From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Logging from where user connected?
Date: Mon, 20 Jun 2016 11:32:57 -0400
Message-ID: <1549599.MSXfpVDkY1@x2>
In-Reply-To: <01baeee4-2b49-2dbe-0c6d-895783271173@everyware.ch>
On Monday, June 20, 2016 03:54:02 PM Skwar Alexander wrote:
> On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with auditd 2.3.2
> and v2.4.5), we'd like to log all the commands that root has run, or
> that were run as root.
>
> For that, I added the following rules:
>
> # Log all commands run as (or by) root
> -a exit,always -F arch=b64 -F euid=0 -S execve -k exec_root
> -a exit,always -F arch=b32 -F euid=0 -S execve -k exec_root
That will also get daemon child processes. Normally you would want to separate
routine system activity from user initiated activity.
> When I now do an "ausearch -k exec_root -i", I get:
>
> …
<snip>
> Now I'd like to know, from where that user connected. That user is
> on tty=pts1, so do I have to use last?
Nope. This was thought about long ago.
> local@app01-test ~ % last pts/1
> local pts/1 10.8.0.1 Mon Jun 20 13:26 still logged in
> …
>
> That's fine, as long as /var/log/wtmp* exists. But is there maybe a
> way to get that information right away, without having to consult a
> different logfile (e.g. /var/log/wtmp)?
This has long been considered a user-space post-processing issue. When someone
logs in, a series of events occur. You can find the description here:
https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Login-Lifecycle-Events
Near the beginning you get USER_AUTH, which is recorded by PAM and has the
IP address, or the terminal if it was a console.
There is a program, aulast, which tracks the sessions. It does show the origin
of the user session. Also, if you give it the --proof command-line option, it
will give you the ausearch command to examine the whole session.
> Additionally, if I'd like auditd to do remote logging (i.e. send
> logs off the system), I'd have to use audispd, wouldn't I?
Yes.
> How would I then get hold of the right wtmp file?
You don't need it.
-Steve
> I've got the feeling that this might become quite complicated if numerous
> servers would do remote logging to one central system...
>
> Would be quite thankful if somebody could help :)
>
> Thanks a lot,
> Alexander
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
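The post-processing Steve describes above, as an added example that is not part of the original thread or of the audit-userspace project: join each execve event caught by the exec_root rule to the login lifecycle of its session by the ses= field, which is the same session-keyed join aulast performs, so the origin address is available without consulting wtmp. The log records below are constructed for this example and are modelled on the raw audit.log layout (USER_AUTH, LOGIN, USER_START, SYSCALL and EXECVE); field names such as ses=, auid=, addr=, hostname=, terminal= and acct= are taken from the login-lifecycle spec Steve links, and the rule key exec_root is the one from the question. The second SYSCALL record is a cron-style daemon child with auid and ses unset, which illustrates Steve's point that the euid=0 rule as written also catches routine system activity.

```python
import re

# Constructed sample audit.log records (not from the original post), modelled on the
# real record layout: a PAM/sshd login lifecycle that creates ses=7 for "local" from
# 10.8.0.1, one execve by that user under euid=0, and one execve from a cron-style
# daemon child that has no login session (auid/ses unset).
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1466428000.123:100): pid=1234 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="local" exe="/usr/sbin/sshd" hostname=10.8.0.1 addr=10.8.0.1 terminal=ssh res=success'
type=LOGIN msg=audit(1466428000.200:101): pid=1234 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=7 res=1
type=USER_START msg=audit(1466428000.300:102): pid=1234 uid=0 auid=1000 ses=7 msg='op=PAM:session_open grantors=pam_unix acct="local" exe="/usr/sbin/sshd" hostname=10.8.0.1 addr=10.8.0.1 terminal=ssh res=success'
type=SYSCALL msg=audit(1466428100.500:200): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm="cat" exe="/bin/cat" key="exec_root"
type=EXECVE msg=audit(1466428100.500:200): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1466428160.000:300): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=900 pid=901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" key="exec_root"
type=EXECVE msg=audit(1466428160.000:300): argc=2 a0="run-parts" a1="/etc/cron.hourly"
"""

UNSET = "4294967295"  # (unsigned)-1: auid/ses "unset", i.e. not tied to any login session

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r"""(?P<k>[\w-]+)=(?P<v>'[^']*'|"[^"]*"|\S+)""")


def parse_fields(text):
    """Parse a key=value list; PAM records nest a second list inside msg='...'."""
    fields = {}
    for m in FIELD_RE.finditer(text):
        k, v = m.group("k"), m.group("v")
        if v.startswith("'") and v.endswith("'"):
            fields.update(parse_fields(v[1:-1]))
        else:
            fields[k] = v.strip('"')
    return fields


def parse_record(line):
    """Turn one raw audit.log line into a dict; returns None for lines that are not records."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    # (timestamp, serial) is the event id shared by all records of one event
    rec = {"type": m.group("type"), "event": (m.group("ts"), m.group("serial"))}
    rec.update(parse_fields(m.group("body")))
    return rec


def build_sessions(records):
    """Map ses -> origin. USER_START/USER_LOGIN are emitted after LOGIN has assigned
    the session id, so they carry both ses= and the PAM remote host (addr=/hostname=)."""
    sessions = {}
    for r in records:
        if r["type"] in ("USER_START", "USER_LOGIN") and r.get("ses", UNSET) != UNSET:
            sessions.setdefault(r["ses"], {k: r.get(k) for k in ("acct", "addr", "hostname", "terminal")})
    return sessions


def execs_with_origin(log_text, key="exec_root"):
    """For every SYSCALL record carrying `key`, attach argv from its EXECVE record
    (same event id) and the login origin of its session (same ses=)."""
    records = [r for r in map(parse_record, log_text.splitlines()) if r]
    sessions = build_sessions(records)
    argv_by_event = {}
    for r in records:
        if r["type"] == "EXECVE":
            argv_by_event[r["event"]] = [r.get("a%d" % i, "") for i in range(int(r["argc"]))]
    results = []
    for r in records:
        if r["type"] != "SYSCALL" or r.get("key") != key:
            continue
        results.append({
            "event": r["event"],
            "pid": r.get("pid"),
            "auid": r.get("auid"),
            "ses": r.get("ses"),
            "exe": r.get("exe"),
            "argv": argv_by_event.get(r["event"], []),
            # auid unset means no login session: a daemon or one of its children
            "user_initiated": r.get("auid", UNSET) != UNSET,
            "origin": sessions.get(r.get("ses")),
        })
    return results


if __name__ == "__main__":
    for e in execs_with_origin(SAMPLE_LOG):
        where = "%(addr)s via %(terminal)s as %(acct)s" % e["origin"] if e["origin"] else "no login session (daemon?)"
        print("pid=%s auid=%s ses=%s %s  <- %s" % (e["pid"], e["auid"], e["ses"], " ".join(e["argv"]), where))
```

Run it on real data with `ausearch -k exec_root --raw` plus the login-lifecycle records (`ausearch -m USER_START,LOGIN --raw`) fed into `execs_with_origin`. The second result has no origin because auid and ses are unset; that is the daemon case Steve mentions. The conventional way to keep such records out of the rule itself is to add `-F auid>=1000 -F auid!=4294967295` (newer auditctl accepts `auid!=unset`) to the execve rules from the question, so only commands executed within a real login session are keyed exec_root.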
Thread overview: 4+ messages
2016-06-20 13:54 Logging from where user connected? Skwar Alexander
2016-06-20 15:32 ` Steve Grubb [this message]
2016-06-22 6:21 ` Skwar Alexander
2016-06-22 15:02 ` Steve Grubb