On Tuesday, November 17, 2015 10:38:17 AM ocakan wrote:
My aim is to audit only commands executed by root (interactively) and
avc
denied messages (selinux)
I have some questions to help clarify. Command executed by root, or the root
user? Root is uid = 0, Root user is uid = 0 && auid >= 500 && auid!=
-1. (the
audit system treats all uid as unsigned numbers therefore auid = -1 is a large
unsigned number.)
Also when you say commands, what do you mean? What root types on the console?
What if that is a shell script that in turn executes many other programs and
scripts?
Some details about my audit-test-system and current audit
configuration.
<snip>
### auditctl -l:
-a never,exit -S all -F auid!=-1
This says you want to mark all user processes permanently unauditable.
-a never,exit -S all -F auid!=0 -F auid<500
I don't think this adds anything because the previous one includes this.
-a always,exit -F arch=x86_64 -S execve -F euid=0 -F
key=root-commands
-a always,exit -F arch=i386 -S execve -F euid=0 -F key=root-commands
Now you want execve run by anything that's not a user, meaning cron jobs and
system services.
-a always,exclude -F msgtype=CWD
And this says you don't care about reconstructing relative paths.
### auditctl -s:
AUDIT_STATUS: enabled=1 flag=1 pid=4232 rate_limit=0 backlog_limit=8192
lost=0 backlog=0
### /etc/init.d/auditd status:
auditd (pid 4232) is running...
### grep -Hrn loginuid /etc/pam.d/:
/etc/pam.d/login:9:session required pam_loginuid.so
/etc/pam.d/sshd:9:session required pam_loginuid.so
/etc/pam.d/remote:9:session required pam_loginuid.so
/etc/pam.d/ssh-keycat:4:session required pam_loginuid.so
-----
MY QUESTION:
With the above listed configuration I still get audit.log entries with
auid=-1 including cron and anacron entries.
Based on your rules, you are getting exactly what you programmed it to do.
EXAMPLE AUDIT.LOG SNIPPET:
type=USER_ACCT msg=audit(1447748821.214:1369): user pid=5863 uid=0
auid=4294967295 ses=4294967295
<snip>
What am I missing or doing wrong? I also tried working with
pam_tty_audit
and aureport --tty but that is too detailed as every keypress gets logged.
Sudo will log every command run through it. Maybe that is closer? The execve
approach will log everything, but it will also log all subscripts that are run
as a result of what's entered on the command line. That would be:
-a always,exit -F arch=b64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
-a always,exit -F arch=b32 -S execve -F auid>=500 -F auid!=-1 -F uid=0
No other rules.
-Steve