Using audit to log all users commands

Toshiharu Harada haradats at gmail.com
Tue Jan 12 05:05:59 UTC 2010


Damian,

> For auditing purposes, I want to log in a server all the users
> commands and all their arguments [0] using audit (and if is someone
> have a better idea, I'm all ears!)

I'm not quite sure this is what you want, but as you are all ears...

TOMOYO Linux (version 1.7) has the capability to collect detailed information
including command line arguments and environment variables.
The following was obtained on Fedora 12 (with TOMOYO Linux kernel).

Caller Program = /bin/bash
Process Status = pid=1273 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0
fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
Requested Program = /bin/ls
argc=4
envc=24
argv[0] = "ls"
argv[1] = "--color=auto"
argv[2] = "-l"
argv[3] = "/"
envp[0] = "HOSTNAME=tomoyo"
envp[1] = "SELINUX_ROLE_REQUESTED="
envp[2] = "TERM=vt100"
envp[3] = "SHELL=/bin/bash"
envp[4] = "HISTSIZE=1000"
envp[5] = "SSH_CLIENT=192.168.99.1\04041807\04022"
envp[6] = "SELINUX_USE_CURRENT_RANGE="
envp[7] = "SSH_TTY=/dev/pts/0"
envp[8] = "USER=root"
envp[9] = "LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:
*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:"
envp[10] = "MAIL=/var/spool/mail/root"
envp[11] = "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"
envp[12] = "PWD=/root"
envp[13] = "LANG=en_US.UTF-8"
envp[14] = "SELINUX_LEVEL_REQUESTED="
envp[15] = "SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass"
envp[16] = "HISTCONTROL=ignoreboth"
envp[17] = "SHLVL=1"
envp[18] = "HOME=/root"
envp[19] = "LOGNAME=root"
envp[20] = "SSH_CONNECTION=192.168.99.1\04041807\040192.168.99.136\04022"
envp[21] = "LESSOPEN=|/usr/bin/lesspipe.sh\040%s"
envp[22] = "G_BROKEN_FILENAMES=1"
envp[23] = "_=/bin/ls"

If these are too much for your needs, you can pick up the fields you
need, of course.

For detailed information, please refer to the following page.
http://tomoyo.sourceforge.jp/1.7/ssh-recording-cmdline.html.en

Best regards,
Toshiharu Harada
haradats at gmail.com
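The record quoted above shows everything TOMOYO captures for one execve, and the reply points out that you can keep only the fields you need. The parser below is an added example, not code from the message or from the TOMOYO project: it reads a record in that format, decodes the \040-style octal escapes (a space in SSH_CLIENT), keeps argv plus a chosen subset of the environment, checks argc against the argv lines actually present, and reduces the result to one line per exec. The regexes, the keep_env selection and the trimmed sample record are my assumptions.

```python
import re
import shlex
# Constructed sample in the format quoted in the message (trimmed to 3 env vars).
SAMPLE_LOG = r'''Caller Program = /bin/bash
Process Status = pid=1273 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0
fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
Requested Program = /bin/ls
argc=4
argv[0] = "ls"
argv[1] = "--color=auto"
argv[2] = "-l"
argv[3] = "/"
envp[0] = "SSH_CLIENT=192.168.99.1\04041807\04022"
envp[1] = "USER=root"
envp[2] = "_=/bin/ls"
'''

_HEADER = re.compile(r'^(Caller Program|Requested Program) = (.+)$')
_ARRAY = re.compile(r'^(argv|envp)\[(\d+)\] = "(.*)"$')
_PAIRS = re.compile(r'([\w\[\]]+)=(\d+)')  # pid=1273, state[0]=0, argc=4, ...
_PAIRS_LINE = re.compile(r'^(?:Process Status = )?(?:[\w\[\]]+=\d+\s*)+$')

def unescape(s):
    # Decode TOMOYO's backslash-octal escapes, e.g. \040 for a space.
    return re.sub(r'\\([0-7]{3})', lambda m: chr(int(m[1], 8)), s)

def parse_exec_record(text, keep_env=("USER", "SSH_CLIENT", "PWD")):
    """Return caller, program, numeric status fields, argv and only the env vars in keep_env."""
    rec = {"argv": [], "env": {}, "status": {}}
    for line in text.splitlines():
        if m := _HEADER.match(line):
            rec["caller" if m[1] == "Caller Program" else "program"] = m[2]
        elif m := _ARRAY.match(line):
            value = unescape(m[3])
            if m[1] == "argv":
                rec["argv"].append(value)
            else:  # keep only the environment variables the audit needs
                name, _, val = value.partition("=")
                if name in keep_env:
                    rec["env"][name] = val
        elif _PAIRS_LINE.match(line):  # Process Status, its wrapped tail, argc/envc
            rec["status"].update((k, int(v)) for k, v in _PAIRS.findall(line))
    if rec["status"].get("argc") != len(rec["argv"]):
        raise ValueError("truncated record: argc does not match the argv entries")
    return rec

def summarize(rec):
    # One line per exec, in the shape you would forward to a log collector.
    s = rec["status"]
    return (f"uid={s['uid']} pid={s['pid']} {rec['caller']} -> {rec['program']}: "
            f"{shlex.join(rec['argv'])} [SSH_CLIENT={rec['env'].get('SSH_CLIENT', '-')}]")
```

`summarize(parse_exec_record(SAMPLE_LOG))` yields one line naming uid, pid, caller, requested program, the full command line and the SSH client; a record cut off before its last argv line raises ValueError instead of being logged as a shorter command.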
