public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: Skwar Alexander <alexander.skwar@everyware.ch>
Cc: linux-audit@redhat.com
Subject: Re: Logging from where user connected?
Date: Wed, 22 Jun 2016 11:02:59 -0400
Message-ID: <1520894.9NWeKXlUi2@x2>
In-Reply-To: <6f12c6f4-6355-fe04-c8a8-0b9df995cc8c@everyware.ch>

On Wednesday, June 22, 2016 08:21:27 AM Skwar Alexander wrote:
> Hello Steve and all :)
> 
> On 20.06.2016 at 17:32, Steve Grubb wrote:
>  > On Monday, June 20, 2016 03:54:02 PM Skwar Alexander wrote:
>  >> On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with auditd 2.3.2
>  >> and v2.4.5), we'd like to log all the commands that root has run, or
>  >> that were run as root.
>  >> 
>  >> For that, I added the following rules:
>  >> 
>  >> # Log all commands run as (or by) root
>  >> -a exit,always -F arch=b64 -F euid=0 -S execve -k exec_root
>  >> -a exit,always -F arch=b32 -F euid=0 -S execve -k exec_root
>  > 
>  > That will also get daemon child processes. Normally you would want to
>  > separate routine system activity from user initiated activity.
> 
> Yeah, by now, I figured as much :) It's really logging quite a lot.
> These two rules can be found in a lot of places, e.g. here
> http://serverfault.com/questions/470755/log-all-commands-run-by-admins-on-production-servers
> and there
> http://linux-audit.com/pci-dss-logging-of-administrative-actions-with-root-privileges/
> 
> What would be a better configuration? I now have changed it to:
> 
> # Log all commands run AS root
> -a exit,always -F arch=b64 -F euid=0 -F auid!=0 -S execve -k exec_as_root
> -a exit,always -F arch=b32 -F euid=0 -F auid!=0 -S execve -k exec_as_root

-a exit,always -F arch=b64 -F euid=0 -F auid>1000 -F auid!=unset -S execve -k exec_as_root
-a exit,always -F arch=b32 -F euid=0 -F auid>1000 -F auid!=unset -S execve -k exec_as_root

That is assuming that users start at 1000. You are still going to get a lot
because you might run a shell script which runs hundreds more shell scripts
and commands.

What some people decide on is to use the keystroke logging so that they can
see just the high level commands.

-Steve
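
As an added example (not code from this thread, from auditd or from the audit project), a small Python triage script over a constructed audit.log excerpt: it joins SYSCALL and EXECVE records by audit serial, applies the same euid/auid terms as the rule above, and then drops commands whose parent is itself an audited exec in the same session, which is one way to get the "high level" view mentioned above from the exec events alone. The log lines, pids, session numbers and uids are constructed for the example.

```python
import re

# Constructed sample audit.log excerpt (not from the thread). Serials 4321-4323 are one
# interactive root session (auid=1001, ses=7) in which backup.sh spawns tar; serial 4324 is
# a daemon child with no login uid, which only the thread's older exec_root rule would catch.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1466607780.123:4321): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=3011 pid=3020 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="cat" exe="/bin/cat" key="exec_as_root"
type=EXECVE msg=audit(1466607780.123:4321): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1466607781.456:4322): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=3011 pid=3025 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="backup.sh" exe="/bin/bash" key="exec_as_root"
type=EXECVE msg=audit(1466607781.456:4322): argc=1 a0="/usr/local/bin/backup.sh"
type=SYSCALL msg=audit(1466607781.789:4323): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=3025 pid=3026 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="tar" exe="/bin/tar" key="exec_as_root"
type=EXECVE msg=audit(1466607781.789:4323): argc=4 a0="tar" a1="czf" a2=2F746D702F6120622E74677A a3="/home"
type=SYSCALL msg=audit(1466607790.000:4324): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=900 pid=4100 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="exec_root"
type=EXECVE msg=audit(1466607790.000:4324): argc=1 a0="/usr/sbin/logrotate"
"""
UNSET_AUID = 4294967295  # the kernel's "unset" login uid, (u32)-1
MSG_ID = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_arg(raw):
    """EXECVE args are quoted when printable; otherwise the kernel emits them hex-encoded."""
    return raw[1:-1] if raw.startswith('"') else bytes.fromhex(raw).decode("utf-8", "replace")

def parse_events(log_text):
    """Join the SYSCALL and EXECVE records that share an audit serial into one event."""
    events = {}
    for line in log_text.splitlines():
        m = MSG_ID.search(line)
        if not m:
            continue
        f = dict(FIELD.findall(line))
        ev = events.setdefault(int(m.group(2)), {"serial": int(m.group(2))})
        if f["type"] == "SYSCALL":
            ev.update(auid=int(f["auid"]), euid=int(f["euid"]), ses=f["ses"], pid=int(f["pid"]),
                      ppid=int(f["ppid"]), key=f.get("key", "").strip('"'))
        elif f["type"] == "EXECVE":
            ev["argv"] = [decode_arg(f["a%d" % i]) for i in range(int(f["argc"]))]
    return [events[s] for s in sorted(events)]

def matches_rule(ev, min_auid=1000):
    """The thread's filter terms: euid=0, auid>1000 (strict, so auid 1000 itself is not
    matched) and auid!=unset; the execve syscall is implied by the EXECVE record."""
    auid = ev.get("auid", UNSET_AUID)
    return ev.get("euid") == 0 and auid != UNSET_AUID and auid > min_auid and "argv" in ev

def top_level_commands(events):
    """Drop execs whose parent is itself an audited exec in the same session (typed commands, not what their scripts spawn)."""
    kept = [ev for ev in events if matches_rule(ev)]
    parents = {(ev["ses"], ev["pid"]) for ev in kept}
    return [ev for ev in kept if (ev["ses"], ev["ppid"]) not in parents]
```

Running `top_level_commands(parse_events(SAMPLE_LOG))` on the sample keeps serials 4321 and 4322 only: tar is dropped because its parent is the audited backup.sh exec, and logrotate never matches because its auid is unset.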
