Hello

On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with auditd 2.3.2
and v2.4.5), we'd like to log all the commands that root has run, or
that were run as root.

For that, I added the following rules:

# Log all commands run as (or by) root
-a exit,always -F arch=b64 -F euid=0 -S execve -k exec_root
-a exit,always -F arch=b32 -F euid=0 -S execve -k exec_root

When I now do an "ausearch -k exec_root -i", I get:

…

----
type=PATH msg=audit(20.06.2016 15:28:06.976:65023) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=2952 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=PATH msg=audit(20.06.2016 15:28:06.976:65023) : item=0 name=/usr/bin/sudo inode=396945 dev=fc:01 mode=file,suid,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=CWD msg=audit(20.06.2016 15:28:06.976:65023) :  cwd=/home/local
type=EXECVE msg=audit(20.06.2016 15:28:06.976:65023) : argc=5 a0=sudo a1=ausearch a2=-k a3=exec_root a4=-i
type=BPRM_FCAPS msg=audit(20.06.2016 15:28:06.976:65023) : fver=0 fp=none fi=none fe=none old_pp=none old_pi=none old_pe=none new_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend new_pi=none new_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend
type=SYSCALL msg=audit(20.06.2016 15:28:06.976:65023) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7fff4981a280 a1=0x7f7482187bd8 a2=0x1bfcf40 a3=0x7fff49819e80 items=2 ppid=11261 pid=14093 auid=local uid=local gid=local euid=root suid=root fsuid=root egid=local sgid=local fsgid=local tty=pts1 ses=15 comm=sudo exe=/usr/bin/sudo key=exec_root
----
type=PATH msg=audit(20.06.2016 15:28:06.980:65025) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=2952 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=PATH msg=audit(20.06.2016 15:28:06.980:65025) : item=0 name=/sbin/ausearch inode=618 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=CWD msg=audit(20.06.2016 15:28:06.980:65025) :  cwd=/home/local
type=EXECVE msg=audit(20.06.2016 15:28:06.980:65025) : argc=4 a0=ausearch a1=-k a2=exec_root a3=-i
type=SYSCALL msg=audit(20.06.2016 15:28:06.980:65025) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7fc01c0e0618 a1=0x7fc01c0e0638 a2=0x7fc01c0e5cd0 a3=0x7fff84d454c0 items=2 ppid=14093 pid=14094 auid=local uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=15 comm=ausearch exe=/sbin/ausearch key=exec_root

Now I'd like to know from where that user connected. That user is
on tty=pts1, so do I have to use last?

local@app01-test ~ % last pts/1
local    pts/1        10.8.0.1         Mon Jun 20 13:26   still logged in
…

That's fine, as long as /var/log/wtmp* exists. But is there maybe a
way to get that information right away, without having to consult a
different logfile (e.g. /var/log/wtmp)?

Additionally, if I'd like auditd to do remote logging (i.e. send
logs off the system), I'd have to use audispd, wouldn't I? How
would I then get hold of the right wtmp file? I've got the feeling
that this might become quite complicated if numerous servers did
remote logging to one central system...

I would be quite thankful if somebody could help :)

Thanks a lot,
Alexander
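One way to answer the "where did that session come from" question from the audit log alone, as an added example that is not from the post or from the audit project: it parses `ausearch -i` style records, merges each event's EXECVE and SYSCALL lines, and joins every exec_root event to the USER_LOGIN record carrying the same ses= (the session id assigned at login), which is where sshd records addr=. The shape of the USER_LOGIN record in the constructed sample, and the ses= linkage between it and later SYSCALL records, are assumptions here, not something the post confirms.

```python
import re
from collections import defaultdict
# Constructed sample in `ausearch -i` style: an assumed sshd USER_LOGIN record
# followed by the two exec_root events from the post (EXECVE + SYSCALL only).
SAMPLE = """\
type=USER_LOGIN msg=audit(20.06.2016 13:26:01.000:64001) : pid=11200 uid=root auid=local ses=15 msg='op=login id=local exe=/usr/sbin/sshd hostname=10.8.0.1 addr=10.8.0.1 terminal=/dev/pts/1 res=success'
type=EXECVE msg=audit(20.06.2016 15:28:06.976:65023) : argc=5 a0=sudo a1=ausearch a2=-k a3=exec_root a4=-i
type=SYSCALL msg=audit(20.06.2016 15:28:06.976:65023) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7fff4981a280 a1=0x7f7482187bd8 a2=0x1bfcf40 a3=0x7fff49819e80 items=2 ppid=11261 pid=14093 auid=local uid=local gid=local euid=root suid=root fsuid=root egid=local sgid=local fsgid=local tty=pts1 ses=15 comm=sudo exe=/usr/bin/sudo key=exec_root
type=EXECVE msg=audit(20.06.2016 15:28:06.980:65025) : argc=4 a0=ausearch a1=-k a2=exec_root a3=-i
type=SYSCALL msg=audit(20.06.2016 15:28:06.980:65025) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7fc01c0e0618 a1=0x7fc01c0e0638 a2=0x7fc01c0e5cd0 a3=0x7fff84d454c0 items=2 ppid=14093 pid=14094 auid=local uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=15 comm=ausearch exe=/sbin/ausearch key=exec_root
"""
HEADER = re.compile(r"type=(\S+) msg=audit\([^)]*:(\d+)\) :\s*(.*)")  # type, serial, body
FIELD = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")                      # k=v or k='nested k=v ...'

def parse_fields(body):
    # Flatten "k=v ... msg='k2=v2 ...'" into one dict; the quoted msg is unpacked.
    fields = {}
    for key, quoted, bare in FIELD.findall(body):
        if bare:
            fields[key] = bare
        else:
            fields.update(parse_fields(quoted))
    return fields

def parse_events(text):
    # Merge all records that share one event serial into a single dict.
    events = defaultdict(lambda: {"types": set()})
    # Lines that are not records ('----' separators, blanks) simply don't match.
    for m in filter(None, map(HEADER.match, text.splitlines())):
        rtype, serial, body = m.groups()
        ev, fields = events[serial], parse_fields(body)
        ev["types"].add(rtype)
        if rtype == "EXECVE":        # kept apart: SYSCALL reuses a0..a3 for pointers
            ev["argv"] = [fields["a%d" % i] for i in range(int(fields["argc"]))]
        else:
            ev.update(fields)
    return events

def root_commands_by_origin(text):
    # (login address, auid, tty, command) per exec_root event, joined on ses=.
    events = parse_events(text)
    logins = {ev["ses"]: ev for ev in events.values()
              if "USER_LOGIN" in ev["types"] and ev.get("res") == "success"}
    rows = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        if ev.get("key") == "exec_root":
            login = logins.get(ev.get("ses"))
            addr = login["addr"] if login else "unknown (no USER_LOGIN for ses)"
            rows.append((addr, ev["auid"], ev["tty"], " ".join(ev.get("argv", []))))
    return rows
```

Feeding it `ausearch -k exec_root -i` output together with `ausearch -m USER_LOGIN -i` output gives one line per root command with the address the session was opened from, so no wtmp lookup is needed as long as the login records reach the same store as the exec records.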

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit