Logging from where user connected?
Steve Grubb
sgrubb at redhat.com
Mon Jun 20 15:32:57 UTC 2016
On Monday, June 20, 2016 03:54:02 PM Skwar Alexander wrote:
> On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with auditd 2.3.2
> and v2.4.5), we'd like to log all the commands that root has run, or
> that were run as root.
>
> For that, I added the following rules:
>
> # Log all commands run as (or by) root
> -a exit,always -F arch=b64 -F euid=0 -S execve -k exec_root
> -a exit,always -F arch=b32 -F euid=0 -S execve -k exec_root
That will also get daemon child processes. Normally you would want to separate
routine system activity from user initiated activity.
> When I now do an "ausearch -k exec_root -i", I get:
>
> …
<snip>
> Now I'd like to know, from where that user connected. That user is
> on tty=pts1, so do I have to use last?
Nope. This was thought about long ago.
> local at app01-test ~ % last pts/1
> local pts/1 10.8.0.1 Mon Jun 20 13:26 still logged in
> …
>
> That's fine, as long as /var/log/wtmp* exists. But is there maybe a
> way to get that information right away, without having to consult a
> different logfile (e.g. /var/log/wtmp)?
This has been long considered a user space post processing issue. When someone
logs in, a series of events occur. You can find the description here:
https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Login-Lifecycle-Events
Near the beginning you get USER_AUTH which is recorded by pam and it has the
IP address or terminal if it were a console.
There is a program, aulast, which tracks the sessions. It does show the origin
of the user session. Also, if you give it the --proof commandline option, it
will give you the ausearch command to examine the whole session.
> Additionally, if I'd like auditd to do remote logging (i.e. send
> logs off of the system), I'd have to use audispd, wouldn't I?
Yes.
> How would I then get hold of the right wtmp file?
You don't need it.
-Steve
> I've got the feeling that this might become quite complicated if numerous
> servers were to do remote logging to one central system...
>
> Would be quite thankful, if somebody could help :)
>
> Thanks a lot,
> Alexander
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
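The user-space post-processing Steve describes, as an added example that is not part of this thread or of the audit project's own tooling (aulast does the real thing): execve records tagged exec_root are joined by their ses field to the USER_LOGIN record of the same session, so the origin address comes from the audit trail itself and not from wtmp, and daemon children with an unset auid/ses are reported separately, as Steve's first remark suggests. The sample records are constructed: the field layout follows audit.log, the pids, serials and the 10.8.0.1 address are made up.

```python
import re
from collections import defaultdict

# Constructed sample records (made-up pids, serials and the 10.8.0.1 address
# from the thread); the field layout follows audit.log, the values do not.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1466428000.100:101): pid=1234 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.8.0.1 addr=10.8.0.1 terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1466428100.200:200): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 tty=pts1 ses=7 comm="id" exe="/usr/bin/id" key="exec_root"
type=EXECVE msg=audit(1466428100.200:200): argc=2 a0="id" a1="-u"
type=SYSCALL msg=audit(1466428101.300:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=3000 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" key="exec_root"
type=EXECVE msg=audit(1466428101.300:201): argc=1 a0="run-parts"
"""
UNSET = "4294967295"  # auid/ses of processes that never went through a login
FIELD_RE = re.compile(r"(\S+?)=(\"[^\"]*\"|'[^']*'|\S+)")
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

def parse_record(line):
    """Flatten one audit record into a dict; the nested msg='...' payload of
    user-space records (USER_LOGIN etc.) is parsed so addr/terminal become keys."""
    fields = {"serial": SERIAL_RE.search(line).group(1)}  # ties SYSCALL to EXECVE
    for key, value in FIELD_RE.findall(line):
        if value.startswith("'"):
            fields.update((k, v.strip('"')) for k, v in FIELD_RE.findall(value[1:-1]))
        else:
            fields[key] = value.strip('"')
    return fields

def attribute_root_commands(log_text):
    """Join execve records keyed exec_root to their login session by ses, so the
    origin address comes from the audit trail itself rather than from wtmp."""
    sessions, argv, execs = {}, defaultdict(list), []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec["type"] == "USER_LOGIN" and rec.get("res") == "success":
            sessions[rec["ses"]] = rec            # ses -> addr, terminal, acct
        elif rec["type"] == "SYSCALL" and rec.get("key") == "exec_root":
            execs.append(rec)
        elif rec["type"] == "EXECVE":             # plain args only; hex-encoded args not decoded here
            argv[rec["serial"]] = [rec["a%d" % i] for i in range(int(rec["argc"]))]
    rows = []
    for rec in execs:
        cmd = " ".join(argv.get(rec["serial"]) or [rec.get("comm", "?")])
        if rec["ses"] == UNSET:   # daemon/cron child: no login session to attribute
            origin = "no login session"
        else:
            s = sessions.get(rec["ses"], {})
            origin = "%s via %s" % (s.get("addr", "?"), s.get("terminal", "?"))
        rows.append((rec["auid"], rec["ses"], cmd, origin))
    return rows
```

Running attribute_root_commands(SAMPLE_LOG) yields one row for "id -u" attributed to 10.8.0.1 via /dev/pts/1 and one for the cron-spawned run-parts with no login session.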