Hi, this is my first message to this list and I hope that this is the correct place to post it, isn't it? If it is not, please tell me. So, thanks in advance.
For auditing purposes, I want to log on a server all the users' commands and all their arguments [0] using audit (and if someone has a better idea, I'm all ears!). I was reading over the internet and Fedora-related posts and I found [1] that the best way to log users' commands is to add a filter for the execve system call.
I'm trying to add a rule like this in /etc/audit/audit.rules (avoiding the root commands and crons etc.):
-a always,entry -S execve -F auid>=500
But it doesn't work for me :(
I think that I have two "things" or problems.
First, the ">=" auid filter doesn't work (and sometimes I have the auid "unset", so anyway it's not working). I fixed this by adding several rules like:
-a always,entry -S execve -F auid=1000
-a always,entry -S execve -F auid=1001
-a always,entry -S execve -F auid=1002
-a always,entry -S execve -F auid=1003
... and so on
And second, I have a lot of additional context information and I don't want it. If I can have a simple list like: user, command, arguments and (less important) path, it's great. I did some research and again I found [2] this paragraph:
type=SYSCALL ... type=CWD ... type=PATH...
The above event, a simple less /var/log/audit/audit.log, wrote three messages to the log. All of them are closely linked together and you would not be able to make sense of one of them without the others. The first message reveals the following information:
Confirming that I can't reduce the amount of additional information.
Thanks again and excuse me for my English ;) Damian.
[0] That's why I can't use sa
[1] For example: http://osdir.com/ml/linux.redhat.security.audit/2007-04/msg00043.html
[2] It is a complete document about audit made by Novell: www.novell.com/documentation/sled10/pdfdoc/audit_sp1/audit_sp1.pdf
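The two problems in the message above (events from processes whose auid is unset, and the SYSCALL/EXECVE/CWD/PATH records being too verbose to read as a command list) can both be handled after the fact by a small reducer over audit.log. The following Python is an added example, not code from the original post or from the audit project. It assumes a rule on the exit list with a key, such as `-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k user_cmd` (adjust the uid threshold to your system's first regular uid; 4294967295 is the unsigned value of the "unset" auid). The log lines are constructed and abbreviated, and the function names (`parse_record`, `summarize`, `format_row`) are the example's own. It also handles one detail the thread does not mention: audit writes arguments that contain spaces or special characters hex-encoded and without quotes, so they have to be decoded before printing.

```python
import re
from collections import defaultdict

# Constructed, abbreviated audit.log records (not from the original post).
# Serial 456: an interactive "ls -l /tmp" by auid 1000.
# Serial 457: a grep whose argument contains a space, which audit writes
#             hex-encoded and unquoted (68656C6C6F20776F726C64 == "hello world").
# Serial 458: a cron job with auid unset (4294967295), which must be skipped.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1263200000.123:456): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="user_cmd"
type=EXECVE msg=audit(1263200000.123:456): argc=3 a0="ls" a1="-l" a2="/tmp"
type=CWD msg=audit(1263200000.123:456):  cwd="/home/damian"
type=PATH msg=audit(1263200000.123:456): item=0 name="/bin/ls" inode=1234 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1263200000.123:456): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5678 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1263200001.500:457): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="grep" exe="/bin/grep" key="user_cmd"
type=EXECVE msg=audit(1263200001.500:457): argc=3 a0="grep" a1=68656C6C6F20776F726C64 a2="notes.txt"
type=CWD msg=audit(1263200001.500:457):  cwd="/home/damian"
type=PATH msg=audit(1263200001.500:457): item=0 name="/bin/grep" inode=1235 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1263200002.000:458): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=900 pid=2003 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts" key="user_cmd"
type=EXECVE msg=audit(1263200002.000:458): argc=2 a0="run-parts" a1="/etc/cron.hourly"
type=CWD msg=audit(1263200002.000:458):  cwd="/"
"""

AUID_UNSET = 4294967295  # (unsigned)-1: no login session, e.g. cron or boot-time daemons

# key=value pairs; a value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg=audit(<timestamp>:<serial>): -- the serial ties the records of one event together
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def unquote(value):
    """Strip the surrounding double quotes audit puts around plain strings."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def decode_value(value):
    """Quoted values are literal; an unquoted hex string is an encoded argument."""
    if value.startswith('"'):
        return unquote(value)
    if HEX_RE.fullmatch(value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_record(line):
    """Return (record type, event serial, raw fields) or None for a non-audit line."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    return fields.get("type"), int(m.group(2)), fields


def summarize(log_text, min_auid=1000):
    """Reduce the records of each execve event to one row: auid, argv, cwd, exe, path."""
    events = defaultdict(dict)  # serial -> {record type: fields}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, serial, fields = rec
        ev = events[serial]
        if rtype == "PATH":
            if unquote(fields.get("item", "")) == "0":  # item 0 is the executed file
                ev["PATH"] = fields
        elif rtype == "EXECVE":
            # Long argument lists are split over several EXECVE records with
            # disjoint aN fields; merging them by serial reassembles the list.
            # (A single argument over the kernel chunk size is further split
            # into a1[0], a1[1], ... and is not reassembled here.)
            ev.setdefault("EXECVE", {}).update(fields)
        else:
            ev[rtype] = fields

    rows = []
    for serial in sorted(events):
        ev = events[serial]
        sc, ex = ev.get("SYSCALL"), ev.get("EXECVE")
        if not sc or not ex:
            continue  # incomplete event (e.g. truncated log)
        auid = int(unquote(sc.get("auid", str(AUID_UNSET))))
        if auid == AUID_UNSET or auid < min_auid:
            continue  # cron/daemons (unset auid) and system accounts
        argc = int(unquote(ex.get("argc", "0")))
        argv = [decode_value(ex.get("a%d" % i, "")) for i in range(argc)]
        rows.append({
            "serial": serial,
            "auid": auid,
            "argv": argv,
            "exe": unquote(sc.get("exe", "")),
            "cwd": decode_value(ev.get("CWD", {}).get("cwd", "")),
            "path": decode_value(ev.get("PATH", {}).get("name", "")),
        })
    return rows


def format_row(row):
    """One line per command: who ran what, from where."""
    return "auid=%d %s (cwd=%s, exe=%s)" % (row["auid"], " ".join(row["argv"]), row["cwd"], row["exe"])


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(format_row(row))
```

Run against a real log as `python3 reduce_execve.py < /var/log/audit/audit.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the same grouping-by-serial is what makes the SYSCALL, CWD and PATH records usable together, which is the point of the Novell paragraph quoted in the message.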
On 01/11/2010 10:42 AM, Damian Montaldo wrote:
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
I think you want the linux-audit@redhat.com list for this question.
On Mon, Jan 11, 2010 at 12:51 PM, Daniel J Walsh dwalsh@redhat.com wrote:
I think you want the linux-audit@redhat.com list for this question.
Yes thanks, but I have tried to subscribe to that list 3 times since last Friday...
Subscribing to Linux-audit Subscribe to Linux-audit by filling out the following form. This is a closed list, which means your subscription will be held for approval. You will be notified of the list moderator's decision by email. This is also a hidden list, which means that the list of members is available only to the list administrator.
I don't know why a list needs to be "closed and moderated" :(
Thanks again.
On Mon, Jan 11, 2010 at 4:42 PM, Damian Montaldo damianmontaldo@gmail.com wrote:
Hi, this is my first message to this list and I hope that this is the correct place to post it, isn't it? If it is not, please tell me.
I think not. There is a dedicated mailing list on the audit subject. BTW, see if this link can help: https://bugzilla.redhat.com/show_bug.cgi?id=483086
hth
Damian,
For auditing purposes, I want to log on a server all the users' commands and all their arguments [0] using audit (and if someone has a better idea, I'm all ears!)
I'm not quite sure this is what you want, but as you are all ears...
TOMOYO Linux (version 1.7) has the capability to collect detailed information including command line arguments and environment variables. The following was obtained on Fedora 12 (with TOMOYO Linux kernel).
Caller Program = /bin/bash
Process Status = pid=1273 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
Requested Program = /bin/ls
argc=4 envc=24
argv[0] = "ls"
argv[1] = "--color=auto"
argv[2] = "-l"
argv[3] = "/"
envp[0] = "HOSTNAME=tomoyo"
envp[1] = "SELINUX_ROLE_REQUESTED="
envp[2] = "TERM=vt100"
envp[3] = "SHELL=/bin/bash"
envp[4] = "HISTSIZE=1000"
envp[5] = "SSH_CLIENT=192.168.99.1\04041807\04022"
envp[6] = "SELINUX_USE_CURRENT_RANGE="
envp[7] = "SSH_TTY=/dev/pts/0"
envp[8] = "USER=root"
envp[9] = "LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:"
envp[10] = "MAIL=/var/spool/mail/root"
envp[11] = "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"
envp[12] = "PWD=/root"
envp[13] = "LANG=en_US.UTF-8"
envp[14] = "SELINUX_LEVEL_REQUESTED="
envp[15] = "SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass"
envp[16] = "HISTCONTROL=ignoreboth"
envp[17] = "SHLVL=1"
envp[18] = "HOME=/root"
envp[19] = "LOGNAME=root"
envp[20] = "SSH_CONNECTION=192.168.99.1\04041807\040192.168.99.136\04022"
envp[21] = "LESSOPEN=|/usr/bin/lesspipe.sh\040%s"
envp[22] = "G_BROKEN_FILENAMES=1"
envp[23] = "_=/bin/ls"
If these are too much for your needs, you can pick up the fields you need, of course.
For detailed information, please refer to the following page. http://tomoyo.sourceforge.jp/1.7/ssh-recording-cmdline.html.en
Best regards, Toshiharu Harada haradats@gmail.com