From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Logging from where user connected?
Date: Mon, 20 Jun 2016 11:32:57 -0400
Message-ID: <1549599.MSXfpVDkY1@x2>
In-Reply-To: <01baeee4-2b49-2dbe-0c6d-895783271173@everyware.ch>
On Monday, June 20, 2016 03:54:02 PM Skwar Alexander wrote:
> On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with auditd 2.3.2
> and v2.4.5), we'd like to log all the commands that root has run, or
> that were run as root.
>
> For that, I added the following rules:
>
> # Log all commands run as (or by) root
> -a exit,always -F arch=b64 -F euid=0 -S execve -k exec_root
> -a exit,always -F arch=b32 -F euid=0 -S execve -k exec_root
That will also get daemon child processes. Normally you would want to separate
routine system activity from user initiated activity.
> When I now do an "ausearch -k exec_root -i", I get:
>
> …
<snip>
> Now I'd like to know, from where that user connected. That user is
> on tty=pts1, so do I have to use last?
Nope. This was thought about long ago.
> local@app01-test ~ % last pts/1
> local pts/1 10.8.0.1 Mon Jun 20 13:26 still logged in
> …
>
> That's fine, as long as /var/log/wtmp* exists. But is there maybe a
> way to get that information right away, without having to consult a
> different logfile (eg. /var/log/wtmp)?
This has been long considered a user space post processing issue. When someone
logs in, a series of events occur. You can find the description here:
https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Login-Lifecycle-Events
Near the beginning you get USER_AUTH which is recorded by pam and it has the
IP address or terminal if it were a console.
There is a program, aulast, which tracks the sessions. It does show the origin
of the user session. Also, if you give it the --proof command-line option, it
will give you the ausearch command to examine the whole session.
> Additionally, if I'd like auditd to do remote logging (i.e. send
> logs off of the system), I'd have to use audispd, wouldn't I?
Yes.
> How would I then get hold of the right wtmp file?
You don't need it.
-Steve
> I've got the feeling that this might become quite complicated if numerous
> servers would do remote logging to one central system...
>
> Would be quite thankful, if somebody could help :)
>
> Thanks a lot,
> Alexander
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
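The user-space post-processing Steve describes above, as an added example that is not part of the original thread and not the aulast code: it joins each execve SYSCALL record carrying the exec_root key to the USER_LOGIN record of the same session id (ses=), which is where the origin address and terminal live, and separates records with no login session behind them (auid and ses unset, i.e. daemon children such as cron jobs) from user-initiated activity. The audit records are constructed for the example in the raw ausearch layout; field names follow the login lifecycle spec linked above, and the exact fields your sshd and PAM emit should be checked against a real log.

```python
import re
from typing import Dict, List

# Kernel value of an unset loginuid / session id ((unsigned)-1).
UNSET = 4294967295

# key=value pairs; a value is bare, "double quoted" or 'single quoted'.
_KV = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_record(line: str) -> Dict[str, str]:
    """Flatten one raw audit record into a dict. For user-space records
    (USER_AUTH, USER_LOGIN, ...) the nested msg='...' payload, which holds
    addr= and terminal=, is merged into the same dict."""
    fields: Dict[str, str] = {}
    for key, val in _KV.findall(line):
        if key == "msg" and val.startswith("'"):
            for k, v in _KV.findall(val[1:-1]):
                fields[k] = v.strip('"')
        else:
            fields[key] = val.strip('"')
    return fields


def build_sessions(records: List[Dict[str, str]]) -> Dict[int, Dict]:
    """Map session id -> login origin. USER_LOGIN is used rather than USER_AUTH
    because at authentication time the session id is still unset, so USER_AUTH
    cannot be joined on ses=."""
    sessions: Dict[int, Dict] = {}
    for r in records:
        if r.get("type") == "USER_LOGIN" and r.get("res") == "success":
            ses = int(r["ses"])
            if ses != UNSET:
                sessions[ses] = {
                    "auid": int(r["auid"]),
                    "addr": r.get("addr", "?"),
                    "terminal": r.get("terminal", "?"),
                }
    return sessions


def attribute_execs(records: List[Dict[str, str]], sessions: Dict[int, Dict],
                    key: str = "exec_root") -> List[Dict]:
    """Classify each keyed execve record as 'system' (no login session: daemon
    or daemon child), 'user' (joined to a login) or 'unknown' (session id set
    but no USER_LOGIN seen, e.g. the login predates the log window)."""
    result = []
    for r in records:
        if r.get("type") != "SYSCALL" or r.get("key") != key:
            continue
        auid, ses = int(r["auid"]), int(r["ses"])
        entry = {"exe": r["exe"], "auid": auid, "ses": ses,
                 "origin": "unknown", "addr": None, "terminal": None}
        if auid == UNSET or ses == UNSET:
            entry["origin"] = "system"
        elif ses in sessions:
            entry.update(origin="user", addr=sessions[ses]["addr"],
                         terminal=sessions[ses]["terminal"])
        result.append(entry)
    return result


# Constructed sample log: an ssh login (ses=7), a console login (ses=8),
# a sudo'd command from each, and a cron child with no login session.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1466428000.101:501): pid=2000 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="local" exe="/usr/sbin/sshd" hostname=10.8.0.1 addr=10.8.0.1 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1466428000.420:505): pid=2000 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.8.0.1 addr=10.8.0.1 terminal=/dev/pts/1 res=success'
type=USER_LOGIN msg=audit(1466428010.300:520): pid=2050 uid=0 auid=1001 ses=8 msg='op=login id=1001 exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=SYSCALL msg=audit(1466428100.700:600): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0a1e2f0 a1=55d0c0a1f3a0 a2=55d0c0a1c9b0 a3=0 items=2 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm="id" exe="/usr/bin/id" key="exec_root"
type=SYSCALL msg=audit(1466428160.010:640): arch=c000003e syscall=59 success=yes exit=0 a0=5588e1a2b3c0 a1=5588e1a2c4d0 a2=5588e1a2a9e0 a3=0 items=2 ppid=900 pid=2200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" key="exec_root"
type=SYSCALL msg=audit(1466428200.550:690): arch=c000003e syscall=59 success=yes exit=0 a0=5599f0b1c2d0 a1=5599f0b1d3e0 a2=5599f0b1b8f0 a3=0 items=2 ppid=2300 pid=2301 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=8 comm="apt-get" exe="/usr/bin/apt-get" key="exec_root"
"""


def analyse(log_text: str = SAMPLE_LOG) -> List[Dict]:
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    return attribute_execs(records, build_sessions(records))


if __name__ == "__main__":
    for e in analyse():
        print(e)
```

Because the join key is the kernel session id, the same correlation works on a central collector fed by audisp-remote, as long as the USER_LOGIN records of each host are shipped along with the SYSCALL records; no wtmp is needed. The system-versus-user split that this script does after the fact can also be made in the rule itself with the usual auditctl filters `-F auid>=1000 -F auid!=4294967295`, which drops daemon-originated execve records before they are logged.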