Bazy: Thanks. I hope in the future version of auditd, it will be much easier to monitor user's activities. On 9/3/07, Bazy <bazy at goofy.celuloza.ro> wrote: > > Mag Gam wrote: > > Is it possible to audit the Linux User Shell? I am trying to gather what > > commands a user is running no our systems. > > Can auditd handle this? > > > > TIA > > > > > > ------------------------------------------------------------------------ > > > > _______________________________________________ > > CentOS mailing list > > CentOS at centos.org > > http://lists.centos.org/mailman/listinfo/centos > > Hi Mag Gam, > > I don't know if it can log what every user does... but it can watch a > lot of things :) Here is an example of watching what happens in /tmp, > the reads and writes (auditctl -w /tmp -p rw -k tmp-watch): > > [root at goofy ~]# auditctl -l > No rules > > [root at goofy ~]# auditctl -w /tmp -p rw -k tmp-watch > > [root at goofy ~]# auditctl -l > LIST_RULES: exit,always watch=/tmp perm=rw key=tmp-watch > > [root at goofy ~]# ausearch -k tmp-watch > ---- > time->Mon Sep 3 18:22:36 2007 > type=PATH msg=audit(1188832956.932:43): item=0 name="." inode=14207425 > dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00 > type=CWD msg=audit(1188832956.932:43): cwd="/tmp" > type=SYSCALL msg=audit(1188832956.932:43): arch=40000003 syscall=5 > success=yes exit=3 a0=95c1e40 a1=18800 a2=0 a3=95c29d8 items=1 > ppid=31137 pid=31213 auid=500 uid=500 gid=500 euid=500 suid=500 > fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ls" exe="/bin/ls" > key="tmp-watch" > ---- > time->Mon Sep 3 18:25:02 2007 > type=PATH msg=audit(1188833102.354:53): item=0 name="." inode=14207425 > dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00 > type=CWD msg=audit(1188833102.354:53): cwd="/tmp" > type=SYSCALL msg=audit(1188833102.354:53): arch=40000003 syscall=5 > success=yes exit=3 a0=96e5010 a1=18800 a2=96e1458 a3=96e4ff8 items=1 > ppid=31137 pid=31270 auid=500 uid=500 gid=500 euid=500 suid=500 > fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ls" exe="/bin/ls" > key="tmp-watch" > ---- > time->Mon Sep 3 18:25:11 2007 > type=PATH msg=audit(1188833111.401:54): item=1 name="testme.hack" > inode=14207429 dev=08:01 mode=0100664 ouid=500 ogid=500 rdev=00:00 > type=PATH msg=audit(1188833111.401:54): item=0 name="/tmp" > inode=14207425 dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00 > type=CWD msg=audit(1188833111.401:54): cwd="/tmp" > type=SYSCALL msg=audit(1188833111.401:54): arch=40000003 syscall=5 > success=yes exit=0 a0=bfebec4e a1=8941 a2=1b6 a3=8941 items=2 ppid=31137 > pid=31271 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 > sgid=500 fsgid=500 tty=pts1 comm="touch" exe="/bin/touch" key="tmp-watch" > > > What i did under uid 500 in the shell was: > cd /tmp > ls > touch testme.hack > > Like this you can watch under /bin with "-p rx" for example, and see > what your users execute from /bin. You get the ideea :) > > Your could add a watch on "/etc/shadow" with the arbitrary filterkey > "shadow-file" that generates records for "reads, writes, executes, and > appends" on "shadow": > > auditctl -w /etc/shadow -k shadow-file -p rwxa > > Use man auditctl, and take a look at /etc/audit/audit.rules. > > BE CAREFUL!!! edit /etc/sysconfig/auditd and change the > "AUDITD_CLEAN_STOP" to no, otherwise when you restart auditd all your > rules will be wiped! > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20070903/f925ad9a/attachment-0005.html>