How can `auditd` log in `/var/log/audit/audit.log` even `auditctl -l` is empty?
My server is CentOS 7.6.
[root@localhost /]# auditctl -l
No rules
[root@localhost /]# cat /var/log/audit/audit.log
type=CRED_REFR msg=audit(1552434501.528:25860): pid=12659 uid=0 auid=0 ses=3578 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1552434501.570:25861): pid=12659 uid=0 auid=0 ses=3578 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=SYSCALL msg=audit(1552434501.574:25862): arch=c000003e syscall=2 success=yes exit=3 a0=7fd2239664d2 a1=80000 a2=1b6 a3=24 items=1 ppid=20513 pid=12659 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3578 comm="crond" exe="/usr/sbin/crond" key="passwd_changes"
type=CWD msg=audit(1552434501.574:25862): cwd="/"
type=PATH msg=audit(1552434501.574:25862): item=0 name="/etc/passwd" inode=1573099 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1552434501.574:25862): proctitle=2F7573722F7362696E2F63727F6E64002D6E
type=USER_END msg=audit(1552434501.574:25863): pid=12659 uid=0 auid=0 ses=3578 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
The problem is that I never made any passwd_changes recently. What is the meaning of comm="crond" exe="/usr/sbin/crond" key="passwd_changes"?
centos7 auditd
asked 5 mins ago
kittygirl
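As an added example (not part of the question or any answer), a small parser for the records quoted above: it groups lines by the msg=audit(timestamp:serial) event id and reports which rule key (the -k value of an audit rule that was loaded when the event fired) produced each SYSCALL record, while PAM-originated records such as CRED_DISP are written without any rule and so carry no key. The sample lines are copied from the question; the parsing helpers are this example's own.

```python
import re
from collections import defaultdict

# Added example (not from the question): group audit.log records into events.
HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
# name=value pairs; a value may be "...", '...' (nested PAM msg) or bare.
FIELD = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

# Constructed sample: four records copied from the question.
SAMPLE_LOG = """\
type=CRED_DISP msg=audit(1552434501.570:25861): pid=12659 uid=0 auid=0 ses=3578 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=SYSCALL msg=audit(1552434501.574:25862): arch=c000003e syscall=2 success=yes exit=3 a0=7fd2239664d2 a1=80000 a2=1b6 a3=24 items=1 ppid=20513 pid=12659 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3578 comm="crond" exe="/usr/sbin/crond" key="passwd_changes"
type=CWD msg=audit(1552434501.574:25862): cwd="/"
type=PATH msg=audit(1552434501.574:25862): item=0 name="/etc/passwd" inode=1573099 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
"""

def parse_record(line):
    """Return (serial, type, {field: value}) or None for a malformed line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    fields = {k: v.strip('"\'') for k, v in FIELD.findall(body)}
    return serial, rtype, fields

def group_events(text):
    """Records sharing msg=audit(ts:serial) belong to one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec[0]].append((rec[1], rec[2]))
    return dict(events)

def keyed_syscalls(events):
    """Per event with a SYSCALL record: rule key (-k), exe and PATH names.
    CRED_* records carry no key: PAM emits them without any rule."""
    out = []
    for serial, records in events.items():
        paths = [f["name"] for t, f in records if t == "PATH"]
        for t, f in records:
            if t == "SYSCALL":
                out.append({"serial": serial, "key": f.get("key"),
                            "exe": f.get("exe"), "syscall": f.get("syscall"),
                            "paths": paths})
    return out

def decode_proctitle(hexstr):
    """PROCTITLE records carry argv hex-encoded with NUL separators."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").replace("\x00", " ")
```

Running keyed_syscalls over a full audit.log is a quick way to see which loaded rule key a given record came from, independent of what auditctl -l shows at the moment you look.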