On Monday, June 20, 2016 03:54:02 PM Skwar Alexander wrote:
On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with auditd 2.3.2
and v2.4.5), we'd like to log all the commands that root has run, or
that were run as root.
For that, I added the following rules:
# Log all commands run as (or by) root
-a exit,always -F arch=b64 -F euid=0 -S execve -k exec_root
-a exit,always -F arch=b32 -F euid=0 -S execve -k exec_root
That will also get daemon child processes. Normally you would want to separate
routine system activity from user initiated activity.
When I now do an "ausearch -k exec_root -i", I get:
…
<snip>
Now I'd like to know, from where that user connected. That user is
on tty=pts1, so do I have to use last?
Nope. This was thought about long ago.
local@app01-test ~ % last pts/1
local pts/1 10.8.0.1 Mon Jun 20 13:26 still logged in
…
That's fine, as long as /var/log/wtmp* exists. But is there maybe a
way to get that information right away, without having to consult a
different logfile (e.g. /var/log/wtmp)?
This has been long considered a user space post processing issue. When someone
logs in, a series of events occur. You can find the description here:
https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Login-L...
Near the beginning you get USER_AUTH which is recorded by pam and it has the
IP address or terminal if it were a console.
There is a program, aulast, which tracks the sessions. It does show the origin
of the user session. Also, if you give it the --proof commandline option, it
will give you the ausearch command to examine the whole session.
Additionally, if I'd like auditd to do remote logging (i.e. send
logs off of the system), I'd have to use audispd, wouldn't I?
Yes.
How would I then get hold of the right wtmp file?
You don't need it.
-Steve
I've got the feeling that this might become quite complicated, if numerous
servers would do remote logging to one central system...
Would be quite thankful, if somebody could help :)
Thanks a lot,
Alexander
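The two points Steve makes above, that the euid=0 rule also sweeps up daemon children and should be split from user-initiated activity, and that the origin of a session is a user-space post-processing problem over the login records rather than something to fetch from wtmp, as one added, runnable example. This is not code from the thread, from the poster, or from the audit project. It assumes the usual conventions that pam_loginuid sets auid and ses once at login and that 4294967295 is the "unset" auid; the rules file path, the function names and every audit record below are constructed for illustration, not real captures.

```shell
#!/bin/sh
# Added example, not from the thread. Two things Steve points at:
#   1. split "root from a login session" from "root because a daemon runs as root"
#      using the login uid (auid), which pam_loginuid sets once at login and
#      every descendant process inherits; 4294967295 means "never set";
#   2. recover the origin of a session from the audit log itself: the kernel
#      stamps every record of a session with the same ses= value, so the
#      addr=/terminal= of the USER_LOGIN record can be joined to each later
#      execve SYSCALL record without wtmp (this is what aulast does for you).
# All records below are constructed sample data; paths and names are hypothetical.

write_root_exec_rules() {
    # $1: destination rules file, e.g. /etc/audit/rules.d/root-exec.rules (hypothetical)
    # Load with: auditctl -R <file>. Cron jobs that pass through pam_loginuid also
    # carry an auid and therefore land in the first bucket.
    cat >"$1" <<'EOF'
## execve as root from a login session (sudo from a user, or root's own ssh login, auid=0)
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid!=4294967295 -k exec_root_session
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid!=4294967295 -k exec_root_session
## execve as root with no login behind it: daemons started at boot and their children
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid=4294967295 -k exec_root_daemon
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid=4294967295 -k exec_root_daemon
EOF
}

sample_audit_log() {
    # Constructed, abbreviated records in audit.log shape. USER_AUTH also carries
    # addr= but fires before pam_loginuid assigns auid/ses, so USER_LOGIN is the
    # record to join on. Both execve records carry the poster's key, exec_root.
    cat <<'EOF'
type=USER_AUTH msg=audit(1466428000.123:201): pid=1200 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="local" exe="/usr/sbin/sshd" hostname=10.8.0.1 addr=10.8.0.1 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1466428000.456:205): pid=1200 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.8.0.1 addr=10.8.0.1 terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1466428100.789:260): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1350 auid=1000 uid=0 gid=0 euid=0 ses=7 tty=pts1 comm="id" exe="/usr/bin/id" key="exec_root"
type=SYSCALL msg=audit(1466428160.001:300): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1400 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 tty=(none) comm="run-parts" exe="/bin/run-parts" key="exec_root"
EOF
}

correlate_exec_origin() {
    # $1: path to an audit.log. Prints one line per execve record tagged exec_root*:
    #   ses=N auid=U addr=A terminal=T exe=E
    # The file is read twice: pass 1 indexes successful logins by ses, pass 2 joins.
    awk '
        # value of " key=..." in the record with surrounding double quotes removed, or ""
        function val(rec, key,   m) {
            if (match(rec, " " key "=[^ ]+")) {
                m = substr(rec, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
                gsub(/"/, "", m)
                return m
            }
            return ""
        }
        # pass 1: remember where each session came from
        NR == FNR {
            if ($1 == "type=USER_LOGIN" && $0 ~ /res=success/)
                origin[val($0, "ses")] = "addr=" val($0, "addr") " terminal=" val($0, "terminal")
            next
        }
        # pass 2: every execve record with one of our keys, joined to its login record
        $1 == "type=SYSCALL" && val($0, "key") ~ /^exec_root/ {
            ses = val($0, "ses")
            src = (ses in origin) ? origin[ses] : "addr=? terminal=? (no login record for session)"
            print "ses=" ses " auid=" val($0, "auid") " " src " exe=" val($0, "exe")
        }
    ' "$1" "$1"
}

# Usage: write the split rules to a scratch file and show them, then correlate the sample log.
rules=$(mktemp) && write_root_exec_rules "$rules" && cat "$rules" && rm -f "$rules"
log=$(mktemp) && sample_audit_log >"$log" && correlate_exec_origin "$log" && rm -f "$log"
```

The daemon execve shows up with ses=4294967295 and no matching login record, which is exactly the activity the second key in the rules file is meant to separate out; a central collector receiving records from many hosts via audispd can do the same join per host as long as it keeps the USER_LOGIN records alongside the SYSCALL ones.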
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit