How to log failure to start/stop a service?
I want to track whether a normal user attempted to run a service.
The command for starting/stopping the service is given below:
service filebeat start
I wrote an auditd rule like the one below:
-w /usr/sbin/service -p warx -k service_attempt
Each time I start/stop the service, it is logging the tag (service_attempt), but the audit is not failing. Because of this I am not able to differentiate between a successful attempt and an unsuccessful attempt to start/stop a service.
Tags: linux, audit
migrated from security.stackexchange.com Mar 1 at 13:13
This question came from our site for information security professionals.
It seems like this isn't a security question and belongs more to a StackExchange that covers the administration of Linux servers.
– Serverfrog
Mar 1 at 13:04
asked Mar 1 at 13:00 by Arun Mohan
1 Answer
I am a little confused by your question, as /var/log/auth.log already logs denied service stop/start by users without permission.
If you want to see only the service-related events and only FAILED attempts, you can run:
$ sudo cat /var/log/auth.log | grep service | grep FAILED
Here is sample output for a user basicuser that I just created without sudo, who then tried to run service alsa-state restart. The output tells you all that you may need to know, and I put the important parts (date, session, FAILED, service name, username) in bold.
foot@BOOT:~# cat /var/log/auth.log | grep service | grep FAILED
Mar 1 21:13:24 BOOT polkitd(authority=local): Operator of unix-session:6 FAILED to authenticate to gain authorization for action org.freedesktop.systemd1.manage-units for system-bus-name::1.255 [systemctl start alsa-state.service] (owned by unix-user:basicuser)
The auth.log file will tell you all that you need to know regarding authorization failures, including services and login attempts.
answered Mar 2 at 2:32 by BarBar1234, edited Mar 2 at 2:45
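Why the audit watch in the question cannot show the failure, and what the answer's grep is really matching: a `-w /usr/sbin/service -p x` rule records that the wrapper script was executed, and for an unprivileged user that execve succeeds. The refusal happens afterwards, in polkit when systemctl asks systemd over D-Bus to manage the unit, or in sudo if the user prefixed the command, so the decision lives in auth.log rather than in the audit record (which still tells you who ran it, via auid). The script below is an added example, not code from the question or the answer. It goes beyond the answer's `grep service | grep FAILED` by labelling the successful polkit decision as well and by catching sudo refusals, which sudo logs as "user NOT in sudoers" or "command not allowed" rather than "FAILED". The polkitd line format is taken from the answer, the sudo format is the usual one, and SAMPLE_LOG is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not code from the question or the answer): extract the
# service start/stop authorization decisions from auth.log-style text and
# label each one ALLOWED or DENIED. The message formats are assumed from the
# polkitd line quoted in the answer and the usual sudo denial line;
# SAMPLE_LOG is constructed for this example, not a real capture.

SAMPLE_LOG=$(cat <<'EOF'
Mar  1 21:13:24 BOOT polkitd(authority=local): Operator of unix-session:6 FAILED to authenticate to gain authorization for action org.freedesktop.systemd1.manage-units for system-bus-name::1.255 [systemctl start alsa-state.service] (owned by unix-user:basicuser)
Mar  1 21:14:02 BOOT polkitd(authority=local): Operator of unix-session:7 successfully authenticated as unix-user:root to gain ONE-SHOT authorization for action org.freedesktop.systemd1.manage-units for system-bus-name::1.260 [systemctl stop filebeat.service] (owned by unix-user:admin)
Mar  1 21:15:10 BOOT sudo:  basicuser : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/basicuser ; USER=root ; COMMAND=/usr/sbin/service filebeat start
Mar  1 21:15:30 BOOT sshd[1234]: Failed password for invalid user test from 10.0.0.5 port 5555 ssh2
Mar  1 21:16:00 BOOT polkitd(authority=local): Operator of unix-session:6 FAILED to authenticate to gain authorization for action org.freedesktop.login1.reboot for system-bus-name::1.270 [systemctl reboot] (owned by unix-user:basicuser)
EOF
)

# service_auth_events: read log lines on stdin and print one record per
# service-management authorization decision as
#   <timestamp>|<ALLOWED or DENIED>|<requesting user>|<command>
# Polkit decisions for the systemd "manage-units" action and sudo refusals
# of service/systemctl commands are reported; other lines (ssh logins,
# unrelated polkit actions such as reboot) are dropped.
service_auth_events() {
    awk '
    /polkitd.*org\.freedesktop\.systemd1\.manage-units/ {
        ts = $1 " " $2 " " $3
        outcome = ($0 ~ / FAILED to authenticate /) ? "DENIED" : "ALLOWED"
        # the requested command is the bracketed text
        cmd = $0; sub(/.*\[/, "", cmd); sub(/\].*/, "", cmd)
        # the requesting user follows "owned by unix-user:"
        user = $0; sub(/.*owned by unix-user:/, "", user); sub(/\).*/, "", user)
        print ts "|" outcome "|" user "|" cmd
        next
    }
    / sudo: / && /NOT in sudoers|command not allowed/ && /COMMAND=.*(\/service|systemctl) / {
        ts = $1 " " $2 " " $3
        user = $0; sub(/.* sudo: +/, "", user); sub(/ :.*/, "", user)
        cmd = $0; sub(/.*COMMAND=/, "", cmd)
        print ts "|DENIED|" user "|" cmd
    }'
}

# failed_service_attempts: only the DENIED records, i.e. the unsuccessful
# attempts the question wants to tell apart from successful ones.
failed_service_attempts() {
    service_auth_events | grep '|DENIED|'
}

# count_records: number of non-empty lines on stdin.
count_records() {
    grep -c .
}

# Demonstration on the constructed sample. On a real host read the file
# instead, e.g.  sudo sh -c '. ./this_script; service_auth_events < /var/log/auth.log'
printf '%s\n' "$SAMPLE_LOG" | failed_service_attempts
```

On the sample this prints the two DENIED records (the polkit refusal for basicuser and the sudo refusal of /usr/sbin/service), while the successful stop of filebeat by admin is kept as ALLOWED in the full event list and the ssh and reboot lines are ignored. One caveat when correlating with the audit watch: a root shell running `service` normally produces no polkit entry at all, so an audit record with no matching auth.log decision is the usual signature of a privileged, successful run, and only auth.log can tell an unprivileged refusal apart from it.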