Questions tagged [audit]
Observing/logging a resource for purposes of: adding it to a blacklist or whitelist; keeping tabs on the security of a system.
326
questions
69
votes
8
answers
15k
views
A previous IT worker probably left some backdoors. How can I eliminate them? [duplicate]
I started working for a company that fired a previous IT worker for leaking data.
I can only say the following things:
We use a Firebird DB with an application written by another company, Proxmox, ...
51
votes
4
answers
3k
views
Linux: set up for remote sysadmin
Every now and then I get the odd request to provide remote support, troubleshooting and/or performance tuning on Linux systems.
Larger companies often already have well established procedures to ...
39
votes
10
answers
56k
views
How do I know if my Linux server has been hacked?
What are the tell-tale signs that a Linux server has been hacked? Are there any tools that can generate and email an audit report on a scheduled basis?
34
votes
2
answers
99k
views
How can I list MACs, Ciphers and KexAlgorithms supported by my ssh server?
How can I determine the supported MACs, Ciphers, Key length and KexAlgorithms supported by my ssh servers?
I need to create a list for an external security audit. I'm looking for something similar to ...
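An added example, not from the question or any answer, of what such an audit does on the wire: it speaks just enough of the SSH transport (RFC 4253) to read the server's KEXINIT message, which lists every key-exchange, host-key, cipher and MAC algorithm the server offers, independent of what any client supports. The `WEAK_MARKERS` list is a judgment call for an audit checklist, not an OpenSSH list; `enumerate_server` does real network I/O and the offline check only exercises the encoder, framing and parser on a constructed KEXINIT.

```python
"""Read an SSH server's KEXINIT to list the algorithms it offers (added example)."""
import socket
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of a KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LISTS = ("kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
              "compression_c2s", "compression_s2c", "lang_c2s", "lang_s2c")
# Substrings an audit checklist typically flags; a judgment call, not an OpenSSH list.
WEAK_MARKERS = ("sha1", "-cbc", "arcfour", "3des", "md5", "-96")


def build_kexinit(algos, cookie=bytes(16)):
    """Encode a KEXINIT payload; used for our own offer and to construct test input."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in NAME_LISTS:
        s = ",".join(algos.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(s)) + s
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {list name: [algorithm, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, algos = 17, {}  # message byte + 16-byte cookie
    for name in NAME_LISTS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        pos += n
        algos[name] = raw.decode("ascii").split(",") if raw else []
    return algos


def wrap_packet(payload, block=8):
    """Unencrypted SSH binary packet framing (RFC 4253 section 6): packet length,
    padding length, payload, at least 4 bytes of padding, total a multiple of block."""
    pad = block - (5 + len(payload)) % block
    if pad < 4:
        pad += block
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)


def read_packet(recv):
    """recv(n) must return exactly n bytes; returns the payload of one unencrypted packet."""
    length, padlen = struct.unpack(">IB", recv(5))
    body = recv(length - 1)  # payload followed by padding
    return body[:len(body) - padlen]


def bytes_reader(data):
    """A recv() over an in-memory buffer, e.g. bytes captured with tcpdump."""
    view, pos = memoryview(data), 0

    def recv(n):
        nonlocal pos
        chunk = bytes(view[pos:pos + n])
        pos += n
        return chunk
    return recv


def flag_weak(algos):
    """Entries on the kex/host-key/cipher/MAC lists that match WEAK_MARKERS."""
    return {name: [a for a in algos[name] if any(m in a for m in WEAK_MARKERS)]
            for name in NAME_LISTS[:6]}


def enumerate_server(host, port=22, timeout=5.0):
    """Connect, exchange version strings, send a minimal KEXINIT and return
    (server banner, server algorithm lists).  Network I/O; not run offline."""
    our_offer = {"kex": ["curve25519-sha256"], "host_key": ["ssh-ed25519"],
                 "cipher_c2s": ["aes256-gcm@openssh.com"], "cipher_s2c": ["aes256-gcm@openssh.com"],
                 "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"],
                 "compression_c2s": ["none"], "compression_s2c": ["none"]}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        banner = f.readline()
        while banner and not banner.startswith(b"SSH-"):  # servers may send text lines first
            banner = f.readline()
        sock.sendall(b"SSH-2.0-algo-audit\r\n")
        sock.sendall(wrap_packet(build_kexinit(our_offer)))

        def recv(n):
            data = f.read(n)
            if len(data) != n:
                raise ConnectionError("short read from server")
            return data

        return banner.strip().decode("ascii", "replace"), parse_kexinit(read_packet(recv))


if __name__ == "__main__":
    import sys
    banner, algos = enumerate_server(sys.argv[1])
    print(banner)
    for name in NAME_LISTS[:6]:
        print(f"{name:16} {', '.join(algos[name])}")
    print("flagged:", flag_weak(algos))
```

For the audit list itself, `nmap --script ssh2-enum-algos -p 22 host` produces the same information; the value of reading the KEXINIT yourself is that the output format is yours and the parser also works on a packet capture, which is what you keep as evidence.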
22
votes
10
answers
8k
views
How to track superuser activities
I'd like to know what are the best approaches for tracking superuser activities on a Linux environment.
Specifically, I'm looking for these features:
A) Logging keystrokes to a secured syslog server
...
20
votes
7
answers
38k
views
Cygwin SSHd Autoblock Failed Logins
I'm running Cygwin with an SSH daemon on a Windows Server 2008 machine. I was looking at the Event Viewer and noticed as much as 5 to 6 failed login attempts per second (brute force) for the last week ...
17
votes
5
answers
4k
views
Git commit auditing
I have a git server running over ssh and each user has a unix account on the system.
Given that two users have access to a repo, how can I be sure which user performed which commit, since the commit ...
16
votes
2
answers
160k
views
Event 4625 Audit Failure NULL SID failed network logons
In 3 separate systems, the following event is being logged many times (between 30 and 4,000 times a day depending on the system) on the domain controller server:
An account failed to log on.
Subject:
...
15
votes
3
answers
92k
views
Sending audit logs to SYSLOG server
I'm running several RHEL based systems which utilize the audit functionality within the 2.6 kernel to track user activity and I need to have these logs sent to centralized SYSLOG servers for ...
13
votes
2
answers
71k
views
Server locking up, /var/log/messages reports "backlog limit exceeded"
We have a CentOS OS that became unresponsive this morning to external network traffic. It is a virtual machine. I was able to reboot the VM. After logging back in, I found the following in the /var/...
12
votes
8
answers
3k
views
How do I inventory the type and speed of a remote computer?
I'm on a Windows 2003/2008 corporate network with 100 users. I've been tasked with increasing the RAM on all end-user workstations.
The problem is we have a mixture of different computers in our ...
12
votes
7
answers
7k
views
How do you document/track your permissions
I'm a Windows Admin so those that integrate with Windows will likely be most helpful. My main challenge at this point is just with file shares but as SharePoint use increases it will only make this ...
11
votes
4
answers
20k
views
How can I audit a file to see who deleted it?
On one of our servers we have a file that keeps mysteriously getting deleted. What I'd like to do is have a program watch this file and let me know when/how/by whom it gets deleted. We have a backup ...
9
votes
4
answers
13k
views
File audit in Linux: how to watch directory tree for deletions?
I have a forum script running on a server and somehow a small number of attachments began to get lost. I want to find out what is deleting them and at what time. How can I set up Linux auditd (auditctl) to ...
7
votes
5
answers
6k
views
Security when SSH private keys are lost
User A has two SSH private keys, and over time has used this public key on a number of servers
He lost one of them, and has created a new pair.
How does User A inform me (the sysadmin), that he has ...
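As an added example, not from the question or any answer: the identifier the sysadmin needs from User A is the fingerprint of the lost key's public half (`ssh-keygen -lf lost.pub`), because it is the same on every server and does not change with the comment field or the options in front of the key in authorized_keys. The code below computes that fingerprint from an authorized_keys line and strips every matching line from the file. The keys in `SAMPLE_AUTHORIZED_KEYS` are constructed dummy blobs, not real keys.

```python
"""Find and remove a lost SSH public key by fingerprint (added example)."""
import base64
import hashlib

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(pubkey_line):
    """OpenSSH-style SHA256 fingerprint (what ssh-keygen -lf prints) for one
    authorized_keys or .pub line; leading options such as command="..." are skipped."""
    parts = pubkey_line.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(KEY_TYPES):
            blob = base64.b64decode(parts[i + 1], validate=True)
            digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=")
            return "SHA256:" + digest.decode("ascii")
    raise ValueError("no public key in line")


def revoke(authorized_keys_text, lost_fingerprint):
    """Drop every key line whose fingerprint matches; return (new text, lines removed)."""
    kept, removed = [], 0
    for line in authorized_keys_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            try:
                if fingerprint(stripped) == lost_fingerprint:
                    removed += 1
                    continue
            except ValueError:  # also catches binascii.Error from bad base64
                pass            # leave unparsable lines untouched for a human to look at
        kept.append(line)
    text = "\n".join(kept)
    if authorized_keys_text.endswith("\n"):
        text += "\n"
    return text, removed


def fake_ed25519_line(fill, comment):
    """Constructed test data: a well-formed ssh-ed25519 line around a 32-byte dummy key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([fill]) * 32
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


# Constructed sample file, not a real server's authorized_keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real server file",
    fake_ed25519_line(1, "alice@laptop-lost"),
    'command="/usr/bin/rrsync /backup",no-pty ' + fake_ed25519_line(2, "alice@laptop-new"),
    fake_ed25519_line(3, "bob@desktop"),
]) + "\n"


if __name__ == "__main__":
    lost = fingerprint(fake_ed25519_line(1, "alice@laptop-lost"))
    new_text, n = revoke(SAMPLE_AUTHORIZED_KEYS, lost)
    print(f"removed {n} line(s) matching {lost}")
    print(new_text)
```

Run `revoke` over every server's authorized_keys through whatever configuration management you use, and also add the lost public key to the file named by `RevokedKeys` in sshd_config so it is refused even if a copy of the line survives somewhere you did not think of.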
6
votes
3
answers
5k
views
Is it possible to audit the Amazon AWS console?
We had a situation recently where an elastic IP address assigned to a production server mysteriously became disassociated from that server. We have had this same thing happen in the past to other (...
6
votes
4
answers
457
views
Penetration Testing - Trust and Hiring
When you hire someone/business to come in how can you be sure they won't have a rogue employee who will backdoor your systems? Is there a way you can trust anyone? How do big corporations do it? Seems ...
6
votes
2
answers
1k
views
What does a standard tech audit include and what is a reasonable price for it? [closed]
I am a programmer, but the company I am working for has been growing and has outgrown the 2 man IT contractor team that has been servicing us.
We are looking into several different solutions for our ...
6
votes
3
answers
6k
views
Auditctl - filtering out cron messages
I'm using auditctl and get a lot of logging events for crond. I do not wish to log any cron/crond events.
node=127.0.0.1 type=CRED_DISP msg=audit(1405678801.149:5571): user pid=1757 uid=0 auid=0 ...
6
votes
1
answer
5k
views
How to determine new file name from audit log on renaming?
[Windows 2008 R2 File System audit]
When I delete the file, two event log audit messages appear: 4663 which means request for file deletion and 4660 which confirms the deletion. They can be joined by ...
6
votes
1
answer
14k
views
What's the difference between auid, uid, euid, suid, fsuid, obj_uid, gid, egid, sgid, fsgid, obj_gid in `auditctl`?
My server is CentOS 7.6 with auditd 2.8.5.
In the audit rules, I set:
-a always,exit -F arch=b32 -S adjtimex,settimeofday -F key=time-change
But this rule also records normal ntpd activity, then I tried ...
5
votes
5
answers
9k
views
How to find out what files an installer (rpm, deb) created?
I need to find out all the file system modifications an installer did. Most likely the installed package is an rpm or deb, but an app could of course be simply copied over or compiled and installed ...
5
votes
6
answers
3k
views
Is there any Windows logger tool which would track file manipulation?
I want to be able to know who and when touched a file. My last question showed that I can't rely on NTFS.
5
votes
2
answers
59k
views
How to detect Windows Server 2003/2008 Release (R1 or R2) programmatically?
I can easily pickup whether a server is Win2k3, 2k8, standard edition, enterprise edition, x86, x64, but I cannot find a way of determining if it's Release 1 or 2. HP Systems Insight Manager somehow ...
5
votes
5
answers
2k
views
VMware ESX Auditing
I'm looking to generate an excel spreadsheet with various information about each one of my company's ~140 VMs residing on 7 ESX 3.5 servers - specifically, the VM's:
Name
Allocated Memory, Processors,...
5
votes
2
answers
800
views
How do I audit network connections that exceed a certain amount of traffic or bandwidth on Linux?
I've been looking after some Debian boxes and occasionally I see a big spike in the network traffic. I'm graphing metrics with graphite (being fed by a sensu check which gathers per-interface metrics every ...
5
votes
4
answers
981
views
Audit files on a Debian box
Is it possible to list every file on the system that does not belong to a package? or if they have been modified?
Might need to use something like: apt-get, apt-files, dpkg-query, etc
For context, ...
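An added example, not from the question or any answer and not the code of dpkg or debsums, that answers both halves from the dpkg database directly: `<pkg>.list` under /var/lib/dpkg/info says which paths a package owns, and `<pkg>.md5sums` says what its regular files hashed to when the package was installed. Run against `/` it needs root to read everything; `run_demo` builds a throwaway fake root and fake dpkg database (constructed data) so the logic can be exercised offline.

```python
"""List files no dpkg package owns, and owned files whose contents no longer match the
package's md5sums (added example; debsums covers the second half on a real system)."""
import glob
import hashlib
import os
import tempfile


def load_dpkg_db(info_dir="/var/lib/dpkg/info"):
    """Return ({installed path: package}, {installed path: md5 hex}).
    <pkg>.list holds every path a package ships; <pkg>.md5sums holds digests of its
    regular files relative to / (conffiles under /etc are usually not listed there)."""
    owned, digests = {}, {}
    for lst in glob.glob(os.path.join(info_dir, "*.list")):
        pkg = os.path.basename(lst)[:-len(".list")]
        with open(lst, encoding="utf-8", errors="replace") as f:
            for line in f:
                path = line.rstrip("\n")
                if path:
                    owned[path] = pkg
    for sums in glob.glob(os.path.join(info_dir, "*.md5sums")):
        with open(sums, encoding="utf-8", errors="replace") as f:
            for line in f:
                line = line.rstrip("\n")
                if "  " in line:  # "<md5>  <relative path>", md5sum(1) format
                    digest, rel = line.split("  ", 1)
                    digests["/" + rel] = digest
    return owned, digests


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_tree(root, owned, digests, skip=("/proc", "/sys", "/dev", "/run", "/tmp")):
    """Walk root; return (unowned files, modified owned files) as installed paths."""
    unowned, modified = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        here = "/" if rel == "." else "/" + rel
        if here.startswith(skip):
            dirnames[:] = []  # do not descend into pseudo or volatile filesystems
            continue
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            installed = here.rstrip("/") + "/" + fn
            if installed not in owned:
                unowned.append(installed)
            elif installed in digests and not os.path.islink(full):
                try:
                    if md5_of(full) != digests[installed]:
                        modified.append(installed)
                except OSError:
                    pass  # unreadable without privileges; rerun as root
    return sorted(unowned), sorted(modified)


def run_demo():
    """Constructed fixture: fake root plus fake dpkg database in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root, info = os.path.join(tmp, "root"), os.path.join(tmp, "info")
        for d in ("usr/bin", "usr/local/bin"):
            os.makedirs(os.path.join(root, d))
        os.makedirs(info)
        files = {"usr/bin/ls": b"ls-binary", "usr/bin/ssh": b"ssh-binary",
                 "usr/local/bin/evil": b"not from any package"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        db = {  # what dpkg recorded at install time; ssh has been replaced since
            "coreutils.list": "/usr\n/usr/bin\n/usr/bin/ls\n",
            "coreutils.md5sums": hashlib.md5(b"ls-binary").hexdigest() + "  usr/bin/ls\n",
            "openssh-client.list": "/usr/bin/ssh\n",
            "openssh-client.md5sums": hashlib.md5(b"original ssh").hexdigest() + "  usr/bin/ssh\n",
        }
        for name, text in db.items():
            with open(os.path.join(info, name), "w", encoding="utf-8") as f:
                f.write(text)
        owned, digests = load_dpkg_db(info)
        return audit_tree(root, owned, digests)


if __name__ == "__main__":
    unowned, modified = run_demo()
    print("unowned:", unowned)
    print("modified:", modified)
```

On a real host expect /home, /var/log, locally built software under /usr/local and deliberately edited conffiles to show up as unowned or modified; the interesting list is what is left after those. The md5sums catch accidental and careless change only: an intruder with root can rewrite the md5sums files along with the binaries, so a baseline worth trusting is one stored off the box.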
5
votes
2
answers
14k
views
SELinux: denied { execute } for pid=2174 comm="httpd" path="/etc/httpd/lib/libaprutil-1.so.0.5.3"
I have a problem with SELinux. setroubleshoot suggested enabling mypol.pp with semodule -i mypol.pp so apache could run.
After I ran the suggested command, I keep getting:
type=AVC msg=audit(...
5
votes
2
answers
13k
views
Unable to start auditd
I am on CentOS 5.8 final
I recently installed auditd via yum install audit however I am unable to start it.
I edited the configuration file to give a verbose output of the error it is receiving in ...
5
votes
4
answers
3k
views
How do I audit changes made to our servers, routers, etc.?
We have a lot of servers (running Windows and Ubuntu) along with a mix of Cisco and Juniper routers with a side of HP Procurve switches. We have a few sysadmins who like to make changes to configs ...
5
votes
1
answer
330
views
Exchange security monitoring tools [closed]
I am trying to identify tools that can perform security monitoring of Exchange. Ideally, the tools should be able to pick up things like:
permission changes for high risk mailboxes
multiple ...
5
votes
2
answers
2k
views
Is it worth running nessus as well as OpenVAS?
Apparently OpenVAS originated as a fork of Nessus. It is very easy to install and use OpenVAS because it's, well, open. However, am I kidding myself if I just use that instead of Nessus? Should I ...
4
votes
5
answers
6k
views
How can root start a process that only root can kill?
It is easy to start a process at background or make it as systemd service.
However, if I want to start a process that monitors activities on the Linux machine, it becomes a target of attacks. If ...
4
votes
4
answers
17k
views
How to parse audit.log using logstash
I want to use logstash to collect a log file, and the format of the file was like this:
type=USER_START msg=audit(1404170401.294:157): user pid=29228 uid=0 auid=0 ses=7972 subj=system_u:system_r:...
4
votes
2
answers
229
views
Any tips for planning a (self-inflicted) software audit? [closed]
How do you check that the software at your site is licensed? Have you come up with any tips to minimize effort?
4
votes
1
answer
12k
views
Check whether GRANT EXECUTE TO user or role was applied
In Microsoft SQL Server, I can use
GRANT EXECUTE TO <principal>
to grant execute permission to some user or role. I'm interested in detection:
How can I equally simply check whether that ...
4
votes
1
answer
5k
views
How can I set audit controls on files owned by TrustedInstaller using Powershell?
I am trying to set audit controls on a number of files (listed in ACLsWin.txt) located in \%Windows%\System32 (for example, aaclient.dll) using the following Powershell script:
$FileList = Get-...
4
votes
2
answers
279
views
Is there any viable alternative to using Oracle Auditing
I am currently tasked with developing an action plan for monitoring DB activity, encompassing general actions (failed logons etc.) with some finer grained monitoring (e.g. who selected from table x, what ...
4
votes
7
answers
293
views
Is it possible to retrieve system, software and license information from a fleet of Windows computers?
I would like to know the hardware and software information for a fleet of Windows PCs. That includes licenses that software is registered with. I would like the information to be in a simple text file....
4
votes
1
answer
1k
views
Survive a Software Audit
I received a letter from Autodesk asking for a "License Assessment". I understand it as a software audit. They plan to do it remotely.
The thing is, I'm a freelancer, I don't use any Software Asset ...
4
votes
2
answers
497
views
Is there a Windows Event character count limitation?
I'm working on output analysis of the Windows Event ID 5136 ("A directory service object was modified") and more specifically events with "LDAP Display Name = nTSecurityDescriptor" (see following ...
4
votes
1
answer
229
views
Disable auditing of specific ldap attributes
I'm working on some auditing for PCI-DSS, notably "Audit Directory Service Access". This creates a huge volume of logs, mostly based on a couple specific recurring properties being accessed in the ...
4
votes
1
answer
787
views
How can I log the creation of Exchange 2003 and 2010 mailboxes?
We are trying to acquire a new certificate/label. In order to get this certificate/label we need to monitor the creation of mailboxes in Microsoft Exchange.
We are currently using Microsoft ACS (...
4
votes
3
answers
10k
views
Tracking SQL Server 2008 Timeout Errors
We got some connection timeouts running a stored procedure in a SQL Server 2008 instance. After a while, the DB started to work as usual, and there weren't any additional timeout errors.
So I'm ...
4
votes
3
answers
601
views
Decommissioning: how to list clients/applications depending on my SQL Server?
I have a SQL box that I want to decommission. Before doing so, I want to understand all the applications that may be relying on the machine, rather than just turning it off and hearing people scream.
...
4
votes
1
answer
277
views
Investigate potential breach in Azure App Service
We suspect we have had a data breach, but we are not sure how to investigate it to determine the source of the breach or what data was sent.
We have an app service that has been running for a while ...
4
votes
2
answers
6k
views
How to log all commands run on Linux including their arguments (parameters)? [duplicate]
How can I log all commands executed on Linux, including their command-line arguments (parameters)?
So, for example, if someone runs:
rm -rf /tmp/foo
I would see a log entry similar to this:
2016-...
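One way to get from raw auditd records to that kind of answer, as an added example that is not from any question or answer here and not part of auditd: it parses audit.log the way ausearch groups it (records sharing the `msg=audit(timestamp:serial)` stamp are one event), decodes auditd's hex-encoded strings, and reports who deleted what and which command ran with which arguments. The same block serves this question, the attachment-deletion question above ("File audit in Linux: how to watch directory tree for deletions?") and the logstash question ("How to parse audit.log using logstash"). The rules in the docstring and the `SAMPLE_LOG` lines are constructed for the example; the syscall numbers are x86_64 only.

```python
"""Group auditd records into events and answer "who deleted / ran what" (added example).

Assumes rules like these are loaded (e.g. from /etc/audit/rules.d/local.rules):
  -a always,exit -F arch=b64 -S unlink,unlinkat,rmdir,rename,renameat -F dir=/var/www/forum/attachments -k attach-del
  -a always,exit -F arch=b64 -S execve -k exec
"""
import re
from collections import defaultdict

HEADER = re.compile(r"^(?:node=\S+ )?type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
HEXSTR = re.compile(r"^(?:[0-9A-F]{2})+$")
# x86_64 numbers (arch=c000003e); other architectures number syscalls differently.
SYSCALL_NAMES = {"59": "execve", "84": "rmdir", "87": "unlink", "263": "unlinkat"}


def unescape(raw):
    """auditd quotes plain strings; strings with spaces or control characters are hex-encoded."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if HEXSTR.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """One audit.log line -> {"type", "ts", "serial", "fields"}, or None if not a record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": dict(KV.findall(m.group("body")))}


def group_events(lines):
    """Records sharing msg=audit(ts:serial) form one event; return {serial: [records]}."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)


def summarize(records):
    """Flatten one event into the fields an investigator asks for."""
    by_type = defaultdict(list)
    for r in records:
        by_type[r["type"]].append(r["fields"])
    sc = by_type["SYSCALL"][0] if by_type["SYSCALL"] else {}
    s = {
        "serial": records[0]["serial"], "ts": records[0]["ts"],
        "auid": sc.get("auid"),  # login uid: survives su/sudo, so it names the person
        "uid": sc.get("uid"),    # identity the kernel saw at the time of the call
        "comm": unescape(sc.get("comm", "")), "exe": unescape(sc.get("exe", "")),
        "key": unescape(sc.get("key", "")), "success": sc.get("success") == "yes",
        "syscall": SYSCALL_NAMES.get(sc.get("syscall"), sc.get("syscall")),
        "cwd": unescape(by_type["CWD"][0]["cwd"]) if by_type["CWD"] else None,
        "deleted": [unescape(p["name"]) for p in by_type["PATH"] if p.get("nametype") == "DELETE"],
        "argv": [],
    }
    if by_type["EXECVE"]:  # full argument vector, one field per argument
        ex = by_type["EXECVE"][0]
        s["argv"] = [unescape(ex[f"a{i}"]) for i in range(int(ex["argc"]))]
    elif by_type["PROCTITLE"]:  # NUL-separated command line, hex-encoded
        s["argv"] = unescape(by_type["PROCTITLE"][0]["proctitle"]).split("\x00")
    return s


def report(log_text):
    """Summaries of every event in the log text, in serial order."""
    events = group_events(log_text.splitlines())
    return [summarize(events[k]) for k in sorted(events)]


# Constructed sample: one deletion under the watched directory, then one execve.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1405678801.149:5571): arch=c000003e syscall=87 success=yes exit=0 a0=7ffd1c2e3a90 a1=0 a2=0 a3=0 items=2 ppid=1757 pid=1802 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="attach-del"
type=CWD msg=audit(1405678801.149:5571): cwd="/var/www/forum"
type=PATH msg=audit(1405678801.149:5571): item=0 name="/var/www/forum/attachments/" inode=1310851 dev=fd:01 mode=040755 ouid=33 ogid=33 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1405678801.149:5571): item=1 name="/var/www/forum/attachments/img42.png" inode=1310900 dev=fd:01 mode=0100644 ouid=33 ogid=33 rdev=00:00 nametype=DELETE
type=PROCTITLE msg=audit(1405678801.149:5571): proctitle=726D002D66006174746163686D656E74732F696D6734322E706E67
type=SYSCALL msg=audit(1405678802.500:5572): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0 a1=55d2e0 a2=55d400 a3=0 items=2 ppid=1757 pid=1803 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="exec"
type=EXECVE msg=audit(1405678802.500:5572): argc=3 a0="rm" a1="-rf" a2="/tmp/foo"
type=CWD msg=audit(1405678802.500:5572): cwd="/root"
type=PATH msg=audit(1405678802.500:5572): item=0 name="/usr/bin/rm" inode=131 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1405678802.500:5572): proctitle=726D002D7266002F746D702F666F6F
"""

if __name__ == "__main__":
    for s in report(SAMPLE_LOG):
        print(f"{s['ts']:.3f} auid={s['auid']} uid={s['uid']} {s['syscall']} ok={s['success']} "
              f"cwd={s['cwd']} argv={s['argv']} deleted={s['deleted']} key={s['key']}")
```

The field to pivot on is `auid`: it is set at login and survives `su` and `sudo`, which is why uid=0 in the sample still traces back to the person who logged in as 1000. An execve rule on a busy box is noisy, and the usual narrowing is `-F auid>=1000 -F auid!=4294967295` so that only interactive users, not daemons, are recorded. For logstash the grouping step is the one to reproduce: a `kv` filter will split each line into fields, but the SYSCALL, CWD, PATH and EXECVE records of one action still have to be joined on the serial before they make sense.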
4
votes
1
answer
4k
views
Audit logs are not being generated on linux machine
Hi, we are using four Linux servers for one application. The application just simply generates reports using scripts... Now for three servers audit logs are being generated in the /var/log/audit directory (as ...
4
votes
2
answers
1k
views
MySQL enabling the query log for the root user only
I want an audit log for a particular user/connection and not the application itself. Anytime a client manually connects to the server with specific credentials, I want the query log, and binary ...
4
votes
0
answers
2k
views
Why does ausearch skip entries?
I am trying to use the ausearch tool to search my auditd logs for specific entries.
The problem is that most of the entries in audit.log appear to be unsearchable. Searching with matching parameters ...