Monitoring "root-level" commands
Warron S French
warron.s.french at aero.org
Wed May 18 12:18:21 UTC 2016
My Special Security Team, not being UNIX/Linux savvy, asked me if I could put into place audit rules that monitor "Root-Level" commands.
I don't know of any specific identifier for such a term, and the closest thing I could come up with was monitoring those files that fall under /usr/sbin/ and /sbin/; does anyone else have any thoughts about how to approach this task?
I figured I would use a rule such as:
-w /sbin/ -p rawx -k watch_root_commands (I used rawx to account for replacement by a hacker)
Thank you in advance,
Warron French, MBA, SCSA
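An added worked example, not part of the original post or of any reply on the list: a rules file that pairs the poster's directory watch with an execve rule keyed on the effective uid, plus a small awk filter run over constructed audit records to show what the execve rule yields. A -w watch on /sbin and /usr/sbin only fires when a file under those directories is touched; a root shell running /usr/bin/bash, a script in /home, or a binary copied to /tmp never hits it, whereas an execve rule with -F euid=0 records every program run with root privileges regardless of path. The function names, the rules file path, and the sample log lines are all assumptions made for this example.

```shell
#!/bin/sh
# Example code added to illustrate the thread; not the original poster's rules.

# Write the rule set to the path given as $1 (assumed to be a file under
# /etc/audit/rules.d/, e.g. /etc/audit/rules.d/root-commands.rules).
write_rules() {
    cat > "$1" <<'EOF'
## Directory watches, as proposed in the post: fire when a file under these
## directories is read, written, executed or has its attributes changed.
-w /sbin/ -p rawx -k watch_root_commands
-w /usr/sbin/ -p rawx -k watch_root_commands
## Log every execve() performed with effective uid 0, whatever the binary's
## path. Both arch values are needed on x86_64; a 32-bit binary is otherwise
## missed. Add "-F auid>=1000 -F auid!=4294967295" to keep only human sessions.
-a always,exit -F arch=b64 -S execve -F euid=0 -k root_commands
-a always,exit -F arch=b32 -S execve -F euid=0 -k root_commands
EOF
}

# Constructed sample records standing in for /var/log/audit/audit.log:
# an execve by root via sudo (auid=1000), one from a real root login (auid=0),
# an unprivileged execve that the euid=0 rule does not match, and one PATH
# record as noise.
write_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1463573901.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1000 pid=1001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="root_commands"
type=PATH msg=audit(1463573901.123:456): item=0 name="/usr/sbin/useradd" inode=1234 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1463573950.555:470): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2000 pid=2001 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="bash" exe="/usr/bin/bash" key="root_commands"
type=SYSCALL msg=audit(1463574000.001:480): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=3000 pid=3001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=5 comm="ls" exe="/usr/bin/ls" key=(null)
EOF
}

# Print one "auid exe" line per root execve in the log at $1: the fields an
# analyst would pull from "ausearch -k root_commands". auid (the login uid)
# names the person behind a sudo or su session even though uid/euid are 0.
root_commands() {
    awk '/^type=SYSCALL / && / euid=0 / && /key="root_commands"/ {
        auid = ""; exe = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^auid=/) auid = substr($i, 6);
            if ($i ~ /^exe=/)  exe  = substr($i, 5);
        }
        gsub(/"/, "", exe);
        print auid, exe;
    }' "$1"
}

# Number of root execve records in the log at $1.
count_root_commands() {
    root_commands "$1" | wc -l | tr -d ' '
}
```

To use it on a live box, write the rules into /etc/audit/rules.d/, load them with `augenrules --load` (or `auditctl -R` on older auditd), confirm with `auditctl -l`, and query with `ausearch -k root_commands -i`. Expect the euid=0 execve rule to be noisy on a busy system, since every root cron job and every service started by init matches; the auid filter in the comment is the usual way to narrow it to interactive sessions, and the directory watches from the post remain useful for the separate question of whether anything under /sbin or /usr/sbin has been replaced.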