Recording user commands (from RE: Linux-audit Digest, Vol 31, Issue 12)
Taylor_Tad at emc.com
Taylor_Tad at emc.com
Fri Apr 27 20:05:28 UTC 2007
-----Original Message-----
While a little more verbose than one might like, couldn't you audit
exec() system calls? That would certainly capture all the commands
issued from a shell. However, you might want to only audit successful
exec()s. As I recall from auditing *nix systems years ago, shells tend
to just start trying to execute a command name along your path and if it
fails, it tries again with the next path (for example, the command
doesn't exist in /usr/local/bin, let's try /usr/bin and then /usr/sbin,
etc.)
This would pick up other exec()s as well, but you should be able to
generate reports to find the ones that were issued by a shell. Just a
thought.
--Tad Taylor
Message: 3
Date: Thu, 26 Apr 2007 11:10:05 -0400
From: Steve Grubb <sgrubb at redhat.com>
Subject: Re: Recording user command ?
To: linux-audit at redhat.com
Message-ID: <200704261110.05440.sgrubb at redhat.com>
Content-Type: text/plain; charset="iso-8859-1"
On Thursday 26 April 2007 10:32, Gavin White wrote:
> In addition to recording system calls, file activity etc, I would
like
> to record issued commands, ie. anything typed into a shell by a
user.
>
> Is this a reasonable thing to do with auditd? Is it possible?
Well, there are 2 kinds of users, root and everyone else. What
everyone else
does cannot be logged by the session they are running in because it
does not
have enough privileges to log to the audit system.
For the root user, it has enough privileges to log. We are working on
a
solution for this problem. I think most security targets are only
interested
in actions performed by the root user since they can affect the
machine in
many ways.
So, as it stands today, it can't be done with the audit system. We
hope to
have something that starts to address the problem soon.
-Steve
------------------------------
--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
End of Linux-audit Digest, Vol 31, Issue 12
*******************************************
More information about the Linux-audit
mailing list