[CentOS] Linux User Auditing

Bazy bazy at goofy.celuloza.ro
Mon Sep 3 15:39:58 UTC 2007


Mag Gam wrote:
> Is it possible to audit the Linux User Shell? I am trying to gather what
> commands a user is running no our systems.
> Can auditd handle this?
> 
> TIA
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

Hi Mag Gam,

I don't know if it can log what every user does... but it can watch a
lot of things :) Here is an example of watching what happens in /tmp,
the reads and writes (auditctl -w /tmp -p rw -k tmp-watch):

[root at goofy ~]# auditctl -l
No rules

[root at goofy ~]# auditctl -w /tmp -p rw -k tmp-watch

[root at goofy ~]# auditctl -l
LIST_RULES: exit,always watch=/tmp perm=rw key=tmp-watch

[root at goofy ~]# ausearch -k tmp-watch
----
time->Mon Sep  3 18:22:36 2007
type=PATH msg=audit(1188832956.932:43): item=0 name="." inode=14207425
dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1188832956.932:43):  cwd="/tmp"
type=SYSCALL msg=audit(1188832956.932:43): arch=40000003 syscall=5
success=yes exit=3 a0=95c1e40 a1=18800 a2=0 a3=95c29d8 items=1
ppid=31137 pid=31213 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ls" exe="/bin/ls"
key="tmp-watch"
----
time->Mon Sep  3 18:25:02 2007
type=PATH msg=audit(1188833102.354:53): item=0 name="." inode=14207425
dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1188833102.354:53):  cwd="/tmp"
type=SYSCALL msg=audit(1188833102.354:53): arch=40000003 syscall=5
success=yes exit=3 a0=96e5010 a1=18800 a2=96e1458 a3=96e4ff8 items=1
ppid=31137 pid=31270 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ls" exe="/bin/ls"
key="tmp-watch"
----
time->Mon Sep  3 18:25:11 2007
type=PATH msg=audit(1188833111.401:54): item=1 name="testme.hack"
inode=14207429 dev=08:01 mode=0100664 ouid=500 ogid=500 rdev=00:00
type=PATH msg=audit(1188833111.401:54): item=0  name="/tmp"
inode=14207425 dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1188833111.401:54):  cwd="/tmp"
type=SYSCALL msg=audit(1188833111.401:54): arch=40000003 syscall=5
success=yes exit=0 a0=bfebec4e a1=8941 a2=1b6 a3=8941 items=2 ppid=31137
pid=31271 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 tty=pts1 comm="touch" exe="/bin/touch" key="tmp-watch"


What i did under uid 500 in the shell was:
cd /tmp
ls
touch testme.hack

Like this you can watch under /bin with "-p rx" for example, and see
what your users execute from /bin. You get the ideea :)

Your could add a watch on “/etc/shadow” with the arbitrary filterkey
“shadow-file” that generates records for “reads, writes, executes, and
appends” on “shadow”:

auditctl -w /etc/shadow -k shadow-file -p rwxa

Use man auditctl, and take a look at /etc/audit/audit.rules.

BE CAREFUL!!! edit /etc/sysconfig/auditd and change the
"AUDITD_CLEAN_STOP" to no, otherwise when you restart auditd all your
rules will be wiped!



More information about the CentOS mailing list