Using audit to log all users commands

Damian Montaldo damianmontaldo at gmail.com
Mon Jan 11 19:10:44 UTC 2010


On Mon, Jan 11, 2010 at 12:51 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> On 01/11/2010 10:42 AM, Damian Montaldo wrote:
>> Hi, this is my first message to this list and I hope that this is the
>> correct place to post it, isn't it? If it is not, please tell me.
>> So, thanks in advance.
>>
>> For auditing purposes, I want to log on a server all the users'
>> commands and all their arguments [0] using audit (and if someone
>> has a better idea, I'm all ears!)
>> I was reading over the internet and Fedora related posts and I found
>> [1] that the best way to log users' commands is to add a filter for
>> the execve system call.
>>
>> I'm trying to add a rule like this in the /etc/audit/audit.rules
>> (avoiding the root commands and crons etc)
>> -a always,entry -S execve -F auid>=500
>>
>> But it doesn't work for me :(
>>
>> I think that I have two "things" or problems.
>>
>> First, the ">=" auid filter doesn't work (and sometimes I have the
>> auid "unset", so anyway it's not working).
>> I fixed this by adding several rules like:
>> -a always,entry -S execve -F auid=1000
>> -a always,entry -S execve -F auid=1001
>> -a always,entry -S execve -F auid=1002
>> -a always,entry -S execve -F auid=1003
>> .. and so on
>>
>> And second, I have a lot of additional context information and I don't want it.
>> If I can have a simple list like: user, command, arguments and (less
>> important) path, that would be great.
>> I did some research and again I found [2] this paragraph:
>>
>> type=SYSCALL ...
>> type=CWD ...
>> type=PATH...
>>
>> The above event, a simple less /var/log/audit/audit.log, wrote three
>> messages to the log. All of them are closely linked together and you
>> would not be able to make sense of one of them without the others.
>> The first message reveals the following information:
>>
>> Confirming that I can't reduce the amount of additional information.
>>
>> Thanks again and excuse me for my English ;)
>> Damian.
>>
>> [0] That's why I can't use sa
>>
>> [1] For example:
>> http://osdir.com/ml/linux.redhat.security.audit/2007-04/msg00043.html
>>
>> [2] It is a complete document about audit made by novell:
>> www.novell.com/documentation/sled10/pdfdoc/audit_sp1/audit_sp1.pdf
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
> I think you want the linux-audit at redhat.com list for this question.

Yes thanks, but I have tried to subscribe to that list 3 times, starting
last Friday...

Subscribing to Linux-audit
Subscribe to Linux-audit by filling out the following form. This is a
closed list, which means your subscription will be held for approval.
You will be notified of the list moderator's decision by email. This
is also a hidden list, which means that the list of members is
available only to the list administrator.

I don't know why a list needs to be "closed and moderated" :(

Thanks again.
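The SYSCALL/EXECVE/CWD/PATH records that auditd writes for one execve share an event id, so the plain "user, command, arguments, path" list asked for above can be produced by joining them after the fact. The following is an added example, not code from the thread or from the audit project: a small Python reducer over constructed audit.log lines that groups records by event id, decodes the hex-encoded arguments auditd emits for values containing spaces, and skips events whose auid is unset or below 500.

```python
import re
from collections import defaultdict

# Constructed sample of audit.log: two execve events, each spread over several
# records sharing one event id (the "timestamp:serial" inside msg=audit(...)).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1263236000.123:4567): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=3001 pid=3005 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="grep" exe="/bin/grep" key="user_cmds"
type=EXECVE msg=audit(1263236000.123:4567): argc=3 a0="grep" a1=6572726F72206C6F67 a2="/var/log/messages"
type=CWD msg=audit(1263236000.123:4567):  cwd="/home/damian"
type=PATH msg=audit(1263236000.123:4567): item=0 name="/bin/grep" inode=1234 dev=08:01 mode=0100755 ouid=0 ogid=0
type=SYSCALL msg=audit(1263236000.456:4568): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=3010 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="run-parts" exe="/bin/run-parts" key="user_cmds"
type=EXECVE msg=audit(1263236000.456:4568): argc=2 a0="run-parts" a1="/etc/cron.hourly"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUID_UNSET = 4294967295  # login uid of daemons and cron jobs ("unset")

def decode_arg(raw):
    """EXECVE argv values are quoted, or bare hex when they hold spaces/odd bytes."""
    if raw.startswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw

def group_records(log_text):
    """Collect every record of an event under its (timestamp, serial) id, by type."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rtype, ts, serial, body = m.groups()
            events[(ts, serial)][rtype].append(dict(FIELD_RE.findall(body)))
    return events

def summarize_execve(log_text, min_auid=500):
    """Reduce each execve event to user, argv, cwd, exe; skip auid unset or < min_auid."""
    rows = []
    for _, recs in sorted(group_records(log_text).items()):
        if 'EXECVE' not in recs or 'SYSCALL' not in recs:
            continue
        sc, ex = recs['SYSCALL'][0], recs['EXECVE'][0]
        auid = int(sc.get('auid', AUID_UNSET))
        if auid == AUID_UNSET or auid < min_auid:  # root, crons, daemons
            continue
        argv = [decode_arg(ex[f'a{i}']) for i in range(int(ex['argc'])) if f'a{i}' in ex]
        cwd = recs['CWD'][0]['cwd'].strip('"') if 'CWD' in recs else ''
        rows.append({'auid': auid, 'argv': argv, 'cwd': cwd, 'exe': sc.get('exe', '').strip('"')})
    return rows
```

Running `summarize_execve(SAMPLE_LOG)` yields one row for the auid 1000 session and drops the cron-driven event with the unset auid.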

