From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: Monitoring "root-level" commands Date: Wed, 18 May 2016 08:42:46 -0400 Message-ID: <2318397.HZZBRemDFY@x2> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Wednesday, May 18, 2016 12:18:21 PM Warron S French wrote: > My Special Security Team, not being UNIX/Linux savvy asked me if I could put > into place audit rules that monitor "Root-Level" commands. > > I don't know of any specific identifier for such a term, and the closest > thing I could come up with was monitoring those files that fall under > /usr/sbin/ and /sbin/; does anyone else have any thoughts about how to > approach this task? Typically this is handled by monitoring what root runs. One huge difference between windows and linux is that running one command may spawn 20 or 30 scripts and helpers. So, its easier to use the keystroke logging to what the root user is doing. To enable this, you would add: session required pam_tty_audit.so disable=* enable=root to the pam stack for su if that's how admins get the shell. If sudo gives them shell access, then you can add it there, too. Sudo normally logs the commands and parameters that it runs. If you are given a shell, though, all it logs is it started a shell. -Steve > I figured I would use a rule such as: > -w /sbin/ -p rawx -k watch_root_commands (I used rawx, to > account for replacement by a hacker)