The ask: We want the default /var/log/messages file in a different location, on a different mount point. Is this possible with rsyslog? The solution: The default location of the /var/log/messages file can be changed to any location of your choice. Follow the steps outlined below to change the default location to a new location (/log_dir). […]
Archives for June 2018
How to use auditd to monitor a file deletion in Linux
So you have a situation where a certain file gets deleted frequently and you need to investigate who deletes it. It can be a user or a system process that deletes the file. The auditd service is the right tool for investigating such file deletion issues. This post outlines the steps to […]
Audit Rule Configuration not Reflected – How to troubleshoot
The problem: We have added new audit rules to the configuration file /etc/audit/rules.d/audit.rules as shown below:
# vi /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -S clock_settime -k time-change
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
But these rules are not reflected in the loaded rule set:
# auditctl -l
No rules
Note: […]
How to exclude a file/directory from auditd rules
auditd is the userspace component of the Linux auditing system. Through it, an administrator can configure rules and alerts for the auditing functionality of the Linux kernel. One of the best things about auditd is that it is tightly integrated with the kernel, so it gives us the power […]
How to configure interface in “Promiscuous Mode” in CentOS/RHEL
What is promiscuous mode for a NIC? Promiscuous mode (promisc mode) is a feature that makes the Ethernet card pass all traffic it receives to the kernel, not only the frames addressed to its own MAC address. It is usually used by packet-sniffing programs such as Wireshark and tcpdump. If there was such a program intentionally running, or bridged networking for hardware virtualization, […]
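As an added example (not code from the original post), two checks for promiscuous mode written in POSIX sh: the first reads `ip link show` output and lists the interfaces whose flag set carries PROMISC; the second scans kernel log lines for the "device X entered/left promiscuous mode" messages the kernel prints on every transition, which is the event a host IDS or log pipeline should alert on when nobody is meant to be sniffing. The interface names and log lines are constructed for the illustration, and `set_promisc` wraps the real `ip link set` command without being run here.

```shell
#!/bin/sh
# Added example: find interfaces in promiscuous mode and spot transitions.
# Sample `ip link show` output and kernel log lines are constructed below.

# Enable or disable promiscuous mode on an interface (needs root):
#   set_promisc eth0 on   /   set_promisc eth0 off
set_promisc() {
    ip link set dev "$1" promisc "$2"
}

# List interfaces whose <FLAGS> in `ip link show` contain PROMISC.
# Reads the `ip link show` text on stdin so it can run on captured output.
promisc_ifaces() {
    awk -F': ' '/^[0-9]+: / && $3 ~ /<[^>]*PROMISC[^>]*>/ {
        sub(/@.*/, "", $2)      # veth0@if6 -> veth0
        print $2
    }'
}

# Report transitions from kernel log lines (dmesg, journalctl -k, /var/log/messages).
# The kernel logs "device <if> entered promiscuous mode" / "... left ...".
promisc_events() {
    awk 'match($0, /device [^ ]+ (entered|left) promiscuous mode/) {
        ev = substr($0, RSTART, RLENGTH)
        split(ev, w, " ")
        print w[2] " " w[3]     # "<if> entered" or "<if> left"
    }'
}

# Constructed sample: eth0 is in promiscuous mode, eth1 is not.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'

# Constructed sample kernel log: a capture started on eth0 and stopped later.
SAMPLE_KMSG='[12345.678901] device eth0 entered promiscuous mode
[12350.000000] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[12399.123456] device eth0 left promiscuous mode'

printf '%s\n' "$SAMPLE_IP_LINK" | promisc_ifaces      # eth0
printf '%s\n' "$SAMPLE_KMSG" | promisc_events         # eth0 entered / eth0 left
```

On a live host, feed the functions with `ip link show | promisc_ifaces` and `dmesg | promisc_events`; an interface that is in promiscuous mode with no tcpdump, Wireshark or bridge to explain it is worth a closer look.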
Linux OS Service ‘irqbalance’
irqbalance is a Linux daemon that distributes interrupts among the processors and cores in your system. The design goal of irqbalance is to find a balance between power savings and optimal performance. To a large degree, the work irqbalance does is invisible to you. The daemon balances savings in power consumption with […]
How to Audit for Modifications to files and Executions of Files in Linux
Auditd is the userspace component of the Linux Auditing System. It is responsible for writing audit records to disk. Viewing the logs is done with the ausearch or aureport utilities, and configuring the audit rules is done with the auditctl utility. During startup, the rules in /etc/audit/rules.d/audit.rules are read by auditctl. The audit daemon itself has […]
How To Identify User Deleting Files From A Given Directory in Linux
Question: How do I find which user is deleting files under a particular directory on Linux? Solution: You can use the auditd service to record an event whenever a change is made to a particular file or directory. Below is an example that records any change made to any file under the /tmp/dir directory. […]
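Added example, not code from the original posts: a small POSIX sh/awk helper that serves this question, the file-deletion post earlier in this list, and the post on auditing modifications and executions of files. It prints the `-w PATH -p PERMS -k KEY` watch rules auditctl accepts (`-p wa` for writes and attribute changes, `-p x` for executions), and shows what `ausearch -k KEY` does underneath by joining each event's SYSCALL record with its PATH record on the audit event id, so a deletion can be attributed to a user and command. The key names and the audit.log records are constructed for the illustration; the syscall numbers in the sample are x86_64.

```shell
#!/bin/sh
# Added example: build auditd watch rules and attribute a deletion to a user
# from raw /var/log/audit/audit.log records.  Keys and records are constructed.

# Print an auditctl watch rule: audit_watch_rule PATH PERMS KEY
#   PERMS "wa" = writes and attribute changes, "x" = executions.
audit_watch_rule() {
    printf '%s %s -p %s -k %s\n' -w "$1" "$2" "$3"
}

# For every event tagged with KEY whose PATH record is a DELETE, print
# "auid=<login uid> uid=<uid> comm=<cmd> exe=<path> file=<deleted path>".
# Reads raw audit records on stdin.  In production use `ausearch -k KEY -i`;
# the awk makes the SYSCALL/PATH join that ausearch performs visible.
who_deleted() {
    awk -v key="$1" '
    function field(name,   m) {            # value of name=... in this record
        if (match($0, "(^| )" name "=\"[^\"]*\"") ||
            match($0, "(^| )" name "=[^ ]+")) {
            m = substr($0, RSTART, RLENGTH)
            sub(/^ ?[^=]*=/, "", m)         # drop leading space and "name="
            gsub(/"/, "", m)                # unquote
            return m
        }
        return ""
    }
    {   # event id: the number after the colon in msg=audit(SECS.MS:ID):
        match($0, /msg=audit\([0-9.]+:[0-9]+\)/)
        id = substr($0, RSTART, RLENGTH)
        sub(/.*:/, "", id); sub(/\)/, "", id)
    }
    /^type=SYSCALL / && field("key") == key {
        who[id] = "auid=" field("auid") " uid=" field("uid")
        who[id] = who[id] " comm=" field("comm") " exe=" field("exe")
    }
    /^type=PATH / && (id in who) && field("nametype") == "DELETE" {
        print who[id] " file=" field("name")
    }'
}

# Constructed sample: rm (unlinkat = 263 on x86_64) removes a file, then a
# second user creates one with touch; only the deletion must be reported.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1529000000.123:4567): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=7ffd1 a2=0 a3=0 items=2 ppid=1234 pid=5678 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="tmpdir-watch"
type=CWD msg=audit(1529000000.123:4567): cwd="/tmp/dir"
type=PATH msg=audit(1529000000.123:4567): item=0 name="/tmp/dir/" inode=100 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1529000000.123:4567): item=1 name="/tmp/dir/important.txt" inode=12345 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1529000001.456:4570): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2 a2=941 a3=1b6 items=2 ppid=1234 pid=5680 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="touch" exe="/usr/bin/touch" key="tmpdir-watch"
type=PATH msg=audit(1529000001.456:4570): item=1 name="/tmp/dir/new.txt" inode=12346 dev=fd:01 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=CREATE'

# Rules for the three scenarios (add them to /etc/audit/rules.d/, then load):
audit_watch_rule /tmp/dir wa tmpdir-watch      # -w /tmp/dir -p wa -k tmpdir-watch
audit_watch_rule /etc/passwd wa passwd-change  # file modification
audit_watch_rule /usr/bin/sudo x sudo-exec     # file execution
printf '%s\n' "$SAMPLE_AUDIT_LOG" | who_deleted tmpdir-watch
```

When attributing, trust `auid` (the login uid) over `uid`: auid is set at login and survives su and sudo, so a file removed as root by someone who escalated still points back to the account that logged in. Rules dropped into /etc/audit/rules.d/ take effect only after `augenrules --load` or an auditd restart, which is the usual reason `auditctl -l` still shows nothing.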
Unable To Remove Files From Directory with Error “Argument list too long”
The problem: When trying to list or interact with a large number of files from the command line, the shell expands the glob into a single argument list, and once that list exceeds the kernel's limit (ARG_MAX) the command cannot even be started:
$ ls -l *.xml | wc -l
bash: /bin/ls: Argument list too long
0
$ rm *.xml
bash: /bin/rm: Argument list too long
or when trying to delete a large number of files using find […]
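As an added example (not the original post's code), a POSIX sh approach that avoids building the oversized argv: let find stream the names instead of the shell expanding the glob. The directory and files are created in a temporary location for the illustration; the pattern is quoted so that find, not the shell, matches it, and `-maxdepth 1` keeps the scope identical to the glob, which does not recurse.

```shell
#!/bin/sh
# Added example: list and delete many files without "Argument list too long".
# The throwaway directory below is created for the demonstration.

# Size limit (bytes) execve() enforces on argv plus environment on this host.
arg_max() {
    getconf ARG_MAX
}

# Count regular files directly in DIR that match the shell-style PATTERN.
# Quoting "$2" stops the shell from expanding it; find does the matching.
count_matching() {
    find "$1" -maxdepth 1 -type f -name "$2" | wc -l | tr -d ' '
}

# Delete the same set of files.  -print0/xargs -0 is safe for names with
# spaces or newlines, and xargs splits the names into argv chunks that fit
# ARG_MAX.  GNU and BSD find also offer -delete, which skips xargs entirely.
remove_matching() {
    find "$1" -maxdepth 1 -type f -name "$2" -print0 | xargs -0 rm -f --
}

# Demonstration on a temporary directory with 300 .xml files plus one in a
# subdirectory, which the glob *.xml would not touch and which we leave alone.
demo_dir=$(mktemp -d)
i=0
while [ "$i" -lt 300 ]; do : > "$demo_dir/file$i.xml"; i=$((i + 1)); done
mkdir "$demo_dir/sub" && : > "$demo_dir/sub/nested.xml"
echo "ARG_MAX on this host: $(arg_max) bytes"
echo "before: $(count_matching "$demo_dir" '*.xml')"   # 300
remove_matching "$demo_dir" '*.xml'
echo "after:  $(count_matching "$demo_dir" '*.xml')"   # 0
rm -rf "$demo_dir"
```

Note the difference in scope: `rm *.xml` only ever touches the current directory, while a bare `find . -name '*.xml' -delete` descends into every subdirectory, so always mirror the glob with `-maxdepth 1` unless recursion is intended.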
How to disable write access to USB devices using “hdparm” tool
The hdparm command: hdparm provides a command-line interface to various kernel interfaces supported by the Linux SATA/PATA/SAS 'libata' subsystem and the older IDE driver subsystem. It also works with most USB drives, since the usb-storage and UAS drivers present them to the kernel as SCSI disks (/dev/sdX), just like SATA drives. The hdparm command is standard on most Linux distributions. You […]