'm looking for:** Are there any alternative approaches or best practices to allow my application to run smoothly without disabling SELinux or switching to permissive mode? Any insights or suggestions would be greatly appreciated!
RSVN (1 rep)
Apr 8, 2025, 06:05 AM • Last activity: Apr 8, 2025, 06:06 AM
2 votes
1 answers
208 views
How to know what sends a broadcast packet on port 8765
While looking at the traffic on Wireshark, I noticed my computer was sending a UDP packet every three seconds on the broadcast address to the port 8765, with the content "*" (42 in ASCII). It doesn't seem to be a response to anything. The source port changes every packet. I tried to nail down what was emitting this packet to no avail. I tried:

* Stopping all of the non-vital services I could think of.
* Adding an iptables rule to drop the packets (this stops the packets, but doesn't help me know what emits them).
* Adding an iptables rule to stop forwarding to see if somehow it was forwarded by my computer, but no.
* Using auditd with various parameters, but nothing matched and I couldn't even find a write(*,*,1)/send(*,*,1)/sendto(*,*,1,*,*)/sendmsg/sendmmsg with the right frequency. I am however not familiar with auditd.
  * `auditctl -a exit,always -F arch=b64 -S socket -F a0=2 -F a1=2` to search for creation of IPv4 UDP sockets.
  * `auditctl -a exit,always -F arch=b64 -S connect` just to look for any connections.
  * `auditctl -a exit,always -F arch=b64 -S write -S send -S sendto -F a2=1` to match send and write syscalls with length of 1.
  * `auditctl -a exit,always -F arch=b64 -S sendmsg -S sendmmsg`
  * All of the above with -F arch=b32 instead.
* Using netstat/ss, but the socket is probably very short lived so it doesn't show anything.

What are other ways to pin down what transmits this packet? What if it comes from the kernel or a kernel module? How could I know?
Hugal31 (225 rep)
Nov 13, 2024, 01:05 PM • Last activity: Nov 13, 2024, 03:23 PM
3 votes
1 answers
616 views
Selinux seems to be blocking but no denied message appearing in audit log
I have a script executed by a Java app with testmod_t context. This script does

```none
chage -M -1 user
```

to set a user to no expiry. However, when SELinux is enforcing, the command does not seem to do anything and the following appears in the audit log.

```none
type=USER_MGMT msg=audit(1719390859.006:1359): pid=4342 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:testmod_t:s0 msg='op=change-age acct="" exe="/usr/bin/chage" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"
```

When SELinux is permissive, the chage command does work correctly and the following appears in the audit log:

```none
type=USER_MGMT msg=audit(1719219933.759:2056): pid=8851 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:testmod_t:s0 msg='op=change-max-age id=1018 exe="/usr/bin/chage" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" ID="user"
```

There is no "denied" message in the audit log. When I tried

```shell
cat /var/log/audit/audit.log | audit2allow -M testmod
```

it also prints "nothing to do". Is there anything else I could do to find out why SELinux is affecting my script?
neffect (31 rep)
Jun 26, 2024, 08:51 AM • Last activity: Oct 22, 2024, 01:58 PM
0 votes
0 answers
263 views
How can I get `auditctl` to provide error information?
**EDIT** This may be the result of an [issue with the Arch package](https://gitlab.archlinux.org/archlinux/packaging/packages/audit/-/issues/2).

---

I am learning to use the linux audit system. Right now I have several rulesets in the /etc/audit/rules.d directory. When I run

```none
augenrules
auditctl -R /etc/audit/audit.rules
```

I get the message:

```none
There was an error in line 5 of /etc/audit/audit.rules
```

However I do not know how to determine what that error is. Is it even possible for auditctl to report why it thinks there is an error?
Ben Little (21 rep)
Sep 11, 2024, 09:20 PM • Last activity: Sep 11, 2024, 10:18 PM
0 votes
0 answers
25 views
What does it mean to omit the `-F arch` option in audit.rules?
The man page is not clear:

> For best performance, you should supply an arch field in the rule. The individual permissions will cause the selection of specific system calls that use that kind of access. Not supplying the arch will cause the selection of all system calls which will affect performance as all system calls will be evaluated.

However I **want** to capture both 32-bit and 64-bit system calls. I would rather not write two identical rules with -F arch=b32 and -F arch=b64 as this leads to twice as many opportunities to forget an audit rule. A link to the source code where this option is evaluated would be ideal, but of course all answers are helpful.
Ben Little (21 rep)
Aug 27, 2024, 04:54 PM
0 votes
0 answers
313 views
AuditD understanding exit,always,exclude,never
I see these 4, exit, always, exclude, and never, commonly used in many different combinations like below:

```none
-a exit,always
-a exit,never
-a exclude,always
-a exclude,never
```

I'm trying to understand what each one means and how the positioning of them works. I've read the manual but still am at odds on the technical side. Does the placement of the words matter at all?
Jason (1754 rep)
Aug 19, 2024, 04:23 PM
0 votes
0 answers
144 views
Monitoring start and stop processes
I'm trying to monitor the start and stop of processes on a server with auditd, using the following rule

```none
-w /usr/bin/ -p x -k T1569.002
```

However, when raising an event to generate the log and searching it with ausearch, the only log it finds is the addition of the rule.
David Pérez (1 rep)
Jul 19, 2024, 09:16 PM • Last activity: Jul 23, 2024, 12:54 PM
1 votes
1 answers
231 views
Why does augenrules refuse to run even when sudo is used?
I have Amazon Linux 2023 running in a Docker container and I would like to be able to load some custom audit rules into the kernel and ensure they are persisted when the container restarts. I have added the rules to /etc/audit/rules.d/audit.rules and can see them when I cat that file and I'm trying to use augenrules --load to load the rules. However, when I run this command the output I get is

```none
/usr/sbin/augenrules: No change
You must be root to run this program.
```

I receive this same response even when running the command with sudo (sudo augenrules --load). I am already logged in as root (whoami returns root). I wondered whether it could be because the auditd service is not started (in which case the output from augenrules is misleading) but I am unable to check the status of this service as service auditd status (and any other service command like service auditd start) gives me

```none
Redirecting to /bin/systemctl status auditd.service
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
```

ps -p1 indicates that PID 1 is bash

```none
  PID TTY          TIME CMD
    1 pts/0    00:00:00 bash
```

I assume this is because I'm running in a container but don't know if this is why augenrules refuses to run when I am the root user even when using sudo. What is causing this behaviour?
word4q (13 rep)
Jun 18, 2024, 12:22 PM • Last activity: Jun 18, 2024, 10:40 PM
0 votes
1 answers
222 views
Audit service does not audit commands
OS sles 15, audit service enabled. When I issue any command (for example, date or ls), I expect it to be logged in audit.log, something like this:

```none
type=SYSCALL msg=audit...
type=EXECVE msg=audit(1718094805.867:24632): argc=1 a0="date"
```

... but these entries are not in audit.log. There are other entries there, for example about the start/finish of sessions, but there are no commands called.
ibse (371 rep)
Jun 11, 2024, 08:53 AM • Last activity: Jun 11, 2024, 01:01 PM
4 votes
1 answers
467 views
SELinux does not log denial
SELinux does not allow auditd to start the process (named myplagin) and does not log the reason in /var/log/audit/audit.log. The only mention of the denial I found is in /var/log/messages:

```none
Centos8 auditd[3119]: Unable to stat /home/cust/myplagin (Permission denied)
```

but I would like to see an audit.log-style denial (type=AVC msg=audit(1705309402.866:1150): avc: denied) to understand what new rules need to be added to the policy. If you switch SELinux to Permissive mode, myplagin starts without problems.
ibse (371 rep)
Feb 7, 2024, 12:13 PM • Last activity: Feb 8, 2024, 01:48 PM
0 votes
1 answers
455 views
Audit log configuration solution
I have a RHEL server in which I have configured an audit rule to log a specific event. I wanted to forward those logs to a remote syslog server. I couldn't find a way to forward those specific logs so I configured forwarding for all audit logs to the remote server, due to which /var/log in the remote syslog server is getting full frequently. I have 2 ways to fix this problem but I cannot find a technical solution for either.

1. Log the events of that specific rule to a separate log file or, if possible, directly to the remote syslog server
2. Forward the audit logs generated by that specific rule only to the remote syslog server

Any other solution is much appreciated.
Prateek Bansal (19 rep)
Dec 22, 2023, 06:10 AM • Last activity: Dec 22, 2023, 07:10 AM
0 votes
0 answers
189 views
Find most common offender in audit.log
I have a situation where a clean install of RHEL 8.8 and having auditd running with a given /etc/audit/rules.d/audit.rules file produces a /var/log/audit/audit.log that is greater than 4GB. This is with me having the only user account on the system, me being the only person logged in, and doing a cp -rp /data/* /backup/. FWIW I am logged in on the backup server (server-B) with /data NFS mounted (from server-A) on it when I am doing the cp -rp. The /data folder has greater than 50TB of data. The file system is XFS_4.0 from RHEL 7.9 on /data and XFS_5.0 from RHEL 8.8 on /backup; both server A & B are running RHEL 8.8.

Is there a linux [audit] tool that can parse out the most common entries in audit.log? And, based on the description above, if a reason and solution could be provided that would be cool too.

```none
# /etc/audit/rules.d/audit.rules
## First rule - delete all
-D
-e 2
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determine how long to wait in burst of events
--backlog_wait_time 60000
--loginuid-immutable
## Set failure mode to syslog
-f 1
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check
-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng
-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng
-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete
-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd
-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng
-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd
-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules
-w /var/log/lastlog -p wa -k logins
-w /var/log/faillock -p wa -k logins
```
ron (8647 rep)
Nov 7, 2023, 08:00 PM
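The stock tool for the ranking asked about above is aureport (aureport -k --summary ranks events by rule key). The functions below are an added example, not from the original post: they do the same directly on raw audit.log lines, and additionally rank by syscall number, which matters when one key such as perm_mod covers several syscalls. The log lines they run on here are constructed for the example, not taken from the poster's system; on a real host point them at /var/log/audit/audit.log and map the numbers back to names with ausyscall (for instance ausyscall x86_64 91).

```sh
#!/bin/sh
# Added example (not from the original post): find which rule key and which
# syscall dominate an audit.log. Assumes raw audit.log records, i.e. SYSCALL
# lines carrying "syscall=<number>" and "key=\"...\"" as the kernel writes them.

# Records per rule key, most frequent first ("<count> key=\"...\"" per line).
top_keys() {
    grep -o 'key="[^"]*"' "$1" | sort | uniq -c | sort -rn
}

# SYSCALL records per syscall number, most frequent first.
# The number is arch-specific; resolve it with: ausyscall x86_64 <number>
top_syscalls() {
    grep '^type=SYSCALL' "$1" | grep -o 'syscall=[^ ]*' | sort | uniq -c | sort -rn
}

# Constructed sample log (x86_64 numbers: 59 execve, 91 fchmod, 93 fchown, 263 unlinkat).
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=SYSCALL msg=audit(1699000000.001:100): arch=c000003e syscall=91 success=yes exit=0 a0=3 a1=81a4 a2=0 a3=0 items=1 ppid=100 pid=101 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cp" exe="/usr/bin/cp" key="perm_mod"
type=SYSCALL msg=audit(1699000000.002:101): arch=c000003e syscall=93 success=yes exit=0 a0=3 a1=3e8 a2=3e8 a3=0 items=1 ppid=100 pid=101 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cp" exe="/usr/bin/cp" key="perm_mod"
type=SYSCALL msg=audit(1699000000.003:102): arch=c000003e syscall=91 success=yes exit=0 a0=3 a1=81a4 a2=0 a3=0 items=1 ppid=100 pid=101 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cp" exe="/usr/bin/cp" key="perm_mod"
type=SYSCALL msg=audit(1699000000.004:103): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55d0 a2=0 a3=0 items=2 ppid=100 pid=102 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="rm" exe="/usr/bin/rm" key="delete"
type=SYSCALL msg=audit(1699000000.005:104): arch=c000003e syscall=59 success=yes exit=0 a0=55e0 a1=55f0 a2=5600 a3=0 items=2 ppid=100 pid=103 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="sudo" exe="/usr/bin/sudo" key="priv_cmd"
type=CWD msg=audit(1699000000.005:104): cwd="/home/ron"
EOF
    printf '%s\n' "$f"
}

SAMPLE=$(make_sample_log)
echo "== by key =="
top_keys "$SAMPLE"
echo "== by syscall =="
top_syscalls "$SAMPLE"
rm -f "$SAMPLE"
```

On a multi-gigabyte log, run the functions on the rotated files one at a time rather than a concatenation, and compare the top key against the rule list: every syscall rule in the file above fires once per call with no path restriction, so a recursive cp -rp that chmods and chowns every one of millions of files will produce one perm_mod record per file.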
2 votes
1 answers
12178 views
Linux Audit log rotation name and compression RHEL CentOS 7
Want to set either a **weekly** or **monthly** saving of the real-time /var/log/audit/audit.log file to a compressed file having a name such as audit_2020-05-05.log.gz

In **RHEL/CentOS 7.x** is there an **elegant** way to make the following happen all within existing audit **.conf** files? Otherwise is the *best* way to simply do a root crontab that will run a homegrown bash shell script that will...

- service auditd stop
- cp /var/log/audit/audit.log /var/log/audit/audit_<date>.log
- service auditd start
- gzip -9 /var/log/audit/audit_<date>.log

I would prefer to make the above happen by doing it within the confines of the /etc/audit/ files if that is possible, which is why I am asking. But I strongly want audit_<date>.log.gz files to come about every week/month with that specific file naming convention. The ultimate goal is a reliable and robust way of managing the created audit log archives... keeping any one saved audit log text file to less than 1GB in size uncompressed so adjusting the log saving/rotation accordingly. But also to not lose any audit log or bring the system to single user mode based on audit.conf settings. So any *better* way than what I am currently thinking I would be happy to hear about.
ron (8647 rep)
May 14, 2020, 02:11 AM • Last activity: Aug 14, 2023, 01:32 PM
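auditd.conf cannot produce dated, compressed archive names on its own, but the stop/cp/start sequence above is not needed either: auditd rotates its own logs on SIGUSR1 (audit.log becomes audit.log.1 and a fresh audit.log is opened), and RHEL/CentOS 7 exposes that as service auditd rotate. The script below is an added example, not from the original post: it asks the running daemon to rotate, then renames and compresses the rotated file with the audit_YYYY-MM-DD.log.gz convention. It assumes num_logs is at least 2 in /etc/audit/auditd.conf (otherwise no .1 file is produced) and that the archive directory is the same /var/log/audit; the script path in the cron comment is a placeholder.

```sh
#!/bin/sh
# Added example (not from the original post): archive audit logs without
# stopping auditd. Rotation is requested from the daemon (SIGUSR1); the
# rotated audit.log.1 is then renamed to audit_<date>.log and gzipped.
# Assumes /etc/audit/auditd.conf has num_logs >= 2 and the usual log_file.

# Ask the running auditd to rotate. Not exercised by the self-test below.
rotate_auditd_logs() {
    service auditd rotate 2>/dev/null || kill -USR1 "$(pidof auditd)"
    sleep 2   # the rename happens inside the daemon; give it a moment
}

# Move DIR/audit.log.1 to DIR/audit_DAY.log.gz and print the archive path.
# Returns 1 when there is nothing to archive (no or empty audit.log.1).
archive_rotated_log() {
    dir="$1"
    day="$2"
    src="$dir/audit.log.1"
    dst="$dir/audit_$day.log"
    [ -s "$src" ] || return 1
    # mv first so auditd's own num_logs shifting never touches this file again
    mv "$src" "$dst"
    gzip -9 "$dst"
    printf '%s\n' "$dst.gz"
}

# Weekly cron entry (Sunday 01:00) for a copy saved as /usr/local/sbin/audit-archive.sh:
#   0 1 * * 0 /usr/local/sbin/audit-archive.sh run
if [ "${1:-}" = "run" ]; then
    rotate_auditd_logs
    archive_rotated_log /var/log/audit "$(date +%F)"
fi
```

Keep max_log_file and max_log_file_action in auditd.conf as they are for the under-1GB requirement: the daemon's size-based rotation still happens between cron runs, and those extra audit.log.N files can be archived by the same function in a loop. Because auditd never stops, the failure actions configured for a full disk (the single-user-mode concern above) are not triggered by the archiving itself.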
1 votes
0 answers
1104 views
ausearch not returning matches for AVC and sudo
I'm running auditd with a bunch of rules for PCI-DSS, but I have some anomalies.

```none
cat audit.log | grep type | grep AVC
```

returns a bunch of entries like

```none
type=AVC msg=audit(1567154215.586:353): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.core" pid=22810 comm="apparmor_parser"
```

but when running

```none
ausearch -m AVC -if audit.log
```

it doesn't return any entries. Is there something I'm missing (or has been replaced)? Also there's a rule for sudo

```none
-w /usr/bin/sudo -p x -k priv_esc
```

but whenever I sudo to root, there isn't a corresponding entry in the audit logs. Is there something wrong with my setup?
placid chat (761 rep)
Sep 11, 2019, 09:32 AM • Last activity: Jul 19, 2023, 08:58 AM
1 votes
1 answers
578 views
audit does not record file events (but works for network events) in fedora
I want to monitor access to a file using audit, and hence added the following rule

```none
-w /home/test.txt -k monitoring-test
```

I reloaded the rules (sudo service auditd restart) and modified the file /home/test.txt, however, the log does not create any events with that key: sudo ausearch -k monitoring-test returns only the event of adding the rule:

```none
time->Fri May 5 13:32:19 2023
type=CONFIG_CHANGE msg=audit(1682311231.581:1719): auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key="monitoring-test" list=4 res=1
```

Strangely, when adding a network monitoring rule like

```none
-a always,exit -F arch=b64 -S accept,connect -F key=network-external-access
```

I do get log messages with the corresponding key. I read multiple posts like this tutorial or that redhat post but none of their solutions fixes my problem. Does anyone see why I do not get any logs for editing the file? The Kernel has the following flags, obtained by

```none
sudo grep CONFIG_AUDIT /boot/config-$(uname -r)
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_ARCH=y
```

Is it a problem that CONFIG_AUDIT_WATCH=y is missing, which is present in the answer here?

----------

For the record, my /etc/audit/audit.rules is (after adding the above file monitor rule permanently):

```none
## This file is automatically generated from /etc/audit/rules.d
-D
-a task,never
-w /home/test.txt -k monitoring-test
```

And sudo auditctl -l returns

```none
-a never,task
-w /home/test.txt -p rwxa -k monitoring-test
```

My operating system is Fedora, and the audit version is 3.1-2.
black (113 rep)
May 5, 2023, 04:43 PM • Last activity: May 15, 2023, 04:13 PM