On Mon, Jan 11, 2010 at 12:51 PM, Daniel J Walsh dwalsh@redhat.com wrote:
On 01/11/2010 10:42 AM, Damian Montaldo wrote:
Hi, this is my first message to this list and I hope that this is the correct place to post it, isn't it? If it is not, please tell me. So, thanks in advance.
For auditing purposes, I want to log on a server all the users' commands and all their arguments [0] using audit (and if someone has a better idea, I'm all ears!). I was reading over the internet and Fedora-related posts and I found [1] that the best way to log users' commands is to add a filter for the execve system call.
I'm trying to add a rule like this in the /etc/audit/audit.rules (avoiding the root commands and crons etc):
-a always,entry -S execve -F auid>=500
But it doesn't work for me :(
I think that I have two "things" or problems.
First, the ">=" auid filter doesn't work (and sometimes I have the auid "unset", so anyway it's not working). I fixed this by adding several rules like:
-a always,entry -S execve -F auid=1000
-a always,entry -S execve -F auid=1001
-a always,entry -S execve -F auid=1002
-a always,entry -S execve -F auid=1003
... and so on
And second, I have a lot of additional context information and I don't want it. If I can have a simple list like: user, command, arguments and (less important) path, it would be great. I did some research and again I found [2] this paragraph:
type=SYSCALL ... type=CWD ... type=PATH...
The above event, a simple less /var/log/audit/audit.log, wrote three messages to the log. All of them are closely linked together and you would not be able to make sense of one of them without the others. The first message reveals the following information:
Confirming that I can't reduce the amount of additional information.
Thanks again and excuse me for my English ;) Damian.
[0] That's why I can't use sa
[1] For example: http://osdir.com/ml/linux.redhat.security.audit/2007-04/msg00043.html
[2] It is a complete document about audit made by Novell: www.novell.com/documentation/sled10/pdfdoc/audit_sp1/audit_sp1.pdf
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
I think you want the linux-audit@redhat.com list for this question.
Yes, thanks, but I tried to subscribe to that list 3 times starting from last Friday...
Subscribing to Linux-audit Subscribe to Linux-audit by filling out the following form. This is a closed list, which means your subscription will be held for approval. You will be notified of the list moderator's decision by email. This is also a hidden list, which means that the list of members is available only to the list administrator.
I don't know why a list needs to be "closed and moderated" :(
Thanks again.
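The second problem in the thread (the SYSCALL, EXECVE, CWD and PATH records of one execve are only meaningful together, and the raw log carries far more context than "user, command, arguments, path") is usually solved by post-processing rather than by trimming what auditd writes. The script below is an added example written for this thread, not code from the thread or from the audit project: it groups records by their audit event id and emits one summary row per executed command. It assumes a rule of the form `-a always,exit -F arch=b64 -S execve -F auid>=500 -F auid!=4294967295 -k user_cmds`, where the `auid!=4294967295` clause filters out the "unset" login uid the poster mentions; the `users` map and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Assumed rule (auditctl syntax) producing the records parsed here:
#   -a always,exit -F arch=b64 -S execve -F auid>=500 -F auid!=4294967295 -k user_cmds
# auid>=500 keeps interactive users; auid!=4294967295 drops the unset (-1) login uid
# that daemons and boot-time processes carry.

# Every record starts with its type and the event id (timestamp:serial) that ties
# the SYSCALL, EXECVE, CWD and PATH records of one execve together.
MSG_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs: values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+(?:\[\d+\])?)=("[^"]*"|\S*)')


def parse_record(line):
    """Split one audit.log line into (type, event_id, {key: raw_value}) or None."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return m.group('type'), (m.group('ts'), m.group('serial')), dict(KV_RE.findall(m.group('body')))


def unquote(val):
    return val[1:-1] if len(val) >= 2 and val[0] == val[-1] == '"' else val


def decode_arg(val):
    """EXECVE arguments are quoted when printable; the kernel hex-encodes an
    argument containing spaces or non-printable bytes and writes it unquoted
    (e.g. a1=68656C6C6F20776F726C64 for 'hello world')."""
    if val.startswith('"'):
        return unquote(val)
    try:
        return bytes.fromhex(val).decode('utf-8', errors='replace')
    except ValueError:
        return val


def summarize_execs(lines, users=None):
    """Collapse the multi-record execve events into one dict per command.
    users: optional {auid: name} map (hypothetical, e.g. built from /etc/passwd);
    without it the numeric auid is reported. Arguments longer than the kernel's
    per-record limit arrive as a1[0]=..., a1[1]=... chunks and are not reassembled."""
    users = users or {}
    events = defaultdict(dict)
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, event_id, raw = parsed
        ev = events[event_id]
        if rtype == 'SYSCALL':
            ev['auid'] = raw.get('auid', '?')
            ev['exe'] = unquote(raw.get('exe', ''))
            ev['success'] = raw.get('success') == 'yes'
        elif rtype == 'EXECVE':
            ev['argv'] = [decode_arg(raw.get('a%d' % i, '')) for i in range(int(raw.get('argc', '0')))]
        elif rtype == 'CWD':
            ev['cwd'] = unquote(raw.get('cwd', ''))
        elif rtype == 'PATH' and raw.get('item') == '0':
            ev['path'] = unquote(raw.get('name', ''))  # item 0 is the executed file
    rows = []
    for (ts, serial), ev in sorted(events.items(), key=lambda kv: (float(kv[0][0]), int(kv[0][1]))):
        if 'argv' not in ev:  # not an execve event (e.g. USER_LOGIN)
            continue
        auid = ev.get('auid', '?')
        rows.append({'time': float(ts), 'serial': int(serial), 'user': users.get(auid, auid),
                     'auid': auid, 'cwd': ev.get('cwd', ''), 'path': ev.get('path', ev.get('exe', '')),
                     'argv': ev['argv'], 'success': ev.get('success', False)})
    return rows


def format_rows(rows):
    """One line per command: user, working directory, then argv joined."""
    return ['%s %s %s' % (r['user'], r['cwd'], ' '.join(r['argv'])) for r in rows]


# Constructed sample records (two execve events and one unrelated login record).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1263218432.123:4521): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2201 pid=2210 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="user_cmds"
type=EXECVE msg=audit(1263218432.123:4521): argc=3 a0="ls" a1="-la" a2="/tmp"
type=CWD msg=audit(1263218432.123:4521):  cwd="/home/damian"
type=PATH msg=audit(1263218432.123:4521): item=0 name="/bin/ls" inode=131 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1263218432.123:4521): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=77 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1263218490.777:4530): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2201 pid=2244 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=4 comm="grep" exe="/bin/grep" key="user_cmds"
type=EXECVE msg=audit(1263218490.777:4530): argc=3 a0="grep" a1=68656C6C6F20776F726C64 a2="notes.txt"
type=CWD msg=audit(1263218490.777:4530):  cwd="/home/alice"
type=PATH msg=audit(1263218490.777:4530): item=0 name="/bin/grep" inode=140 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=USER_LOGIN msg=audit(1263218500.001:4531): pid=2300 uid=0 auid=1001 ses=4 msg='op=login id=1001 exe="/usr/sbin/sshd" res=success'
"""

if __name__ == '__main__':
    for line in format_rows(summarize_execs(SAMPLE_LOG.splitlines(), users={'1000': 'damian', '1001': 'alice'})):
        print(line)
```

Run it against a real file with `summarize_execs(open('/var/log/audit/audit.log'))`; the `users` map can be filled from `pwd.getpwall()` on the audited host. Keying on the audit event id rather than on line order matters because records of different events interleave on a busy system, and the hex-decoding step is what keeps an argument like `hello world` from silently turning into an opaque token in the summary.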