Logging from where user connected?
Skwar Alexander
alexander.skwar at everyware.ch
Wed Jun 22 06:21:27 UTC 2016
Hello Steve and all :)
On 20.06.2016 at 17:32, Steve Grubb wrote:
> On Monday, June 20, 2016 03:54:02 PM Skwar Alexander wrote:
>> On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with auditd 2.3.2
>> and v2.4.5), we'd like to log all the commands that root has run, or
>> that were run as root.
>>
>> For that, I added the following rules:
>>
>> # Log all commands run as (or by) root
>> -a exit,always -F arch=b64 -F euid=0 -S execve -k exec_root
>> -a exit,always -F arch=b32 -F euid=0 -S execve -k exec_root
>
> That will also get daemon child processes. Normally you would want to
> separate routine system activity from user initiated activity.
Yeah, by now, I figured as much :) It's really logging quite a lot.
These two rules can be found in a lot of places, e.g. here
http://serverfault.com/questions/470755/log-all-commands-run-by-admins-on-production-servers
and there
http://linux-audit.com/pci-dss-logging-of-administrative-actions-with-root-privileges/
What would be a better configuration? I now have changed it to:
# Log all commands run AS root
-a exit,always -F arch=b64 -F euid=0 -F auid!=0 -S execve -k exec_as_root
-a exit,always -F arch=b32 -F euid=0 -F auid!=0 -S execve -k exec_as_root
Thanks a lot for the pointer to aulast. That was very helpful.
Cheers,
Alexander
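As an added illustration of what the two rule variants in this thread select (example code written for this page, not part of the thread or of the audit project), the script below parses a constructed audit.log excerpt and re-applies the `-F euid=0 -F auid!=0 -S execve` filter in userspace. The three sample events are made up: an admin who became root from a login session (auid=1000), root logged in directly (auid=0), and a daemon child whose loginuid was never set. The kernel stores an unset loginuid as 4294967295 (the unsigned form of -1), which is what `auid!=0` still matches; the report therefore flags whether each surviving event belongs to a login session, so the reader can see which records the narrower rule keeps and which of those still come from routine system activity. Syscall numbers and arch values are the x86_64 (`c000003e`, execve=59) and i386 (`40000003`, execve=11) ones.

```python
import re
from collections import defaultdict

# Unset loginuid as it appears in audit records: (u32)-1.
AUID_UNSET = 4294967295

# execve syscall number per arch field (x86_64 and i386), matching the
# arch=b64 / arch=b32 rules quoted in the thread.
EXECVE_BY_ARCH = {"c000003e": 59, "40000003": 11}

# Constructed sample (not real log data). All three events were produced by
# the broad "-F euid=0" rule; the report below narrows them with auid!=0.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1466404887.123:101): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="exec_root"
type=EXECVE msg=audit(1466404887.123:101): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1466404900.456:102): arch=c000003e syscall=59 success=yes exit=0 ppid=3000 pid=3001 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="ls" exe="/bin/ls" key="exec_root"
type=EXECVE msg=audit(1466404900.456:102): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1466404950.789:103): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=4001 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="exec_root"
type=EXECVE msg=audit(1466404950.789:103): argc=1 a0="/usr/sbin/logrotate"
"""

MSG_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<id>\d+)\): (?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_log(text):
    """Group SYSCALL and EXECVE records of one event under their shared event id."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        ev = events[m.group("id")]
        ev["ts"] = m.group("ts")
        if m.group("type") == "SYSCALL":
            ev.update(fields)          # auid, euid, arch, syscall, comm, exe, ...
        elif m.group("type") == "EXECVE":
            argc = int(fields.get("argc", 0))
            ev["argv"] = [fields.get("a%d" % i, "") for i in range(argc)]
    return dict(events)


def matches_rule(ev, euid=0, auid_ne=0):
    """Userspace equivalent of '-F arch=b64/b32 -F euid=0 -F auid!=0 -S execve'."""
    is_execve = int(ev.get("syscall", -1)) == EXECVE_BY_ARCH.get(ev.get("arch"))
    return is_execve and int(ev["euid"]) == euid and int(ev["auid"]) != auid_ne


def exec_as_root_report(text):
    """Return the events the narrowed rule keeps, flagging those with a real login session."""
    rows = []
    for eid, ev in sorted(parse_audit_log(text).items()):
        if not matches_rule(ev):
            continue
        auid = int(ev["auid"])
        rows.append({
            "event": eid,
            "auid": auid,
            "login_session": auid != AUID_UNSET,   # False => daemon / boot-time process
            "exe": ev.get("exe", ""),
            "argv": ev.get("argv", []),
        })
    return rows


if __name__ == "__main__":
    for row in exec_as_root_report(SAMPLE_LOG):
        origin = "login auid=%d" % row["auid"] if row["login_session"] else "no login session"
        print("%s  %-18s  %s" % (row["event"], origin, " ".join(row["argv"])))
```

Run stand-alone, it prints events 101 and 103 and drops 102 (root logged in directly, auid=0), and marks 103 as having no login session. On a live system the same grouping is what `ausearch -k exec_as_root -i` does for you; the script is only here to make the effect of the `auid` filter visible on known input.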