On Wednesday, June 22, 2016 08:21:27 AM Skwar Alexander wrote:
Hello Steve and all :)
On 20.06.2016 at 17:32, Steve Grubb wrote:
> On Monday, June 20, 2016 03:54:02 PM Skwar Alexander wrote:
>> On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with auditd 2.3.2
>> and v2.4.5), we'd like to log all the commands that root has run, or
>> that were run as root.
>>
>> For that, I added the following rules:
>>
>> # Log all commands run as (or by) root
>> -a exit,always -F arch=b64 -F euid=0 -S execve -k exec_root
>> -a exit,always -F arch=b32 -F euid=0 -S execve -k exec_root
>
> That will also get daemon child processes. Normally you would want to
> separate routine system activity from user initiated activity.
Yeah, by now, I figured as much :) It's really logging quite a lot.
These two rules can be found in a lot of places, e.g. here
http://serverfault.com/questions/470755/log-all-commands-run-by-admins-on-production-servers
and there
http://linux-audit.com/pci-dss-logging-of-administrative-actions-with-root-privileges/
What would be a better configuration? I now have changed it to:
# Log all commands run AS root
-a exit,always -F arch=b64 -F euid=0 -F auid!=0 -S execve -k exec_as_root
-a exit,always -F arch=b32 -F euid=0 -F auid!=0 -S execve -k exec_as_root
-a exit,always -F arch=b64 -F euid=0 -F auid>1000 -F auid!=unset -S execve -k exec_as_root
-a exit,always -F arch=b32 -F euid=0 -F auid>1000 -F auid!=unset -S execve -k exec_as_root
That is assuming that users start at 1000. You are still going to get a lot
because you might run a shell script which runs hundreds more shell scripts
and commands.
What some people decide on is to use the keystroke logging so that they can
see just the high level commands.
-Steve
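As an added illustration of the noise problem Steve describes (one typed command fanning out into many logged execve events), the following script is not part of the thread or of the audit package. It parses constructed audit.log records that match the exec_as_root key, joins each SYSCALL record to its EXECVE record by the audit event id, and arranges the matches into a process tree per login session, so that an admin's high-level command appears at a shallow depth and the scripts and helpers it spawned appear nested under it. The sample lines, pids and session numbers are made up; it assumes EXECVE arguments are plain quoted strings, whereas real audit logs hex-encode arguments containing spaces or special characters (run them through `ausearch -i`, or decode the hex, before feeding them in).

```python
import re

# Constructed sample of audit.log records (not real data). A user with
# auid=1001 obtained a root shell (pid 3100), ran "apt-get update" and
# "systemctl restart nginx"; apt-get spawned a /bin/sh -c helper which in
# turn ran dpkg. Every one of those execve calls had euid=0 and was logged
# by the exec_as_root rules. The last event is a cron job with an unset
# auid (4294967295) that matched a separate exec_root key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1466432390.000:2000): arch=c000003e syscall=59 success=yes exit=0 ppid=3050 pid=3100 auid=1001 uid=0 gid=0 euid=0 ses=3 comm="bash" exe="/bin/bash" key="exec_as_root"
type=EXECVE msg=audit(1466432390.000:2000): argc=1 a0="-bash"
type=SYSCALL msg=audit(1466432400.101:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3101 auid=1001 uid=0 gid=0 euid=0 ses=3 comm="apt-get" exe="/usr/bin/apt-get" key="exec_as_root"
type=EXECVE msg=audit(1466432400.101:2001): argc=2 a0="apt-get" a1="update"
type=SYSCALL msg=audit(1466432400.250:2002): arch=c000003e syscall=59 success=yes exit=0 ppid=3101 pid=3102 auid=1001 uid=0 gid=0 euid=0 ses=3 comm="sh" exe="/bin/dash" key="exec_as_root"
type=EXECVE msg=audit(1466432400.250:2002): argc=3 a0="/bin/sh" a1="-c" a2="dpkg --print-foreign-architectures"
type=SYSCALL msg=audit(1466432400.251:2003): arch=c000003e syscall=59 success=yes exit=0 ppid=3102 pid=3103 auid=1001 uid=0 gid=0 euid=0 ses=3 comm="dpkg" exe="/usr/bin/dpkg" key="exec_as_root"
type=EXECVE msg=audit(1466432400.251:2003): argc=2 a0="dpkg" a1="--print-foreign-architectures"
type=SYSCALL msg=audit(1466432410.000:2004): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3110 auid=1001 uid=0 gid=0 euid=0 ses=3 comm="systemctl" exe="/bin/systemctl" key="exec_as_root"
type=EXECVE msg=audit(1466432410.000:2004): argc=3 a0="systemctl" a1="restart" a2="nginx"
type=SYSCALL msg=audit(1466432420.000:2005): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=4000 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="run-parts" exe="/bin/run-parts" key="exec_root"
type=EXECVE msg=audit(1466432420.000:2005): argc=2 a0="run-parts" a1="/etc/cron.hourly"
"""

# msg=audit(<timestamp>:<serial>) is the id shared by all records of one event.
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
# key=value pairs; quoted values may contain spaces.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(log_text):
    """Group SYSCALL and EXECVE records that share an event id into one dict.

    The SYSCALL record supplies pid/ppid/auid/ses/key; the EXECVE record
    supplies argv. Records of one event may arrive in either order.
    """
    events = {}
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        eid = (float(m.group(1)), int(m.group(2)))
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events.setdefault(eid, {"args": []})
        if fields.get("type") == "SYSCALL":
            ev.update(fields)
        elif fields.get("type") == "EXECVE":
            ev["args"] = [fields["a%d" % i] for i in range(int(fields["argc"]))]
    return [events[k] for k in sorted(events)]


def command_tree(events, key="exec_as_root"):
    """Return (depth, ses, auid, command) tuples for events tagged with `key`.

    depth 0 is an exec whose parent process was not itself logged under the
    key within the same login session (for instance the root shell reached
    via sudo/su); each further level is a descendant of the level above, so
    a script's fan-out of child commands shows up nested under it.
    Caveat: pid reuse inside a long session can link an entry to the wrong
    parent; the `seen` set only guards against an infinite loop.
    """
    matched = [e for e in events if e.get("key") == key]
    by_pid = {(e["ses"], e["pid"]): e for e in matched}
    rows = []
    for e in matched:
        depth, seen = 0, set()
        parent = by_pid.get((e["ses"], e["ppid"]))
        while parent is not None and id(parent) not in seen:
            seen.add(id(parent))
            depth += 1
            parent = by_pid.get((parent["ses"], parent["ppid"]))
        rows.append((depth, e["ses"], e["auid"], " ".join(e["args"])))
    return rows


def render(rows):
    """Indent each command by its depth for a quick per-session review."""
    return ["%s%s  (ses=%s auid=%s)" % ("  " * d, cmd, ses, auid)
            for d, ses, auid, cmd in rows]


if __name__ == "__main__":
    for line in render(command_tree(parse_events(SAMPLE_LOG))):
        print(line)
```

On a live system the same functions can be fed the raw records from /var/log/audit/audit.log or from `ausearch -k exec_as_root --raw`. The tree makes the fan-out visible rather than suppressing it: in the sample, the five exec_as_root events collapse to two commands typed in the shell at depth 1, with apt-get's helpers hanging below it. The "keystroke logging" Steve refers to is the pam_tty_audit PAM module (for example `session required pam_tty_audit.so enable=root` in the relevant /etc/pam.d service file), whose records are read back with `aureport --tty`; it captures what was typed rather than every execve that followed.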