Internal commands track in AuditD - Linux-audit - Linux-Audit List Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Internal commands track in AuditD

auditd process memory leak

Duplicate Rule situation

Muthamilan Sargunaanandan

Sunday, 20 June 2021 Sun, 20 Jun '21

3:42 p.m.

Hello SMEs, I would like to add the Internal commands (example cd , |, > and etc) track in AuditD. Can I get the auditd rules to trace the user commands including the internal commands. Thanks in advance, Muthu

Attachments:

attachment.html (text/html — 322 bytes)

Reply

Show replies by date

Richard Guy Briggs

Monday, 21 June Mon, 21 Jun

8:26 a.m.

On 2021-06-20 15:42, Muthamilan Sargunaanandan wrote:

Hello SMEs,

Hi Muthu,

I would like to add the Internal commands (example cd , |, > and etc) track in AuditD.

Thanks for your question. This can be a real challenge.

Can I get the auditd rules to trace the user commands including the internal commands.

Since these are built-in to many shells, the processes running the shells themselves would need to be monitored. Other filters monitoring specific files or users would likely be more helpful. There may be a need to provide system-level (/etc/* defaults) to those shells to restrict their functionality if they prove to be a liability.

Thanks in advance, Muthu

- RGB -- Richard Guy Briggs <rgb(a)redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635

Reply

Steve Grubb

12:16 p.m.

On Sunday, June 20, 2021 4:42:48 PM EDT Muthamilan Sargunaanandan wrote:

I would like to add the Internal commands (example cd , |, > and etc) track in AuditD.

Internal to what? Auditd just logs events to disk. The kernel is what decides what should be logged. The kernel's view is pretty much what you'd see in strace output. If there is something in the strace that is significant, a syscall rule can be written for it.

Can I get the auditd rules to trace the user commands including the internal commands.

The kernel doesn't have visibility into the meaning of anything users do. But what it can do is record any keystrokes that a user may type regardless of what program is receiving the characters. You can look into pam_tty_audit if you want to do that. It will record these as TTY events that you can later post process -Steve

Reply

1279

days inactive

1280

days old

linux-audit@lists.linux-audit.osci.io

Manage subscription

2 comments

3 participants

tags (0)

participants (3)

Muthamilan Sargunaanandan
Richard Guy Briggs
Steve Grubb