Is it possible to audit the Linux User Shell? I am trying to gather what commands a user is running no our systems. Can auditd handle this?
TIA
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Hi Mag Gam,
I don't know if it can log what every user does... but it can watch a lot of things :) Here is an example of watching what happens in /tmp, the reads and writes (auditctl -w /tmp -p rw -k tmp-watch):
[root@goofy ~]# auditctl -l
No rules
[root@goofy ~]# auditctl -w /tmp -p rw -k tmp-watch
[root@goofy ~]# auditctl -l
LIST_RULES: exit,always watch=/tmp perm=rw key=tmp-watch
[root@goofy ~]# ausearch -k tmp-watch
----
time->Mon Sep 3 18:22:36 2007
type=PATH msg=audit(1188832956.932:43): item=0 name="." inode=14207425 dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1188832956.932:43): cwd="/tmp"
type=SYSCALL msg=audit(1188832956.932:43): arch=40000003 syscall=5 success=yes exit=3 a0=95c1e40 a1=18800 a2=0 a3=95c29d8 items=1 ppid=31137 pid=31213 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ls" exe="/bin/ls" key="tmp-watch"
----
time->Mon Sep 3 18:25:02 2007
type=PATH msg=audit(1188833102.354:53): item=0 name="." inode=14207425 dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1188833102.354:53): cwd="/tmp"
type=SYSCALL msg=audit(1188833102.354:53): arch=40000003 syscall=5 success=yes exit=3 a0=96e5010 a1=18800 a2=96e1458 a3=96e4ff8 items=1 ppid=31137 pid=31270 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ls" exe="/bin/ls" key="tmp-watch"
----
time->Mon Sep 3 18:25:11 2007
type=PATH msg=audit(1188833111.401:54): item=1 name="testme.hack" inode=14207429 dev=08:01 mode=0100664 ouid=500 ogid=500 rdev=00:00
type=PATH msg=audit(1188833111.401:54): item=0 name="/tmp" inode=14207425 dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1188833111.401:54): cwd="/tmp"
type=SYSCALL msg=audit(1188833111.401:54): arch=40000003 syscall=5 success=yes exit=0 a0=bfebec4e a1=8941 a2=1b6 a3=8941 items=2 ppid=31137 pid=31271 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="touch" exe="/bin/touch" key="tmp-watch"
What I did under uid 500 in the shell was:
cd /tmp
ls
touch testme.hack
Like this you can watch under /bin with "-p rx" for example, and see what your users execute from /bin. You get the idea :)
You could add a watch on "/etc/shadow" with the arbitrary filter key "shadow-file" that generates records for "reads, writes, executes, and appends" on "shadow":
auditctl -w /etc/shadow -k shadow-file -p rwxa
Use man auditctl, and take a look at /etc/audit/audit.rules.
BE CAREFUL!!! Edit /etc/sysconfig/auditd and change "AUDITD_CLEAN_STOP" to no, otherwise when you restart auditd all your rules will be wiped!
Bazy:
Thanks. I hope that in a future version of auditd it will be much easier to monitor users' activities.
On 9/3/07, Bazy bazy@goofy.celuloza.ro wrote:
On 9/3/07, Mag Gam magawake@gmail.com wrote:
Bazy:
Thanks. I hope that in a future version of auditd it will be much easier to monitor users' activities.
You can also run psacct which will also do other auditing commands.
yum install psacct
chkconfig --level 2345 psacct on
lastcomm
which will tell user commands BUT will not tell arguments and such. aureport and its associated commands will tell you more but you need to also load up a ruleset like CAPP or LSPP to get more info.
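To make output like Bazy's watch records easier to read, and to show concretely the limit the psacct reply points at (binaries yes, arguments no), here is an added example that is my own code, not something from the thread or from the audit package. It parses ausearch-style records, groups the SYSCALL/CWD/PATH records of one event by their audit serial, prints one summary line per event, and then lists per login uid (auid) which executables those events came from. The sample records are the three events Bazy posted, embedded so the script runs offline; the function names are mine, and the syscall table covers only the one number the sample uses (i386 open), with ausyscall being the tool for the rest.

```python
"""Parse ausearch-style audit records into per-event summaries.

Added example (not from the thread). SAMPLE holds the three events Bazy
posted, embedded here so the script runs offline; function names are my own.
"""
import re
from collections import defaultdict

SAMPLE = """\
----
time->Mon Sep 3 18:22:36 2007
type=PATH msg=audit(1188832956.932:43): item=0 name="." inode=14207425 dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1188832956.932:43): cwd="/tmp"
type=SYSCALL msg=audit(1188832956.932:43): arch=40000003 syscall=5 success=yes exit=3 a0=95c1e40 a1=18800 a2=0 a3=95c29d8 items=1 ppid=31137 pid=31213 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ls" exe="/bin/ls" key="tmp-watch"
----
time->Mon Sep 3 18:25:02 2007
type=PATH msg=audit(1188833102.354:53): item=0 name="." inode=14207425 dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1188833102.354:53): cwd="/tmp"
type=SYSCALL msg=audit(1188833102.354:53): arch=40000003 syscall=5 success=yes exit=3 a0=96e5010 a1=18800 a2=96e1458 a3=96e4ff8 items=1 ppid=31137 pid=31270 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ls" exe="/bin/ls" key="tmp-watch"
----
time->Mon Sep 3 18:25:11 2007
type=PATH msg=audit(1188833111.401:54): item=1 name="testme.hack" inode=14207429 dev=08:01 mode=0100664 ouid=500 ogid=500 rdev=00:00
type=PATH msg=audit(1188833111.401:54): item=0 name="/tmp" inode=14207425 dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1188833111.401:54): cwd="/tmp"
type=SYSCALL msg=audit(1188833111.401:54): arch=40000003 syscall=5 success=yes exit=0 a0=bfebec4e a1=8941 a2=1b6 a3=8941 items=2 ppid=31137 pid=31271 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="touch" exe="/bin/touch" key="tmp-watch"
"""

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value optionally quoted
MSG = re.compile(r'audit\(([\d.]+):(\d+)\)')  # msg=audit(timestamp:serial)

# Only the number the sample uses (i386, arch=40000003, 5 = open).
# For anything else resolve numbers with 'ausyscall <arch> <number>'.
SYSCALL_NAMES = {"40000003": {"5": "open"}}

SYSCALL_FIELDS = ("auid", "uid", "euid", "pid", "ppid", "tty", "comm", "exe",
                  "key", "success", "arch", "syscall")


def parse_record(line):
    """One 'type=... msg=audit(ts:serial): k=v ...' line -> dict of fields."""
    fields = {k: v.strip('"') for k, v in TOKEN.findall(line)}
    m = MSG.search(fields.get("msg", ""))
    if not m:
        return None
    fields["timestamp"], fields["serial"] = m.group(1), int(m.group(2))
    return fields


def parse_events(text):
    """Group records by serial: one event = one SYSCALL plus its CWD/PATH records."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("type="):
            continue                      # '----' separators and 'time->' headers
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["serial"]]
        ev["serial"] = rec["serial"]
        if rec["type"] == "SYSCALL":
            ev.update({k: rec.get(k) for k in SYSCALL_FIELDS})
            ev["syscall_name"] = SYSCALL_NAMES.get(rec.get("arch"), {}).get(
                rec.get("syscall"), rec.get("syscall"))
        elif rec["type"] == "CWD":
            ev["cwd"] = rec["cwd"]
        elif rec["type"] == "PATH":
            ev["paths"].append((int(rec["item"]), rec["name"]))
    for ev in events.values():
        ev["paths"] = [name for _, name in sorted(ev["paths"])]  # item order
    return [events[s] for s in sorted(events)]


def summarize(ev):
    """One line per event. auid is the login uid (set at login, unchanged by su);
    uid is the current uid, so a mismatch shows who really typed the command."""
    return "%d auid=%s uid=%s %s[%s] cwd=%s paths=%s key=%s" % (
        ev["serial"], ev.get("auid"), ev.get("uid"), ev.get("comm"),
        ev.get("syscall_name"), ev.get("cwd", "?"), ",".join(ev["paths"]),
        ev.get("key"))


def commands_by_login(events):
    """Executables seen per login uid: the closest these watch records get to
    'what did the user run'. The arguments the user typed are not in them."""
    out = defaultdict(list)
    for ev in events:
        out[ev.get("auid")].append(ev.get("exe"))
    return dict(out)


if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for ev in evs:
        print(summarize(ev))
    print(commands_by_login(evs))
```

Run against the three sample events it prints one line each for the two `ls` runs and the `touch`, the last one carrying both PATH names (`/tmp` and `testme.hack`), and then `{'500': ['/bin/ls', '/bin/ls', '/bin/touch']}`. Keying the per-user list on auid rather than uid is the point for "who ran what": auid is set at login and carried through su, so it stays the answer even when uid has changed.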