Recording user commands (from RE: Linux-audit Digest, Vol 31, Issue 12)

Taylor_Tad at emc.com Taylor_Tad at emc.com
Fri Apr 27 20:05:28 UTC 2007 

  
  
  -----Original Message-----
While a little more verbose than one might like, couldn't you audit
exec() system calls?  That would certainly capture all the commands
issued from a shell.  However, you might want to only audit successful
exec()s.  As I recall from auditing *nix systems years ago, shells tend
to just start trying to execute a command name along your path and if it
fails, it tries again with the next path (for example, the command
doesn't exist in /usr/local/bin, let's try /usr/bin and then /usr/sbin,
etc.)  
  This would pick up other exec()s as well, but you should be able to
generate reports to find the ones that were issued by a shell.  Just a
thought.
  --Tad Taylor
  
  Message: 3
  Date: Thu, 26 Apr 2007 11:10:05 -0400
  From: Steve Grubb <sgrubb at redhat.com>
  Subject: Re: Recording user command ?
  To: linux-audit at redhat.com
  Message-ID: <200704261110.05440.sgrubb at redhat.com>
  Content-Type: text/plain;  charset="iso-8859-1"
  
  On Thursday 26 April 2007 10:32, Gavin White wrote:
  > In addition to recording system calls, file activity etc, I would
like
  > to record issued commands, ie. anything typed into a shell by a
user.
  >
  > Is this a reasonable thing to do with auditd? Is it possible?
  
  Well, there are 2 kinds of users, root and everyone else. What
everyone else 
  does cannot be logged by the session they are running in because it
does not 
  have enough privileges to log to the audit system.
  
  For the root user, it has enough privileges to log. We are working on
a 
  solution for this problem. I think most security targets are only
interested 
  in actions performed by the root user since they can affect the
machine in 
  many ways.
  
  So, as it stands today, it can't be done with the audit system. We
hope to 
  have something that starts to address the problem soon.
  
  -Steve
  
  
  
  ------------------------------
  
  --
  Linux-audit mailing list
  Linux-audit at redhat.com
  https://www.redhat.com/mailman/listinfo/linux-audit
  
  End of Linux-audit Digest, Vol 31, Issue 12
  *******************************************

More information about the Linux-audit mailing list