On Wednesday, November 18, 2015 03:54:58 PM ocakan wrote: > Hello Steve! > > Thank you for your feedback. Somehow I still do not fully understand how > the filtering with -F works. > > Regarding your questions: commands executed by root user, including > subshells, subcmds from script are fine for me.
OK. > I altered my audit.rules as you suggested to the following, no other rules: > auditctl -l: You can add a key to this if you like, -F key=root-commands > -a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0 > -a always,exit -F arch=i386 -S execve -F auid>=500 -F auid!=-1 -F uid=0 > > I get entries from crond like the following in audit.log: Cron entries hit the user filter. If you were using selinux, you could write a rule like this: -a user,never -F subj_type=crond_t > type=USER_ACCT msg=audit(1447855321.729:306): user pid=25780 uid=0 > auid=4294967295 ses=4294967295 > subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting > acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron > res=success' > type=CRED_ACQ msg=audit(1447855321.731:307): user pid=25780 uid=0 > auid=4294967295 ses=4294967295 > subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred > acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron > res=success' > type=USER_START msg=audit(1447855321.731:308): user pid=25780 uid=0 > auid=4294967295 ses=4294967295 > subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open > acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron > res=success' > type=CRED_DISP msg=audit(1447855321.739:309): user pid=25780 uid=0 > auid=4294967295 ses=4294967295 > subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred > acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron > res=success' > type=USER_END msg=audit(1447855321.739:310): user pid=25780 uid=0 > auid=4294967295 ses=4294967295 > subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close > acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron > res=success' > > What I do not get now are commands executed as root user from ptsX/ttyX. > > root@myhost ~# cat /etc/passwd # no audit entry > root@myhost ~# service rsyslog stop # no audit entry > root@myhost ~# less /var/log/audit/audit.log # no audit entry > root@myhost ~# iptables -F # NETFILTER_CFG && SYSCALL entry but no EXECVE > entry Check to see what your loginuid is: # cat /proc/self/loginuid -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
