On Monday 19 October 2009 11:02:33 am Rich Whitcroft wrote:
> Here's my current rule, which is working, but is producing a lot of extra
> log that I'd like to suppress:
>
> -a entry,always -S execve -F euid=0
I assume the intention is to log all programs executed when someone is running
as root?
> I'm wondering if there's a way to limit this to only audit events that
> happen from a real tty, e.g. a human user.
-a entry,always -S execve -F euid=0 -F auid>=500 -F auid!=4294967295
The loginuid is only set for real logins. But if they issue "service httpd
restart", then apache has their loginuid, too, and you will start getting
apache events.
> I'm getting lots of extraneous chatter from sshd, automount, and cron, all
> of which are from tty=(none), but I'm not sure it's possible to filter on
> tty...
The way that we suggest auditing the actions of a root user is by using the
tty audit capability. This is a little more specific about what is really
happening. For example, someone could start a python shell and start issuing
commands. If you audit by execve, then all you see is python start up and then
you see nothing else. Also, bash can do networking. It's possible to transfer
files using bash primitives that you won't pick up by auditing execve syscalls.
Awk is also network aware...
-Steve
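As an added example (not part of the thread), here is the rule from the reply next to a small POSIX sh filter that applies its auid/euid conditions to constructed SYSCALL records: daemons with an unset loginuid (sshd, crond, automount) are dropped, while an httpd started from a real login session is still kept, which is exactly the caveat above. The pam_tty_audit line and the file it belongs in are assumptions, not something stated in the thread.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.

# The rule suggested in the reply: root execve, but only from a real login
# (auid >= 500 and not the "unset" value 4294967295).
ROOT_EXECVE_RULE='-a entry,always -S execve -F euid=0 -F auid>=500 -F auid!=4294967295'

# Assumed PAM line for the tty-audit approach the reply recommends; the
# target file (e.g. /etc/pam.d/system-auth) depends on the distribution.
TTY_AUDIT_PAM_LINE='session required pam_tty_audit.so enable=root'

# Constructed sample SYSCALL records (not real logs): comm, auid, euid.
SAMPLE_RECORDS='type=SYSCALL comm="sshd" auid=4294967295 euid=0
type=SYSCALL comm="crond" auid=4294967295 euid=0
type=SYSCALL comm="automount" auid=4294967295 euid=0
type=SYSCALL comm="vim" auid=500 euid=0
type=SYSCALL comm="httpd" auid=500 euid=0
type=SYSCALL comm="ls" auid=501 euid=501'

# Extract the value of key=value field $2 from record line $1.
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Return 0 when the record satisfies euid=0, auid>=500, auid!=4294967295.
rule_matches() {
    auid=$(field "$1" auid)
    euid=$(field "$1" euid)
    [ "$euid" -eq 0 ] && [ "$auid" -ge 500 ] && [ "$auid" -ne 4294967295 ]
}

# Print, space separated, the comm of every sample record the rule keeps.
kept_comms() {
    out=''
    while IFS= read -r rec; do
        if rule_matches "$rec"; then
            out="$out${out:+ }$(field "$rec" comm | tr -d '"')"
        fi
    done <<EOF
$SAMPLE_RECORDS
EOF
    printf '%s\n' "$out"
}

kept_comms   # prints: vim httpd
```

The httpd entry survives because a "service httpd restart" from a login shell inherits the user's loginuid, so execve auditing alone cannot tell the daemon apart from the person who started it.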