Hello Steve!

Thank you for your feedback. Somehow I still do not fully understand how the filtering with -F works.

Regarding your questions: commands executed by the root user, including subshells and subcommands from scripts, are fine for me.

I altered my audit.rules as you suggested to the following, no other rules:
auditctl -l:
-a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
-a always,exit -F arch=i386 -S execve -F auid>=500 -F auid!=-1 -F uid=0

I get entries from crond like the following in audit.log:
type=USER_ACCT msg=audit(1447855321.729:306): user pid=25780 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1447855321.731:307): user pid=25780 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_START msg=audit(1447855321.731:308): user pid=25780 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1447855321.739:309): user pid=25780 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1447855321.739:310): user pid=25780 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

What I do not get now are commands executed as the root user from ptsX/ttyX.

root@myhost ~# cat /etc/passwd # no audit entry
root@myhost ~# service rsyslog stop # no audit entry
root@myhost ~# less /var/log/audit/audit.log # no audit entry
root@myhost ~# iptables -F # NETFILTER_CFG && SYSCALL entry but no EXECVE entry

Cheers,
Orhan


2015-11-17 20:55 GMT+01:00 Steve Grubb <sgrubb@redhat.com>:
On Tuesday, November 17, 2015 10:38:17 AM ocakan wrote:
> My aim is to audit only commands executed by root (interactively) and avc
> denied messages (selinux)

I have some questions to help clarify. Command executed by root, or the root
user? Root is uid = 0, Root user is uid = 0 && auid >= 500 && auid!= -1. (the
audit system treats all uid as unsigned numbers therefore auid = -1 is a large
unsigned number.)

Also when you say commands, what do you mean? What root types on the console?
What if that is a shell script that in turn executes many other programs and
scripts?


> Some details about my audit-test-system and current audit configuration.

<snip>

> ### auditctl -l:
> -a never,exit -S all -F auid!=-1

This says you want to mark all user processes permanently unauditable.

> -a never,exit -S all -F auid!=0 -F auid<500

I don't think this adds anything because the previous one includes this.

> -a always,exit -F arch=x86_64 -S execve -F euid=0 -F key=root-commands
> -a always,exit -F arch=i386 -S execve -F euid=0 -F key=root-commands

Now you want execve run by anything that's not a user, meaning cron jobs and
system services.

> -a always,exclude -F msgtype=CWD

And this says you don't care about reconstructing relative paths.


> ### auditctl -s:
> AUDIT_STATUS: enabled=1 flag=1 pid=4232 rate_limit=0 backlog_limit=8192
> lost=0 backlog=0
>
> ### /etc/init.d/auditd status:
> auditd (pid  4232) is running...
>
> ### grep -Hrn loginuid /etc/pam.d/:
> /etc/pam.d/login:9:session    required     pam_loginuid.so
> /etc/pam.d/sshd:9:session    required     pam_loginuid.so
> /etc/pam.d/remote:9:session    required     pam_loginuid.so
> /etc/pam.d/ssh-keycat:4:session    required     pam_loginuid.so
>
> -----
>
> MY QUESTION:
> With the above listed configuration I still get audit.log entries with
> auid=-1 including cron and anacron entries.

Based on your rules, you are getting exactly what you programmed it to do.


> EXAMPLE AUDIT.LOG SNIPPET:
> type=USER_ACCT msg=audit(1447748821.214:1369): user pid=5863 uid=0
> auid=4294967295 ses=4294967295

<snip>

> What am I missing or doing wrong? I also tried working with pam_tty_audit
> and aureport --tty but that is too detailed as every keypress gets logged.

Sudo will log every command run through it. Maybe that is closer? The execve
approach will log everything, but it will also log all subscripts that are run
as a result of what's entered on the command line. That would be:

-a always,exit -F arch=b64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
-a always,exit -F arch=b32 -S execve -F auid>=500 -F auid!=-1 -F uid=0

No other rules.

-Steve
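An added example (not from this thread or the audit project) that models how the -F filters of the execve rule above evaluate against audit.log records: it parses lines into fields, compares auid/uid as unsigned 32-bit integers (so -1 becomes 4294967295) and reports that user-space PAM records such as the crond USER_ACCT entries are never decided by -a always,exit rules at all. The two SYSCALL lines, the auid values 0 and 1000 and the pts numbers are constructed; -S syscall-name matching is not modelled.

```python
import re

UNSET = 2**32 - 1  # auid of processes that never went through a login (logged as 4294967295)
ARCH = {"c000003e": "x86_64", "40000003": "i386"}  # hex arch values found in SYSCALL records
ALIAS = {"b64": "x86_64", "b32": "i386"}           # auditctl shorthand for the same arches
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def parse_record(line):
    """Split one audit.log line into a dict of key=value fields."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def parse_filters(rule):
    """Return the (field, operator, value) triples of every -F in an auditctl rule."""
    return re.findall(r'-F\s+(\w+)(>=|<=|!=|=|>|<)(\S+)', rule)

def filter_holds(field, op, want, rec):
    """Evaluate a single -F comparison against a parsed SYSCALL record."""
    if field == "arch":
        return OPS[op](ARCH.get(rec.get("arch"), rec.get("arch")), ALIAS.get(want, want))
    if field not in rec:
        return False
    # uid-type fields are unsigned in the kernel: -1 wraps to 4294967295
    return OPS[op](int(rec[field]), int(want) & UNSET)

def rule_matches(rule, line):
    """None: not a syscall record, so exit rules never decide it (user-space PAM
    events need -a always,exclude -F msgtype=...). Else True/False for the -F filters."""
    rec = parse_record(line)
    if rec.get("type") != "SYSCALL":
        return None
    return all(filter_holds(f, op, v, rec) for f, op, v in parse_filters(rule))

# Constructed sample input: CROND is the crond event quoted in the thread; the two
# SYSCALL lines are made up (auid=0: logged in as root directly, auid=1000: a user who became root).
CROND = ('type=USER_ACCT msg=audit(1447855321.729:306): user pid=25780 uid=0 auid=4294967295 ses=4294967295 '
         'subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg=\'op=PAM:accounting acct="root" '
         'exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success\'')
ROOT_LOGIN = ('type=SYSCALL msg=audit(1447855400.100:320): arch=c000003e syscall=59 success=yes exit=0 '
              'pid=26001 auid=0 uid=0 euid=0 tty=pts0 comm="cat" exe="/bin/cat" key=(null)')
SU_ROOT = ('type=SYSCALL msg=audit(1447855450.200:330): arch=c000003e syscall=59 success=yes exit=0 '
           'pid=26010 auid=1000 uid=0 euid=0 tty=pts1 comm="cat" exe="/bin/cat" key=(null)')
RULE = "-a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0"

if __name__ == "__main__":
    for name, line in (("crond", CROND), ("root login", ROOT_LOGIN), ("su to root", SU_ROOT)):
        print(f"{name:12} -> {rule_matches(RULE, line)}")
```

A root shell whose session was opened by logging in as root directly carries auid=0, which fails auid>=500 just as the unset auid of crond would; the PAM records from crond are unaffected by the execve rule either way.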