Hello Steve and all :)
On 20.06.2016 at 17:32, Steve Grubb wrote:
On Monday, June 20, 2016 03:54:02 PM Skwar Alexander wrote:
> On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with auditd 2.3.2
> and v2.4.5), we'd like to log all the commands that root has run, or
> that were run as root.
>
> For that, I added the following rules:
>
> # Log all commands run as (or by) root
> -a exit,always -F arch=b64 -F euid=0 -S execve -k exec_root
> -a exit,always -F arch=b32 -F euid=0 -S execve -k exec_root
That will also get daemon child processes. Normally you would want to separate routine system activity from user initiated activity.
Yeah, by now, I figured as much :) It's really logging quite a lot.
These two rules can be found in a lot of places, e.g. here
http://serverfault.com/questions/470755/log-all-commands-run-by-admins-on...
and there
http://linux-audit.com/pci-dss-logging-of-administrative-actions-with-roo...
What would be a better configuration? I now have changed it to:
# Log all commands run AS root
-a exit,always -F arch=b64 -F euid=0 -F auid!=0 -S execve -k exec_as_root
-a exit,always -F arch=b32 -F euid=0 -F auid!=0 -S execve -k exec_as_root
Thanks a lot for the pointer to aulast. That was very helpful.
Cheers,
Alexander
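As an added example (not from this thread and not part of auditd), here is a small Python matcher that evaluates the two rule sets quoted above, plus the `-F auid>=1000 -F auid!=4294967295` form commonly used to restrict a rule to logged-in users, against constructed audit.log SYSCALL records; it covers x86_64 only (syscall 59 = execve), and the record text, timestamps and process names are made up.

```python
import re

# Constructed SYSCALL records in audit.log field layout (not real log data).
# syscall=59 is execve on x86_64; auid=4294967295 is the "unset" login UID
# carried by daemons and their children, since no login session ever set it.
SAMPLE_RECORDS = [
    # interactive admin: logged in as uid 1000, then became root
    'type=SYSCALL msg=audit(1466438000.101:201): arch=c000003e syscall=59 success=yes '
    'exit=0 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="ls" exe="/bin/ls" key="exec_root"',
    # direct root login running a command
    'type=SYSCALL msg=audit(1466438000.102:202): arch=c000003e syscall=59 success=yes '
    'exit=0 auid=0 uid=0 gid=0 euid=0 ses=4 comm="cat" exe="/bin/cat" key="exec_root"',
    # cron/daemon child: no login session, so auid is unset
    'type=SYSCALL msg=audit(1466438000.103:203): arch=c000003e syscall=59 success=yes '
    'exit=0 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="run-parts" '
    'exe="/bin/run-parts" key="exec_root"',
    # unprivileged user running a command: should match nothing
    'type=SYSCALL msg=audit(1466438000.104:204): arch=c000003e syscall=59 success=yes '
    'exit=0 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="vim" exe="/usr/bin/vim"',
]

AUID_UNSET = 4294967295
EXECVE_B64 = 59

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one audit line into a dict of field -> value (integers converted)."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        val = val.strip('"')
        fields[key] = int(val) if val.isdigit() else val
    return fields


# The rule sets under discussion, expressed as predicates on a parsed record.
RULES = {
    "exec_root": lambda r: r["syscall"] == EXECVE_B64 and r["euid"] == 0,
    "exec_as_root": lambda r: r["syscall"] == EXECVE_B64 and r["euid"] == 0 and r["auid"] != 0,
    # "human sessions only" variant: auid>=1000 and auid!=4294967295
    "exec_as_root_by_user": lambda r: r["syscall"] == EXECVE_B64 and r["euid"] == 0
    and r["auid"] >= 1000 and r["auid"] != AUID_UNSET,
}


def matching_keys(line):
    """Return the names of the rule sets that would fire for this record."""
    rec = parse_record(line)
    return [name for name, pred in RULES.items() if pred(rec)]


def classify(lines):
    """Map each record's comm to the list of rule keys it matches."""
    return {parse_record(line)["comm"]: matching_keys(line) for line in lines}
```

Running `classify(SAMPLE_RECORDS)` shows that the daemon child (auid unset) still matches `exec_as_root`, because 4294967295 is not 0, while only the `auid>=1000` variant separates it from the interactive admin.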