Mag Gam wrote:> Is it possible to audit the Linux User Shell? I am trying to gather what
> commands a user is running no our systems.
> Can auditd handle this?
>
> TIA
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
Hi Mag Gam,
I don't know if it can log what every user does... but it can watch a
lot of things :) Here is an example of watching what happens in /tmp,
the reads and writes (auditctl -w /tmp -p rw -k tmp-watch):
[root at goofy ~]# auditctl -l
No rules
[root at goofy ~]# auditctl -w /tmp -p rw -k tmp-watch
[root at goofy ~]# auditctl -l
LIST_RULES: exit,always watch=/tmp perm=rw key=tmp-watch
[root at goofy ~]# ausearch -k tmp-watch
----
time->Mon Sep 3 18:22:36 2007
type=PATH msg=audit(1188832956.932:43): item=0 name="." inode=14207425
dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1188832956.932:43): cwd="/tmp"
type=SYSCALL msg=audit(1188832956.932:43): arch=40000003 syscall=5
success=yes exit=3 a0=95c1e40 a1=18800 a2=0 a3=95c29d8 items=1
ppid=31137 pid=31213 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ls"
exe="/bin/ls"
key="tmp-watch"
----
time->Mon Sep 3 18:25:02 2007
type=PATH msg=audit(1188833102.354:53): item=0 name="." inode=14207425
dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1188833102.354:53): cwd="/tmp"
type=SYSCALL msg=audit(1188833102.354:53): arch=40000003 syscall=5
success=yes exit=3 a0=96e5010 a1=18800 a2=96e1458 a3=96e4ff8 items=1
ppid=31137 pid=31270 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ls"
exe="/bin/ls"
key="tmp-watch"
----
time->Mon Sep 3 18:25:11 2007
type=PATH msg=audit(1188833111.401:54): item=1 name="testme.hack"
inode=14207429 dev=08:01 mode=0100664 ouid=500 ogid=500 rdev=00:00
type=PATH msg=audit(1188833111.401:54): item=0 name="/tmp"
inode=14207425 dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1188833111.401:54): cwd="/tmp"
type=SYSCALL msg=audit(1188833111.401:54): arch=40000003 syscall=5
success=yes exit=0 a0=bfebec4e a1=8941 a2=1b6 a3=8941 items=2 ppid=31137
pid=31271 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 tty=pts1 comm="touch" exe="/bin/touch"
key="tmp-watch"
What i did under uid 500 in the shell was:
cd /tmp
ls
touch testme.hack
Like this you can watch under /bin with "-p rx" for example, and see
what your users execute from /bin. You get the ideea :)
Your could add a watch on ?/etc/shadow? with the arbitrary filterkey
?shadow-file? that generates records for ?reads, writes, executes, and
appends? on ?shadow?:
auditctl -w /etc/shadow -k shadow-file -p rwxa
Use man auditctl, and take a look at /etc/audit/audit.rules.
BE CAREFUL!!! edit /etc/sysconfig/auditd and change the
"AUDITD_CLEAN_STOP" to no, otherwise when you restart auditd all your
rules will be wiped!