* Monitoring "root-level" commands
@ 2016-05-18 12:18 Warron S French
2016-05-18 12:42 ` Steve Grubb
0 siblings, 1 reply; 2+ messages in thread
From: Warron S French @ 2016-05-18 12:18 UTC (permalink / raw)
To: linux-audit@redhat.com
[-- Attachment #1.1: Type: text/plain, Size: 584 bytes --]
My Special Security Team, not being UNIX/Linux savvy asked me if I could put into place audit rules that monitor "Root-Level" commands.
I don't know of any specific identifier for such a term, and the closest thing I could come up with was monitoring those files that fall under /usr/sbin/ and /sbin/; does anyone else have any thoughts about how to approach this task?
I figured I would use a rule such as:
-w /sbin/ -p rawx -k watch_root_commands (I used rawx, to account for replacement by a hacker)
Thank you in advance,
Warron French, MBA, SCSA
[-- Attachment #1.2: Type: text/html, Size: 2906 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Monitoring "root-level" commands
2016-05-18 12:18 Monitoring "root-level" commands Warron S French
@ 2016-05-18 12:42 ` Steve Grubb
0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2016-05-18 12:42 UTC (permalink / raw)
To: linux-audit
On Wednesday, May 18, 2016 12:18:21 PM Warron S French wrote:
> My Special Security Team, not being UNIX/Linux savvy asked me if I could put
> into place audit rules that monitor "Root-Level" commands.
>
> I don't know of any specific identifier for such a term, and the closest
> thing I could come up with was monitoring those files that fall under
> /usr/sbin/ and /sbin/; does anyone else have any thoughts about how to
> approach this task?
Typically this is handled by monitoring what root runs. One huge difference
between windows and linux is that running one command may spawn 20 or 30
scripts and helpers. So, its easier to use the keystroke logging to what the
root user is doing.
To enable this, you would add:
session required pam_tty_audit.so disable=* enable=root
to the pam stack for su if that's how admins get the shell. If sudo gives them
shell access, then you can add it there, too. Sudo normally logs the commands
and parameters that it runs. If you are given a shell, though, all it logs is
it started a shell.
-Steve
> I figured I would use a rule such as:
> -w /sbin/ -p rawx -k watch_root_commands (I used rawx, to
> account for replacement by a hacker)
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-05-18 12:42 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-05-18 12:18 Monitoring "root-level" commands Warron S French
2016-05-18 12:42 ` Steve Grubb
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).