auditing activity where uid==0

Steve Grubb sgrubb at redhat.com
Mon Oct 19 15:14:45 UTC 2009


On Monday 19 October 2009 11:02:33 am Rich Whitcroft wrote:
> Here's my current rule, which is working, but is producing a lot of
> extra log that I'd like to suppress:
> 
> -a entry,always -S execve -F euid=0

I assume the intention is to log all programs executed when someone is running 
as root?
> I'm wondering if there's a way to limit this to only audit events that
> happen from a real tty, e.g. a human user.

-a entry,always -S execve -F euid=0 -F auid>=500 -F auid!=4294967295

The loginuid is only set for real logins. But if they issue "service httpd 
restart", then apache has their loginuid, too, and you will start getting 
apache events.

> I'm getting lots of extraneous chatter from sshd, automount, and cron, all
> of which are from tty=(none), but I'm not sure it's possible to filter on
> tty...

The way that we suggest auditing the actions of a root user is by using the 
tty audit capability. This is a little more specific about what is really 
happening. For example, someone could start a python shell and start issuing 
commands. If you audit by execve, then all you see is python start up and then 
you see nothing else. Also, bash can do networking. It's possible to transfer 
files using bash primitives that you won't pick up by auditing execve syscalls. 
Awk is also network aware...

-Steve
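
Added example, not part of the original mail: this Python applies the predicate of Steve's rule (`euid=0`, `auid>=500`, `auid!=4294967295`) to constructed auditd SYSCALL records, and adds the `tty=(none)` check Rich asked about, showing why a "service httpd restart" event still passes the rule alone. The sample records, field layout, and the `has_real_tty` helper are assumptions constructed here.

```python
import re

# auditd's sentinel for "loginuid never set" (2**32 - 1), as used in the rule in the mail.
AUID_UNSET = 4294967295
MIN_LOGIN_UID = 500
EXECVE_X86_64 = "59"  # syscall number of execve for arch=c000003e

# Constructed sample records shaped like auditd SYSCALL lines; not real log data.
# 201: root shell on a pty; 202: cron job, loginuid unset; 203: httpd restarted by a
# logged-in user, so it inherits auid=500 but has no tty; 204: unprivileged user.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1255968000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1255968000.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2003 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts" key=(null)
type=SYSCALL msg=audit(1255968000.103:203): arch=c000003e syscall=59 success=yes exit=0 ppid=2004 pid=2005 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" key=(null)
type=SYSCALL msg=audit(1255968000.104:204): arch=c000003e syscall=59 success=yes exit=0 ppid=2006 pid=2007 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=5 comm="vim" exe="/usr/bin/vim" key=(null)
"""

# key=value pairs; values are either double-quoted strings or bare tokens like (none).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return one auditd record as a dict of field -> value with quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def matches_rule(rec):
    """Predicate of '-a entry,always -S execve -F euid=0 -F auid>=500 -F auid!=4294967295'."""
    if rec.get("type") != "SYSCALL" or rec.get("syscall") != EXECVE_X86_64:
        return False
    auid = int(rec["auid"])
    return int(rec["euid"]) == 0 and auid >= MIN_LOGIN_UID and auid != AUID_UNSET


def has_real_tty(rec):
    """Hypothetical extra filter: keep only events with a controlling terminal."""
    return rec.get("tty", "(none)") != "(none)"


def filter_records(text, require_tty=False):
    """Return comm values of records passing the rule, optionally also the tty check."""
    out = []
    for line in text.splitlines():
        rec = parse_record(line)
        if matches_rule(rec) and (has_real_tty(rec) or not require_tty):
            out.append(rec["comm"])
    return out


if __name__ == "__main__":
    print("rule only:", filter_records(SAMPLE_RECORDS))                    # ['ls', 'httpd']
    print("rule + tty:", filter_records(SAMPLE_RECORDS, require_tty=True))  # ['ls']
```

The cron record is dropped by the `auid!=4294967295` term, while the httpd record survives the rule exactly as Steve describes; only the added tty check removes it.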
