Hi Peter,

Currently i am tring to achive the same through below configuration on audit.rules file ...

# Audit all execve calls
-a entry,always -S execve
-a entry,never
-a exclude,always -F msgtype=PATH
-a exclude,always -F msgtype=CWD
-a exclude,always -F msgtype=CONFIG_CHANGE
-a exclude,always -F msgtype=CRED_DISP

But the problem on above rule is, it records all the SYSCALL and EXECV calls. Which increasing the log file size.

So my question is why normal users audit event logs cant be captured as a "type=USER_TTY" , where as root logs can be captured similarway.

Some logs for your reference:


type=EXECVE msg=audit(1350523801.169:137779): a0="/usr/lib/sa/sa1" a1="1" a2="1"

type=SYSCALL msg=audit(1350523801.169:137780): arch=40000003 syscall=11 success=yes exit=0 a0=86e0ec0 a1=86e08b8 a2=86e0ed8 a3=86e08b8 items=2 ppid=18623 pid=18624 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sadc" exe="/usr/lib/sa/sadc" subj=kernel key=(null)

type=EXECVE msg=audit(1350523801.169:137780): a0="/usr/lib/sa/sadc" a1="-F" a2="-L" a3="1" a4="1" a5="-"

type=USER_END msg=audit(1350523801.185:137781): user pid=18623 uid=0 auid=4294967295 subj=kernel msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

type=USER_TTY msg=audit(1350524060.169:137782): user pid=18576 uid=0 auid=655 subj=kernel msg='cat /etc/audit/audit.rules '

type=SYSCALL msg=audit(1350524060.169:137783): arch=40000003 syscall=11 success=yes exit=0 a0=8cc4780 a1=8cc4838 a2=8cbd860 a3=0 items=2 ppid=18576 pid=18625 auid=655 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="cat" exe="/bin/cat" subj=kernel key=(null)

type=EXECVE msg=audit(1350524060.169:137783): a0="cat" a1="/etc/audit/audit.rules"

type=USER_TTY msg=audit(1350524156.789:137784): user pid=18576 uid=0 auid=655 subj=kernel msg='tail -f /var/log/audit/audit.log'
type=SYSCALL msg=audit(1350524156.789:137785): arch=40000003 syscall=11 success=yes exit=0 a0=8cc4810 a1=8cc47d0 a2=8cbd860 a3=0 items=2 ppid=18576 pid=18626 auid=655 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="tail" exe="/usr/bin/tail" subj=kernel key=(null)

type=EXECVE msg=audit(1350524156.789:137785): a0="tail" a1="-f" a2="/var/log/audit/audit.log"

type=USER_END msg=audit(1350524172.558:137786): user pid=18249 uid=0 auid=1600 subj=kernel msg='PAM: session close acct="sysmon" : exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245, terminal=ssh res=success)'

type=SYSCALL msg=audit(1350524176.426:137787): arch=40000003 syscall=11 success=yes exit=0 a0=81f102e8 a1=81f12a60 a2=81f10300 a3=4 items=2 ppid=1045 pid=18627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=kernel key=(null)

type=EXECVE msg=audit(1350524176.426:137787): a0="/usr/sbin/sshd" a1="-R"

type=USER_ACCT msg=audit(1350524176.642:137788): user pid=18627 uid=0 auid=4294967295 subj=kernel msg='PAM: accounting acct="sysmon" : exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245, terminal=ssh res=success)'

type=CRED_ACQ msg=audit(1350524176.642:137789): user pid=18627 uid=0 auid=4294967295 subj=kernel msg='PAM: setcred acct="sysmon" : exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245, terminal=ssh res=success)'

type=USER_START msg=audit(1350524176.642:137790): user pid=18627 uid=0 auid=1600 subj=kernel msg='PAM: session open acct="sysmon" : exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245, terminal=ssh res=success)'

type=CRED_REFR msg=audit(1350524176.642:137791): user pid=18629 uid=0 auid=1600 subj=kernel msg='PAM: setcred acct="sysmon" : exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245, terminal=ssh res=success)'

On Wed, Oct 17, 2012 at 8:07 PM, Peter Moody <pmoody@google.com> wrote:

What rules are currently installed and what logs are you seeing?

On Oct 17, 2012 5:59 AM, "Koresh..." <koreshkumar@gmail.com> wrote:

Hi Team,

I have enabled the audit logs recently ... Currently the auditd daemon is logging all the event and syscalls done based on default rule set ...

But currently it only record the events done by the root user or by the sudo ...

Need your help to configure the same for Group wise ... so that i can track the group wise events done , rather then adding a rule for each individual users.


--

Thanks & Regards,

- Koresh




--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit



--


Thanks & Regards,

- Koresh