Using audit to log all users commands

Daniel J Walsh dwalsh at redhat.com
Mon Jan 11 15:51:22 UTC 2010 

On 01/11/2010 10:42 AM, Damian Montaldo wrote:
> Hi, this is my first message to this list and I hope that this is the
> correct place to post it, don't? If is not, please tell me.
> So, thanks in advantage.
> 
> For auditing purposes, I want to log in a server all the users
> commands and all their arguments [0] using audit (and if is someone
> have a better idea, I'm all ears!)
> I was reading over the internet and Fedora related posts and I found
> [1] that the better way to log users commands, is to add a filter for
> the execve system call.
> 
> I'm trying to add a rule like this in the /etc/audit/audit.rules
> (avoiding the root commands and crons etc)
> -a always,entry -S execve -F auid>=500
> 
> But it doesn't work for me :(
> 
> I think that I have two "things" or problems.
> 
> First it doesn't work the ">=" auid filter (and sometimes I have the
> auid "unset" so anyway it's not working)
> I fixed this adding several rules like:
> -a always,entry -S execve -F auid=1000
> -a always,entry -S execve -F auid=1001
> -a always,entry -S execve -F auid=1002
> -a always,entry -S execve -F auid=1003
> .. and so on
> 
> And second, I have a lot of additional context information and I don't want It.
> If I can have a simple list like: user command arguments and (less
> important) path it's great.
> I do some research and again I found [2] this paragraph:
> 
> type=SYSCALL ...
> type=CWD ...
> type=PATH...
> 
> The above event, a simple less /var/log/audit/audit.log, wrote three
> messages to the log. All of them are closely linked together and you
> would not be able
> to make sense of one of them without the others. The first message
> reveals the following
> information:
> 
> Confirming that I can't reduce de amount of additional information.
> 
> Thanks again and excuse me for my English ;)
> Damian.
> 
> [0] That's way I can't use sa
> 
> [1] For example:
> http://osdir.com/ml/linux.redhat.security.audit/2007-04/msg00043.html
> 
> [2] It is a complete document about audit made by novell:
> www.novell.com/documentation/sled10/pdfdoc/audit_sp1/audit_sp1.pdf
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 
I think you want the linux-audit at redhat.com list for this question.

More information about the selinux mailing list