public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: auditing activity where uid==0
Date: Mon, 19 Oct 2009 11:14:45 -0400
Message-ID: <200910191114.45636.sgrubb@redhat.com>
In-Reply-To: <4ADC7F89.5030501@uwo.ca>

On Monday 19 October 2009 11:02:33 am Rich Whitcroft wrote:
> Here's my current rule, which is working, but is producing a lot of
> extra log that I'd like to suppress:
> 
> -a entry,always -S execve -F euid=0

I assume the intention is to log all programs executed when someone is running 
as root?
 
> I'm wondering if there's a way to limit this to only audit events that
> happen from a real tty, e.g. a human user.

-a entry,always -S execve -F euid=0 -F auid>=500 -F auid!=4294967295

The loginuid is only set for real logins. But if they issue "service httpd 
restart", then apache has their loginuid, too, and you will start getting 
apache events.

> I'm getting lots of extraneous chatter from sshd, automount, and cron, all
> of which are from tty=(none), but I'm not sure it's possible to filter on
> tty...

The way that we suggest auditing the actions of a root user is by using the 
tty audit capability. This is a little more specific about what is really 
happening. For example, someone could start a python shell and start issuing 
commands. If you audit by execve, then all you see is python start up and then 
you see nothing else. Also, bash can do networking. It's possible to transfer 
files using bash primitives that you won't pick up by auditing execve syscalls. 
Awk is also network aware...

-Steve
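An added example, not code from the original post or from the audit project: it replays the `-F` conditions of the suggested rule over a few constructed SYSCALL records in Python, so the effect of the two auid conditions can be checked offline. The cron and sshd records carry the unset loginuid (4294967295) and drop out; the `ls` run from a root shell reached via a real login stays; the `httpd` child started from that same shell keeps the inherited loginuid and stays too, which is the inheritance caveat described above. A direct root login carries auid=0 and is also dropped by `auid>=500`. The field names follow raw audit.log records, the arch-to-execve table covers only x86_64 and i386, and every log line is constructed rather than captured.

```python
"""Simulate, over constructed audit records, which execve events the rule

    -a entry,always -S execve -F euid=0 -F auid>=500 -F auid!=4294967295

would emit. Added example for this thread, not code from the original
post or from the audit project. The records below are constructed to
look like raw audit.log SYSCALL lines, reduced to the fields the rule reads.
"""
import re

UNSET_AUID = 4294967295   # -1 as u32: loginuid never set (daemons, cron, boot)
MIN_LOGIN_UID = 500       # first ordinary user on 2009-era distributions

# execve syscall number per audit arch (x86_64, i386 only); raw records carry
# the number, "ausearch -i" would print the name instead.
EXECVE_BY_ARCH = {"c000003e": "59", "40000003": "11"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of key -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_execve(rec):
    """True for a SYSCALL record whose syscall number is execve for its arch."""
    return (rec.get("type") == "SYSCALL"
            and EXECVE_BY_ARCH.get(rec.get("arch")) == rec.get("syscall"))


def matches_rule(rec):
    """Apply the three -F conditions of the rule to a parsed record."""
    if not is_execve(rec):
        return False
    try:
        euid, auid = int(rec["euid"]), int(rec["auid"])
    except (KeyError, ValueError):
        return False
    return euid == 0 and auid >= MIN_LOGIN_UID and auid != UNSET_AUID


def filter_log(text):
    """Return the comm of every record the rule would keep, in log order."""
    return [rec["comm"] for rec in map(parse_record, text.splitlines())
            if rec and matches_rule(rec)]


# Constructed sample records (not a real capture). Timestamps and serials are
# arbitrary; only type, arch, syscall, auid, euid, tty and comm matter here.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1255964000.001:101): arch=c000003e syscall=59 success=yes exit=0 auid=4294967295 uid=0 euid=0 tty=(none) comm="run-parts" exe="/usr/bin/run-parts"
type=SYSCALL msg=audit(1255964000.002:102): arch=c000003e syscall=59 success=yes exit=0 auid=4294967295 uid=0 euid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd"
type=SYSCALL msg=audit(1255964000.003:103): arch=c000003e syscall=59 success=yes exit=0 auid=500 uid=0 euid=0 tty=pts0 comm="ls" exe="/bin/ls"
type=SYSCALL msg=audit(1255964000.004:104): arch=c000003e syscall=59 success=yes exit=0 auid=500 uid=0 euid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
type=SYSCALL msg=audit(1255964000.005:105): arch=c000003e syscall=59 success=yes exit=0 auid=500 uid=500 euid=500 tty=pts1 comm="vim" exe="/usr/bin/vim"
type=SYSCALL msg=audit(1255964000.006:106): arch=c000003e syscall=59 success=yes exit=0 auid=0 uid=0 euid=0 tty=tty1 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1255964000.007:107): arch=c000003e syscall=2 success=yes exit=3 auid=500 uid=0 euid=0 tty=pts0 comm="ls" exe="/bin/ls"
"""
# Line by line: cron child (auid unset) -> dropped; sshd (auid unset) -> dropped;
# ls from a root shell after a real login -> kept; httpd restarted from that
# shell inherits auid=500 -> kept (the noise Steve warns about); vim as uid 500
# -> dropped (euid != 0); cat after a direct root console login has auid=0 ->
# dropped by auid>=500; final line is an open(), not execve -> dropped.

if __name__ == "__main__":
    for comm in filter_log(SAMPLE_LOG):
        print("rule would log execve of", comm)
```

Running the block prints only `ls` and `httpd`; the httpd line is the one to keep in mind when judging how much of the remaining chatter the auid conditions actually remove.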


Thread overview: 4+ messages
2009-10-19 15:02 auditing activity where uid==0 Rich Whitcroft
2009-10-19 15:14 ` Steve Grubb [this message]
2009-12-04 11:08   ` Trevor Vaughan
2009-12-04 14:35     ` Steve Grubb
