3:05 p.m.
-----Original Message-----
While a little more verbose than one might like, couldn't you audit
exec() system calls? That would certainly capture all the commands
issued from a shell. However, you might want to only audit successful
exec()s. As I recall from auditing *nix systems years ago, shells tend
to just start trying to execute a command name along your path and if it
fails, it tries again with the next path (for example, the command
doesn't exist in /usr/local/bin, let's try /usr/bin and then /usr/sbin,
etc.)
This would pick up other exec()s as well, but you should be able to
generate reports to find the ones that were issued by a shell. Just a
thought.
--Tad Taylor
Message: 3
Date: Thu, 26 Apr 2007 11:10:05 -0400
From: Steve Grubb <sgrubb(a)redhat.com>
Subject: Re: Recording user command ?
To: linux-audit(a)redhat.com
Message-ID: <200704261110.05440.sgrubb(a)redhat.com>
Content-Type: text/plain; charset="iso-8859-1"
On Thursday 26 April 2007 10:32, Gavin White wrote:
In addition to recording system calls, file activity etc, I would
like
to record issued commands, ie. anything typed into a shell by a
user.
Is this a reasonable thing to do with auditd? Is it possible?
Well, there are 2 kinds of users, root and everyone else. What
everyone else
does cannot be logged by the session they are running in because it
does not
have enough privileges to log to the audit system.
For the root user, it has enough privileges to log. We are working on
a
solution for this problem. I think most security targets are only
interested
in actions performed by the root user since they can affect the
machine in
many ways.
So, as it stands today, it can't be done with the audit system. We
hope to
have something that starts to address the problem soon.
-Steve
------------------------------
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
End of Linux-audit Digest, Vol 31, Issue 12
*******************************************
3:10 p.m.
New subject: Recording user commands (from RE: Linux-audit Digest, Vol 31, Issue 12)
On Friday 27 April 2007 16:05, Taylor_Tad(a)emc.com wrote:
While a little more verbose than one might like, couldn't you
audit
exec() system calls?
Yes, you could certainly do that. But as you said, it would be more data than
you would want. If you had a policy of no root logins, you could define a
rule something like this:
-a always,entry -S execve -F 'auid>=500'
And that should cut it down to the commands run by real users and not daemons.
However, you might want to only audit successful exec()s.
I don't think execve returns in the normal sense when successful.
-Steve
3:28 p.m.
New subject: Recording user commands (from RE: Linux-audit Digest, Vol 31, Issue 12)
On Friday, April 27 2007 4:05:28 pm Taylor_Tad(a)emc.com wrote:
While a little more verbose than one might like, couldn't you
audit
exec() system calls? That would certainly capture all the commands
issued from a shell.
I believe that would miss all of the shell built-in commands though, wouldn't
it? Not sure if we would care, but you can do some interesting things with
the built-ins ... (although maybe you could capture that through additional
audit watches/syscalls/etc.)
--
paul moore
linux security @ hp
4:38 p.m.
New subject: Recording user commands (from RE: Linux-audit Digest, Vol 31, Issue 12)
On Fri, 27 Apr 2007 16:28:17 EDT, Paul Moore said:
I believe that would miss all of the shell built-in commands though,
wouldn't
it? Not sure if we would care, but you can do some interesting things with
the built-ins ... (although maybe you could capture that through additional
audit watches/syscalls/etc.)
# perl -e 'while (<>) {eval $_;}'
Doing proper auditing of what a user is doing is harder than it looks.
Have a nice day. :)
6448
days inactive
6448
days old
linux-audit@lists.linux-audit.osci.io
3 comments
4 participants
participants (4)
-
Paul Moore -
Steve Grubb -
Taylor_Tad@emc.com -
Valdis.Kletnieks@vt.edu