[CentOS] Linux User Auditing

Mag Gam magawake at gmail.com
Mon Sep 3 17:18:18 UTC 2007


Bazy:

Thanks. I hope in the future version of auditd, it will be much easier to
monitor user's activities.


On 9/3/07, Bazy <bazy at goofy.celuloza.ro> wrote:
>
> Mag Gam wrote:
> > Is it possible to audit the Linux User Shell? I am trying to gather what
> > commands a user is running on our systems.
> > Can auditd handle this?
> >
> > TIA
> >
>
> Hi Mag Gam,
>
> I don't know if it can log what every user does... but it can watch a
> lot of things :) Here is an example of watching what happens in /tmp,
> the reads and writes (auditctl -w /tmp -p rw -k tmp-watch):
>
> [root at goofy ~]# auditctl -l
> No rules
>
> [root at goofy ~]# auditctl -w /tmp -p rw -k tmp-watch
>
> [root at goofy ~]# auditctl -l
> LIST_RULES: exit,always watch=/tmp perm=rw key=tmp-watch
>
> [root at goofy ~]# ausearch -k tmp-watch
> ----
> time->Mon Sep  3 18:22:36 2007
> type=PATH msg=audit(1188832956.932:43): item=0 name="." inode=14207425
> dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00
> type=CWD msg=audit(1188832956.932:43):  cwd="/tmp"
> type=SYSCALL msg=audit(1188832956.932:43): arch=40000003 syscall=5
> success=yes exit=3 a0=95c1e40 a1=18800 a2=0 a3=95c29d8 items=1
> ppid=31137 pid=31213 auid=500 uid=500 gid=500 euid=500 suid=500
> fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ls" exe="/bin/ls"
> key="tmp-watch"
> ----
> time->Mon Sep  3 18:25:02 2007
> type=PATH msg=audit(1188833102.354:53): item=0 name="." inode=14207425
> dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00
> type=CWD msg=audit(1188833102.354:53):  cwd="/tmp"
> type=SYSCALL msg=audit(1188833102.354:53): arch=40000003 syscall=5
> success=yes exit=3 a0=96e5010 a1=18800 a2=96e1458 a3=96e4ff8 items=1
> ppid=31137 pid=31270 auid=500 uid=500 gid=500 euid=500 suid=500
> fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ls" exe="/bin/ls"
> key="tmp-watch"
> ----
> time->Mon Sep  3 18:25:11 2007
> type=PATH msg=audit(1188833111.401:54): item=1 name="testme.hack"
> inode=14207429 dev=08:01 mode=0100664 ouid=500 ogid=500 rdev=00:00
> type=PATH msg=audit(1188833111.401:54): item=0  name="/tmp"
> inode=14207425 dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00
> type=CWD msg=audit(1188833111.401:54):  cwd="/tmp"
> type=SYSCALL msg=audit(1188833111.401:54): arch=40000003 syscall=5
> success=yes exit=0 a0=bfebec4e a1=8941 a2=1b6 a3=8941 items=2 ppid=31137
> pid=31271 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> sgid=500 fsgid=500 tty=pts1 comm="touch" exe="/bin/touch" key="tmp-watch"
>
>
> What I did under uid 500 in the shell was:
> cd /tmp
> ls
> touch testme.hack
>
> Like this you can watch under /bin with "-p rx" for example, and see
> what your users execute from /bin. You get the idea :)
>
> You could add a watch on "/etc/shadow" with the arbitrary filterkey
> "shadow-file" that generates records for "reads, writes, executes, and
> appends" on "shadow":
>
> auditctl -w /etc/shadow -k shadow-file -p rwxa
>
> Use man auditctl, and take a look at /etc/audit/audit.rules.
>
> BE CAREFUL!!! edit /etc/sysconfig/auditd and change the
> "AUDITD_CLEAN_STOP" to no, otherwise when you restart auditd all your
> rules will be wiped!
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
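As an added example (not code from this thread), a small Python parser for the ausearch records Bazy shows above: it groups the SYSCALL, PATH and CWD lines of one event by their msg=audit id and reports successful accesses per auid, the login uid that survives su/sudo, flagging records where the effective uid differs from it. The sample input is constructed in the format of the post; the second record (uid 0 with auid 500) is invented for illustration.

```python
import re
from collections import defaultdict
# Constructed ausearch -k tmp-watch output in the format shown in the post
# (the second record is invented: login uid 500 ran touch after becoming root).
SAMPLE = """\
----
time->Mon Sep  3 18:22:36 2007
type=PATH msg=audit(1188832956.932:43): item=0 name="." inode=14207425 dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1188832956.932:43):  cwd="/tmp"
type=SYSCALL msg=audit(1188832956.932:43): arch=40000003 syscall=5 success=yes exit=3 a0=95c1e40 a1=18800 a2=0 a3=95c29d8 items=1 ppid=31137 pid=31213 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ls" exe="/bin/ls" key="tmp-watch"
----
time->Mon Sep  3 18:25:11 2007
type=PATH msg=audit(1188833111.401:54): item=1 name="testme.hack" inode=14207429 dev=08:01 mode=0100664 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1188833111.401:54): item=0  name="/tmp" inode=14207425 dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1188833111.401:54):  cwd="/tmp"
type=SYSCALL msg=audit(1188833111.401:54): arch=40000003 syscall=5 success=yes exit=0 a0=bfebec4e a1=8941 a2=1b6 a3=8941 items=2 ppid=31137 pid=31271 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="touch" exe="/bin/touch" key="tmp-watch"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')              # key=value or key="value"
EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # (timestamp, serial)

def parse_events(text):
    """Group the lines sharing one msg=audit id into a single event dict."""
    events = {}
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue  # '----' and 'time->' separators carry no fields
        ev = events.setdefault(m.groups(), {"paths": []})
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if f["type"] == "SYSCALL":
            ev.update({k: f.get(k) for k in ("auid", "uid", "comm", "exe", "success", "key")})
        elif f["type"] == "PATH":
            ev["paths"].append(f["name"])
        elif f["type"] == "CWD":
            ev["cwd"] = f["cwd"]
    return [events[k] for k in sorted(events, key=lambda k: (float(k[0]), int(k[1])))]

def summarize_by_login_uid(events):
    """Successful accesses per auid (login uid); flag uid != auid (su/sudo)."""
    report = defaultdict(list)
    for ev in events:
        if ev.get("success") != "yes":
            continue
        report[ev["auid"]].append({
            "comm": ev["comm"], "cwd": ev.get("cwd"), "paths": sorted(ev["paths"]),
            "privilege_change": ev["uid"] != ev["auid"],
        })
    return dict(report)
```

Running summarize_by_login_uid(parse_events(SAMPLE)) attributes both records to login uid 500 even though the touch ran as root; auid is what a real "who did this" audit should key on.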