Linux automatic change permissions in resolv.file

In various Linux servers I see how the permissions of the /etc/resolv.conf file change automatically. In normal state: -r--r--r-- 1 root root 103 Jul 4 11:50 resolv.conf In changed state: -r--r----- 1 root root 103 Jul 4 11:50 resolv.conf I installed auditd for monitoring it, and these are the two entries between the change: type=PATH …

Email alert when private keys read from disk (honeypot, auditd)

I’d like to receive an immediate alert every time something reads the contents of my private key on Debian Linux. How can I do that? I have an RSA private key stored on my server’s disk at the following location: /etc/ssl/private/super-secret.key It’s only readable by root, but I still want to have a log of …

How to configure auditd to collect logs from /proc kernel file directory

I’ve been looking for this for about 3 days now and have come up empty-handed. I am looking for a way to build a threat alert for Linux-based credential dumping in Splunk. To do this I need to be able to monitor the /proc directory. I found audit and auditd (audit daemon) but I don’t …

Monitor root commands issued by users

I tried to log the commands issued by the system administrators in our organization and their output using sudo plus the log_output directive, as follows in the visudo file: Defaults env_reset Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" Defaults:%sudo log_output … root ALL=(ALL) ALL … %sudo ALL=(ALL) ALL This does exactly what is requested, but it has a big …

Folder keeps getting deleted and I can’t find out why

I have a Joomla based website running on CentOS, Apache, PHP, MySQL. I am using the plupload file uploader to upload the files. I’m uploading the files to the /tmp/uploads directory, where they are processed and then moved. For some reason, and for the life of me I can’t figure out why, the /tmp/uploads directory keeps getting …

How to log changes made in a particular file to syslog

How to log changes made in a particular file using syslog-ng? The log must contain the timestamp, hostname, user who modified the file and the action performed. Is there any option other than audit in Linux, as audit generates more data in the log? Can the same be done in Windows, as whenever a user modifies …

After change, puppet now runs as the “ubuntu” user, and auditd is freaking out

This is a very strange question and I don’t even know how to Google for it, so I’m posting here to see if anyone has encountered this sort of situation before. I have multiple Ubuntu 14.04 systems running in AWS EC2. We have several VPCs dedicated to different purposes — prod/qa/dev/etc. I’m running puppet, with …

How can I process auditd logs on the fly using ausearch?

I want to ship off logs into centralized logging (ELK). Because of the way things are, I need to do the processing on the machine that creates the logs. How can I get each new auditd event to automatically be processed by ausearch and written to another file? Answer: Simplest (but batch oriented): Use the …

CentOS audit.log is full of irrelevant information

My audit.log file is full of information that I don't need (and want to disable). A lot of log lines like: type=SYSCALL msg=audit(1467201475.671:36911834): arch=c000003e syscall=2 success=yes exit=49 a0=7f770ed9f318 a1=0 a2=0 a3=7f7712c00000 items=1 ppid=1 pid=1823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="splunkd" exe="/opt/splunkforwarder/bin/splunkd" key="audit-logs" I know I need to delete some …

How do I get auditd to show me the folder/file name of something it’s monitoring, when the changes are made via an smb client?

I’m using auditd to audit a folder, /shared, for reads, writes, attribute changes and deletions. I have installed auditd and configured the following rules: -a exit,always -S unlink -S rmdir -a exit,always -F path=/shared If I run a manual report using ausearch (ausearch -f /shared) I can see what I’m expecting, if the actions are …