audit.rules
Peter Moody
pmoody at google.com
Wed Feb 8 16:53:44 UTC 2012
I think there are a few ways you can do this with auditd:
(These both assume you've setup pam_loginuid)
If your admins are a finite set of uids, you could do something like
auditctl -a exit,always -F auid=<admin1> -F success=1
auditctl -a exit,always -F auid=<admin2> -F success=1
...
auditctl -a exit,always -F auid=<adminN> -F success=1
or if by administrators you mean actions run as root (eg, with sudo or
su), you can do something like
auditctl -a exit,always -F auid!=0 -F euid=0 -F success=1
You'll probably want to restrict which syscalls you care about, eg
open/execve/chmod/unlink whatever. Those rules as they're written will
log a lot more than you likely want.
On Wed, Feb 8, 2012 at 6:30 AM, Jender, Raymond [USA]
<jender_raymond at bah.com> wrote:
> How would you set up audit.rules to log any action by administrators?
>
> Thanks,
>
> Ray
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
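The two rule shapes described in the reply above (one rule per admin login uid, and one rule for anything run as root from a non-root login), written out with the syscall restriction the reply recommends, as an added example; this is not code from the thread or from the audit project. The uids 1001 and 1002, the syscall list, the key name admin_actions and the script itself are constructed for illustration. The script only prints rules to stdout; loading them (auditctl -R, or a file under /etc/audit/rules.d/) is a separate, root-only step.

```shell
#!/bin/sh
# Added example, not from the original thread: emit an audit.rules fragment
# that records successful syscalls from a set of admin login uids, plus
# everything executed as root by a non-root login (sudo/su). Assumes
# pam_loginuid is in place so auid is set at login.

# Constructed syscall list. The rules quoted in the thread carry no -S and
# would therefore log every syscall; restricting them is the point here.
ADMIN_SYSCALLS="execve,open,openat,chmod,fchmod,unlink,unlinkat"

# One rule per admin login uid; arguments are numeric uids.
gen_admin_uid_rules() {
    for uid in "$@"; do
        printf '%s\n' "-a always,exit -F arch=b64 -S $ADMIN_SYSCALLS -F auid=$uid -F success=1 -k admin_actions"
    done
}

# The "root via sudo/su" rule: login uid is neither root nor unset
# (4294967295 is the kernel's "unset" auid), effective uid is root.
gen_root_escalation_rule() {
    printf '%s\n' "-a always,exit -F arch=b64 -S $ADMIN_SYSCALLS -F auid!=0 -F auid!=4294967295 -F euid=0 -F success=1 -k admin_actions"
}

# Full fragment: per-uid rules followed by the escalation rule.
gen_rules() {
    gen_admin_uid_rules "$@"
    gen_root_escalation_rule
}

# Constructed example: two admin uids.
gen_rules 1001 1002
```

The -k key lets you pull these records back out with ausearch -k admin_actions. The arch=b64 filter only covers 64-bit syscalls; on a host that also runs 32-bit binaries, the same rules need a second copy with arch=b32, and per-syscall filtering is only worth it once the syscall list is kept short enough that the audit backlog does not fill.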