Help on Audit Rules

Steve Grubb sgrubb at redhat.com
Thu Oct 18 17:02:07 UTC 2012


On Thursday, October 18, 2012 08:33:59 AM Peter Moody wrote:
> auditctl -a exit,always -S execve -F success=1
> 
> will audit log all successful execve(2) calls by all uids. It will
> incur a (possibly significant) performance hit though. Is there a
> particular binary/user you're concerned about?

Well, this is not the way we normally do it in the audit world. This would 
capture both system and user events. Normally you want to focus on user 
events. So, if you correct this rule then you are still faced with the fact that 
it won't catch sourced files. Or the user could even start python and type the 
commands in directly.

So, the way we normally do this is to use the keystroke logging. The main 
issue is that you won't get the meaning of up arrows and things like that. I 
think there are ways of restricting the history file and in-memory history so 
that users cannot circumvent it.

-Steve


> On Thu, Oct 18, 2012 at 6:35 AM, Koresh... <koreshkumar at gmail.com> wrote:
> > So if I am correct, there is no way we can get the normal user activity
> > through the auditd daemon ...
> > 
> > Or, please suggest the best way to capture the activity logs for normal
> > users ....
> > 
> > On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac <mitr at redhat.com> wrote:
> >> ----- Original Message -----
> >> 
> >> > So my question is why normal users' audit event logs can't be captured
> >> > as a "type=USER_TTY", whereas root logs can be captured in a
> >> > similar way.
> >> 
> >> USER_TTY is sent by the process that accepts the keyboard input.
> >> Unprivileged users are not allowed to send audit records (otherwise they
> >> would be able to fill the queue and/or the log partition, causing a DoS),
> >> so the USER_TTY record is discarded.
> >> 
> >> Even for unprivileged users you should have the type=TTY records,
> >> although they are noticeably more difficult to interpret.
> >> 
> >>    Mirek
> > 
> > --
> > 
> > 
> > Thanks & Regards,
> > 
> > - Koresh
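As an added example for this archive page (not code from the thread, from Steve, or from the audit project), the Python script below works through the two points raised above: separating user-driven execve events from daemon activity by filtering on the login uid (auid) rather than the process uid, and decoding the hex payload of type=TTY records so the keystroke stream can actually be read. All log lines are constructed for the example, the uid threshold of 1000 for "regular user" is an assumption to adjust per system, and the escape-sequence record illustrates why an up arrow shows up only as raw bytes.

```python
"""Filter user execve events and decode TTY keystroke records from a
constructed auditd log sample.  Added example; not part of the thread
or of the audit project."""
import re
from collections import OrderedDict
from typing import Dict, List, Tuple

# Constructed sample records in auditd's key=value layout.  The kernel
# hex-encodes a value (no surrounding quotes) when it contains spaces,
# quotes or non-printable bytes; a TTY record's data= is always hex.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1350579727.100:45): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2045 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="exec"
type=EXECVE msg=audit(1350579727.100:45): argc=2 a0="ls" a1="-l"
type=SYSCALL msg=audit(1350579730.200:46): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2050 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="exec"
type=EXECVE msg=audit(1350579730.200:46): argc=2 a0="logrotate" a1="/etc/logrotate.conf"
type=SYSCALL msg=audit(1350579735.300:47): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2060 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="exec"
type=EXECVE msg=audit(1350579735.300:47): argc=2 a0="cat" a1=2F746D702F6D79206E6F7465732E747874
type=TTY msg=audit(1350579735.400:48): tty pid=2001 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="bash" data=6C73202D6C0D
type=TTY msg=audit(1350579740.500:49): tty pid=2001 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="bash" data=1B5B410D
"""

AUID_UNSET = 4294967295  # (unsigned)-1: login uid never set, i.e. not a user session
DEFAULT_MIN_UID = 1000   # assumed first regular-user uid; adjust to local policy

_HEAD = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Control bytes rendered symbolically so a decoded keystroke stream is readable.
CONTROL_NAMES = {"\r": "CR", "\n": "LF", "\t": "TAB", "\x1b": "ESC",
                 "\x7f": "DEL", "\x03": "C-c", "\x04": "C-d"}


def parse_record(line: str) -> Dict[str, object]:
    """Parse one audit line into type, timestamp, event serial and fields.
    Each field value is stored as (value, was_quoted)."""
    m = _HEAD.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rtype, ts, serial, body = m.groups()
    fields = {}
    for fm in _FIELD.finditer(body):
        name, quoted, raw = fm.group(1), fm.group(2), fm.group(3)
        fields[name] = (quoted, True) if quoted is not None else (raw, False)
    return {"type": rtype, "time": float(ts), "serial": int(serial), "fields": fields}


def _decode_hex(value: str) -> str:
    """Kernel hex encoding -> text; undecodable bytes are replaced, not dropped."""
    return bytes.fromhex(value).decode("utf-8", errors="replace")


def group_events(lines) -> "OrderedDict[int, list]":
    """Group records sharing an event serial, preserving first-seen order."""
    events = OrderedDict()
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["serial"], []).append(rec)
    return events


def execve_argv(rec) -> List[str]:
    """Rebuild argv from an EXECVE record; unquoted aN values are hex-encoded."""
    fields = rec["fields"]
    argv = []
    for i in range(int(fields["argc"][0])):
        value, quoted = fields[f"a{i}"]
        argv.append(value if quoted else _decode_hex(value))
    return argv


def user_execs(lines, min_uid: int = DEFAULT_MIN_UID) -> List[Tuple[int, List[str]]]:
    """(auid, argv) for successful execve events attributable to a logged-in
    user.  auid is the login uid, which survives su/sudo, so filtering on it
    rather than uid is what separates user activity from daemons."""
    out = []
    for recs in group_events(lines).values():
        by_type = {r["type"]: r for r in recs}
        if "SYSCALL" not in by_type or "EXECVE" not in by_type:
            continue
        sf = by_type["SYSCALL"]["fields"]
        if sf.get("success", ("no", False))[0] != "yes":
            continue
        auid = int(sf["auid"][0])
        if auid == AUID_UNSET or auid < min_uid:
            continue
        out.append((auid, execve_argv(by_type["EXECVE"])))
    return out


def tty_input(lines) -> List[Tuple[int, str]]:
    """Decode TTY (pam_tty_audit) records into readable keystrokes."""
    out = []
    for recs in group_events(lines).values():
        for rec in recs:
            if rec["type"] != "TTY":
                continue
            text = _decode_hex(rec["fields"]["data"][0])
            shown = "".join(
                f"<{CONTROL_NAMES.get(ch, 'x%02X' % ord(ch))}>"
                if ord(ch) < 32 or ord(ch) == 127 else ch
                for ch in text)
            out.append((int(rec["fields"]["auid"][0]), shown))
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for auid, argv in user_execs(lines):
        print(f"auid={auid} exec {argv}")
    for auid, keys in tty_input(lines):
        print(f"auid={auid} typed {keys}")
```

Run against the sample, the logrotate exec (auid unset, started by the system) drops out while both user commands survive, including the hex-encoded argument with a space. The second TTY record decodes to `<ESC>[A<CR>`, which is exactly the "up arrow" problem: the audit trail records the escape sequence, not the history entry it recalled.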



