Monitoring "root-level" commands
Steve Grubb
sgrubb at redhat.com
Wed May 18 12:42:46 UTC 2016
On Wednesday, May 18, 2016 12:18:21 PM Warron S French wrote:
> My Special Security Team, not being UNIX/Linux savvy asked me if I could put
> into place audit rules that monitor "Root-Level" commands.
>
> I don't know of any specific identifier for such a term, and the closest
> thing I could come up with was monitoring those files that fall under
> /usr/sbin/ and /sbin/; does anyone else have any thoughts about how to
> approach this task?
Typically this is handled by monitoring what root runs. One huge difference
between windows and linux is that running one command may spawn 20 or 30
scripts and helpers. So, its easier to use the keystroke logging to what the
root user is doing.
To enable this, you would add:
session required pam_tty_audit.so disable=* enable=root
to the pam stack for su if that's how admins get the shell. If sudo gives them
shell access, then you can add it there, too. Sudo normally logs the commands
and parameters that it runs. If you are given a shell, though, all it logs is
it started a shell.
-Steve
> I figured I would use a rule such as:
> -w /sbin/ -p rawx -k watch_root_commands (I used rawx, to
> account for replacement by a hacker)
More information about the Linux-audit
mailing list