From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Logging from where user connected?
Date: Wed, 22 Jun 2016 11:02:59 -0400
Message-ID: <1520894.9NWeKXlUi2@x2>
References: <01baeee4-2b49-2dbe-0c6d-895783271173@everyware.ch> <1549599.MSXfpVDkY1@x2> <6f12c6f4-6355-fe04-c8a8-0b9df995cc8c@everyware.ch>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <6f12c6f4-6355-fe04-c8a8-0b9df995cc8c@everyware.ch>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Skwar Alexander
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, June 22, 2016 08:21:27 AM Skwar Alexander wrote:
> Hello Steve and all :)
>
> On 20.06.2016 at 17:32, Steve Grubb wrote:
> > On Monday, June 20, 2016 03:54:02 PM Skwar Alexander wrote:
> >> On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with auditd 2.3.2
> >> and v2.4.5), we'd like to log all the commands that root has run, or
> >> that were run as root.
> >>
> >> For that, I added the following rules:
> >>
> >> # Log all commands run as (or by) root
> >> -a exit,always -F arch=b64 -F euid=0 -S execve -k exec_root
> >> -a exit,always -F arch=b32 -F euid=0 -S execve -k exec_root
> >
> > That will also get daemon child processes. Normally you would want to
> > separate routine system activity from user initiated activity.
>
> Yeah, by now, I figured as much :) It's really logging quite a lot.
> These two rules can be found in a lot of places, e.g. here
> http://serverfault.com/questions/470755/log-all-commands-run-by-admins-on-production-servers
> and there
> http://linux-audit.com/pci-dss-logging-of-administrative-actions-with-root-privileges/
>
> What would be a better configuration?
> I now have changed it to:
>
> # Log all commands run AS root
> -a exit,always -F arch=b64 -F euid=0 -F auid!=0 -S execve -k exec_as_root
> -a exit,always -F arch=b32 -F euid=0 -F auid!=0 -S execve -k exec_as_root

-a exit,always -F arch=b64 -F euid=0 -F auid>1000 -F auid!=unset -S execve -k exec_as_root
-a exit,always -F arch=b32 -F euid=0 -F auid>1000 -F auid!=unset -S execve -k exec_as_root

That is assuming that users start at 1000. You are still going to get a lot
because you might run a shell script which runs hundreds more shell scripts
and commands. What some people decide on is to use keystroke logging so that
they can see just the high level commands.

-Steve
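Editor's added example (not part of the thread, and not code from the audit project): the three rule variants discussed above, replayed in Python against constructed SYSCALL records so the difference is visible. The records, comm names and timestamps are made up for the example; the field layout, the arch values (c000003e for x86_64, 40000003 for i386) and the execve syscall numbers (59 and 11) are what the audit subsystem actually emits. Two things worth seeing: `auid!=0` on its own still keeps daemon children, because an unset auid is 4294967295 (2^32-1), not 0, and `auid>1000` as written excludes uid 1000, the first regular user Ubuntu creates, so `auid>=1000` is the usual form if that account is an admin.

```python
"""Replay the rule variants from the thread against constructed audit records.

Each filter is evaluated the way auditctl's -F terms are, so the output shows
which execve events each variant would log. The records below are constructed
for this example, not real logs from the poster's servers.
"""
import re

AUID_UNSET = 4294967295            # 2**32 - 1: auid of processes never touched by pam_loginuid
EXECVE_BY_ARCH = {"c000003e": 59,  # x86_64 (auditctl -F arch=b64)
                  "40000003": 11}  # i386   (auditctl -F arch=b32)

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syscall_record(line):
    """Split one audit log line into a dict of its key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def is_execve(rec):
    """-S execve on the given arch: the syscall number differs between b64 and b32."""
    if rec.get("type") != "SYSCALL":
        return False
    return EXECVE_BY_ARCH.get(rec.get("arch")) == int(rec.get("syscall", "-1"))


# Original rule: -a exit,always -F arch=b64 -F euid=0 -S execve
def rule_euid_root(rec):
    return is_execve(rec) and int(rec["euid"]) == 0


# Poster's second attempt adds -F auid!=0
def rule_auid_not_root(rec):
    return rule_euid_root(rec) and int(rec["auid"]) != 0


# Steve's suggestion adds -F auid>1000 -F auid!=unset
def rule_user_session(rec):
    auid = int(rec["auid"])
    return rule_euid_root(rec) and auid > 1000 and auid != AUID_UNSET


RULES = {
    "euid=0": rule_euid_root,
    "euid=0 auid!=0": rule_auid_not_root,
    "euid=0 auid>1000 auid!=unset": rule_user_session,
}

# Constructed records. tty=(none) and ses=4294967295 accompany an unset auid (daemon children).
SAMPLE_RECORDS = [
    # root logged in directly on a console
    'type=SYSCALL msg=audit(1466604179.101:101): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="id" exe="/usr/bin/id" key="exec_root"',
    # first regular user (uid 1000) running a command via sudo
    'type=SYSCALL msg=audit(1466604179.102:102): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="apt-get" exe="/usr/bin/apt-get" key="exec_root"',
    # another admin (uid 1001) via sudo
    'type=SYSCALL msg=audit(1466604179.103:103): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2201 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="vim" exe="/usr/bin/vim" key="exec_root"',
    # cron-spawned child: no login session, so auid was never set
    'type=SYSCALL msg=audit(1466604179.104:104): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" key="exec_root"',
    # uid 1001 running something as themselves: euid is not 0, so no variant logs it
    'type=SYSCALL msg=audit(1466604179.105:105): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2202 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=3 comm="ls" exe="/bin/ls"',
    # 32-bit binary run as root by uid 1001: i386 arch, where execve is syscall 11
    'type=SYSCALL msg=audit(1466604179.106:106): arch=40000003 syscall=11 success=yes exit=0 ppid=2200 pid=2203 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="cat" exe="/bin/cat" key="exec_root"',
]


def match_rules(lines):
    """Return {rule label: [comm of every record that rule would have logged]}."""
    out = {name: [] for name in RULES}
    for line in lines:
        rec = parse_syscall_record(line)
        for name, pred in RULES.items():
            if pred(rec):
                out[name].append(rec["comm"])
    return out


if __name__ == "__main__":
    for name, hits in match_rules(SAMPLE_RECORDS).items():
        print(f"{name:30s} -> {hits}")
```

Running it shows the first rule keeping all five euid=0 records including the cron child, the `auid!=0` variant dropping only the console-root record while still keeping the cron child, and the `auid>1000 auid!=unset` variant keeping just the two sudo records from uid 1001 (the uid 1000 sudo is lost to the strict `>`). The same predicates can be pointed at a real `/var/log/audit/audit.log` to preview a rule change before loading it with auditctl.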