* audit.rules
From: Jender, Raymond [USA] @ 2012-02-08 14:30 UTC
To: linux-audit@redhat.com

How would you set up audit.rules to log any action by administrators?

Thanks,
Ray
* Re: audit.rules
From: Steve Grubb @ 2012-02-08 14:59 UTC
To: linux-audit; Cc: Jender, Raymond [USA]

On Wednesday, February 08, 2012 09:30:07 AM Jender, Raymond [USA] wrote:
> How would you set up audit.rules to log any action by administrators?

You can use pam_tty_audit. Sudo is also patched to log the commands run by it.

-Steve
* Re: audit.rules
From: Peter Moody @ 2012-02-08 16:53 UTC
To: Jender, Raymond [USA]; Cc: linux-audit@redhat.com

I think there are a few ways you can do this with auditd:

(These both assume you've set up pam_loginuid)

If your admins are a finite set of uids, you could do something like

auditctl -a exit,always -F auid=<admin1> -F success=1
auditctl -a exit,always -F auid=<admin2> -F success=1
...
auditctl -a exit,always -F auid=<adminN> -F success=1

or if by administrators you mean actions run as root (e.g., with sudo or su), you can do something like

auditctl -a exit,always -F auid!=0 -F euid=0 -F success=1

You'll probably want to restrict which syscalls you care about, e.g. open/execve/chmod/unlink, whatever. Those rules as they're written will log a lot more than you likely want.

On Wed, Feb 8, 2012 at 6:30 AM, Jender, Raymond [USA] <jender_raymond@bah.com> wrote:
> How would you set up audit.rules to log any action by administrators?
>
> Thanks,
>
> Ray

--
Peter Moody
Google
Security Engineer
1.650.253.7306
pgp:0xC3410038
* Re: audit.rules
From: Steve Grubb @ 2012-02-08 18:40 UTC
To: linux-audit; Cc: Jender, Raymond [USA]

On Wednesday, February 08, 2012 11:53:44 AM Peter Moody wrote:
> I think there are a few ways you can do this with auditd:
>
> (These both assume you've set up pam_loginuid)
>
> If your admins are a finite set of uids, you could do something like
>
> auditctl -a exit,always -F auid=<admin1> -F success=1
> auditctl -a exit,always -F auid=<admin2> -F success=1
> ...
> auditctl -a exit,always -F auid=<adminN> -F success=1

This audits all syscalls of all programs run by the admin. Normally, this is not what people want or desire. Normally when it's asked about how you log administrative actions, the intended effect is something like the bash history file. They want to know just what the admin did. Unfortunately, this can be easily tricked. The admin can open wish or a python shell and just start typing commands. This does not get recorded in a bash history. So, what you have to do is record the keystrokes.

A lot of times these security requirements come from places where they run both Windows and Linux. So, it sounds innocent. But think about Windows. There are only so many apps and it's not like the OS depends on shell scripting. So, what sounds like an easy to do requirement in Windows becomes impossible in Linux. You have so many execve's with normal shell scripts that you get way more data than you want if you audit on execve.

So, the basic answer is that to weed this down to just the good stuff, you need to do the keystroke logging or if everything is defined in sudo commands, then sudo will take care of this for you.
> or if by administrators you mean actions run as root (e.g., with sudo or
> su), you can do something like
>
> auditctl -a exit,always -F auid!=0 -F euid=0 -F success=1

Again a mountain of data is not good for people. I think there is a clarification to NISPOM that says too much data is just as bad as not enough data. Making searching hard to find what you are after is tantamount to not recording it because you can't find it later.

-Steve
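Peter's rules above match every syscall, and Steve's reply explains why that yields far more data than anyone wants. As an added example that is not code from the thread, here is a POSIX shell fragment that generates the same two rule shapes narrowed to execve, with the arch and key fields auditctl wants; the uids, the rule keys and the 64-bit target are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits an audit.rules fragment that
# narrows Peter's two rule shapes to execve, the syscall restriction he
# suggests. Assumes a 64-bit Linux box (b64 plus b32 for compat binaries),
# auditctl's -a/-F/-S/-k syntax, and pam_loginuid setting auid at login.
# The admin uids passed as arguments are constructed sample values.

# gen_admin_rules KEY UID... : one execve rule per arch per admin loginuid.
# Syscall rules need -F arch before -S so the syscall number is resolved
# for the right ABI.
gen_admin_rules() {
    key=$1
    shift
    for uid in "$@"; do
        for arch in b64 b32; do
            printf '%s\n' "-a always,exit -F arch=$arch -S execve -F auid=$uid -F success=1 -k $key"
        done
    done
}

# gen_root_rules KEY : execve performed as root by someone who logged in as a
# non-root user (sudo/su). auid!=0 drops root's own logins, and
# auid!=4294967295 drops processes with no loginuid (daemons, cron), which
# would otherwise flood the log.
gen_root_rules() {
    key=$1
    for arch in b64 b32; do
        printf '%s\n' "-a always,exit -F arch=$arch -S execve -F auid!=0 -F auid!=4294967295 -F euid=0 -F success=1 -k $key"
    done
}

# rule_count GENERATOR ARGS... : number of rule lines a generator emits
# (a self-check: two arches times the number of admins, or two for root).
rule_count() {
    "$@" | wc -l | tr -d ' '
}

# Usage: write the fragment to stdout; on a real system redirect it into a
# file under /etc/audit/rules.d/ and load it with augenrules.
gen_admin_rules admin_exec 1000 1001
gen_root_rules sudo_exec
```

Steve's caveat still holds: ordinary shell scripts fork constantly, so even execve-only rules are chatty, which is why he points at pam_tty_audit (a session required pam_tty_audit.so enable=<admin users> line in the relevant /etc/pam.d service) or sudo's own logging instead.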