On Monday, June 20, 2016 03:54:02 PM Skwar Alexander wrote:
> On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with auditd 2.3.2
> and v2.4.5), we'd like to log all the commands that root has run, or
> that were run as root.
>
> For that, I added the following rules:
>
> # Log all commands run as (or by) root
> -a exit,always -F arch=b64 -F euid=0 -S execve -k exec_root
> -a exit,always -F arch=b32 -F euid=0 -S execve -k exec_root

That will also get daemon child processes. Normally you would want to
separate routine system activity from user-initiated activity.

> When I now do an "ausearch -k exec_root -i", I get:
>
> … <snip>
>
> Now I'd like to know from where that user connected. That user is
> on tty=pts1, so do I have to use last?

Nope. This was thought about long ago.

> local@app01-test ~ % last pts/1
> local pts/1 10.8.0.1 Mon Jun 20 13:26 still logged in
> …
>
> That's fine, as long as /var/log/wtmp* exists. But is there maybe a
> way to get that information right away, without having to consult a
> different logfile (e.g. /var/log/wtmp)?

This has been long considered a user space post processing issue. When
someone logs in, a series of events occur. You can find the description
here:

https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Login-Lifecycle-Events

Near the beginning you get USER_AUTH, which is recorded by pam and has the
IP address, or the terminal if it were a console. There is a program,
aulast, which tracks the sessions. It does show the origin of the user
session. Also, if you give it the --proof commandline option, it will give
you the ausearch command to examine the whole session.

> Additionally, if I'd like auditd to do remote logging (i.e. send
> logs off of the system), I'd have to use audispd, wouldn't I?

Yes.

> How would I then get hold of the right wtmp file?

You don't need it.

-Steve

> I've got the feeling that this might become quite complicated if numerous
> servers would do remote logging to one central system...
>
> Would be quite thankful if somebody could help :)
>
> Thanks a lot,
> Alexander
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit
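The join Steve describes as a user space post-processing problem, as an added example that is not from the thread, from aulast or from the audit project: USER_AUTH/USER_START records carry addr= and terminal= plus a session id, SYSCALL records carry the same ses= and the login uid auid=, and the EXECVE record shares its SYSCALL's serial. The script below does that join over constructed audit.log records (assuming the raw key=value layout) and drops records whose auid is unset (4294967295), which is how daemon-spawned processes appear under a euid=0 rule.

```python
import re

UNSET = "4294967295"  # auid/ses value meaning "no login uid": daemon-spawned activity
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\'[^\']*\'|\S+)')
HDR_RE = re.compile(r"audit\(([\d.]+):(\d+)\)")  # msg=audit(TIME:SERIAL): header

# Constructed sample records in raw /var/log/audit/audit.log format (not a real capture).
SAMPLE_LOG = """\
type=USER_START msg=audit(1466425566.201:102): pid=1234 uid=0 auid=1000 ses=5 msg='op=PAM:session_open acct="local" exe="/usr/sbin/sshd" hostname=10.8.0.1 addr=10.8.0.1 terminal=ssh res=success'
type=SYSCALL msg=audit(1466425612.417:150): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1300 pid=1350 auid=1000 uid=0 gid=0 euid=0 tty=pts1 ses=5 comm="id" exe="/usr/bin/id" key="exec_root"
type=EXECVE msg=audit(1466425612.417:150): argc=2 a0="id" a1="-u"
type=SYSCALL msg=audit(1466425620.001:151): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=1400 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="exec_root"
type=EXECVE msg=audit(1466425620.001:151): argc=1 a0="/usr/sbin/logrotate"
"""

def parse_record(line):
    """Flatten one raw audit record into a dict; a nested msg='...' payload is merged in."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if key == "msg" and val.startswith("'"):
            fields.update(parse_record(val[1:-1]))        # user-space record payload
        elif key == "msg":
            fields["time"], fields["serial"] = HDR_RE.match(val).groups()
        else:
            fields[key] = val.strip('"')  # hex-encoded (unquoted) argv values are left as-is
    return fields

def root_execs_with_origin(log_text):
    """Join exec_root SYSCALL records to their session's login origin and their argv."""
    origin, argv, syscalls = {}, {}, []
    for line in log_text.splitlines():
        rec = parse_record(line)
        rtype = rec.get("type")
        if rtype == "USER_START" and "addr" in rec:     # login record: ses -> where from
            origin[rec["ses"]] = (rec.get("acct"), rec["addr"], rec.get("terminal"))
        elif rtype == "EXECVE":                          # same serial as its SYSCALL record
            argv[rec["serial"]] = " ".join(rec["a%d" % i] for i in range(int(rec["argc"])))
        elif rtype == "SYSCALL" and rec.get("key") == "exec_root":
            syscalls.append(rec)
    results = []
    for rec in syscalls:
        if rec["auid"] == UNSET:
            continue  # no login uid: a daemon or its child, not a user-initiated command
        acct, addr, terminal = origin.get(rec["ses"], (None, None, None))
        results.append({"time": rec["time"], "auid": rec["auid"], "ses": rec["ses"],
                        "acct": acct, "addr": addr, "terminal": terminal,
                        "tty": rec["tty"], "cmd": argv.get(rec["serial"], rec["exe"])})
    return results

if __name__ == "__main__":
    for r in root_execs_with_origin(SAMPLE_LOG):
        print("%(time)s auid=%(auid)s ses=%(ses)s %(acct)s from %(addr)s on %(tty)s: %(cmd)s" % r)
```

On the constructed input only the interactive `id -u` is reported, attributed to session 5 from 10.8.0.1; the logrotate execve with an unset auid is dropped as system activity.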
