My Special Security Team, not being UNIX/Linux savvy, asked me if I could put into place audit rules that monitor “Root-Level” commands.

I don’t know of any specific identifier for such a term, and the closest thing I could come up with was monitoring those files that fall under /usr/sbin/ and /sbin/; does anyone else have any thoughts about how to approach this task?
I figured I would use a rule such as:

-w /sbin/   -p rawx  -k watch_root_commands                (I used rawx, to account for replacement by a hacker)
Thank you in advance,
Warron French, MBA, SCSA
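One way to express "root-level command" monitoring in auditd terms, added here as an example and not part of the original post: instead of a path watch on /sbin (which misses a privileged binary copied elsewhere), filter execve() on the effective uid and the login uid, and check how a resulting SYSCALL record reads back. The rule keys, the helper names and the two log records are constructed for this example.

```shell
#!/bin/sh
# Added example: audit rules keyed on the privilege level of execve() rather
# than on /sbin paths, plus a small parser for the records they produce.

# Log every program executed with euid=0 by a user who actually logged in
# (auid >= 1000 and not the unset value 4294967295), for both ABIs. A copy of
# a binary outside /sbin is still logged, since the filter is on privilege.
root_cmd_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_cmds
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_cmds
EOF
}

# audit_field LINE NAME: print the value of NAME=value from an audit record,
# with or without quotes (e.g. auid=1000 or exe="/usr/sbin/useradd").
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# is_root_cmd LINE: succeed when the record is an execve by a logged-in user
# running as root, i.e. the condition the rules above select on.
is_root_cmd() {
    _euid=$(audit_field "$1" euid); _auid=$(audit_field "$1" auid)
    [ "$_euid" = 0 ] && [ "$_auid" -ge 1000 ] && [ "$_auid" -ne 4294967295 ]
}

# Constructed sample records (not taken from a real system). The first is a
# logged-in user running useradd as root; the second is a daemon with no login
# session (auid unset), which the rules above would not log.
SAMPLE_SYSCALL='type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="root_cmds"'
SAMPLE_DAEMON='type=SYSCALL msg=audit(1700000000.456:4243): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate"'

root_cmd_rules
for rec in "$SAMPLE_SYSCALL" "$SAMPLE_DAEMON"; do
    if is_root_cmd "$rec"; then
        echo "root command by auid=$(audit_field "$rec" auid): $(audit_field "$rec" exe)"
    fi
done
```

Loading the two rules with `auditctl -R` and reading back with `ausearch -k root_cmds` gives records of the first shape; an unprivileged login running `sudo` to reach euid=0 is captured the same way.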