On Tuesday, November 17, 2015 10:38:17 AM ocakan wrote: > My aim is to audit only commands executed by root (interactively) and avc > denied messages (selinux)
I have some questions to help clarify. Command executed by root, or the root user? Root is uid = 0, Root user is uid = 0 && auid >= 500 && auid!= -1. (the audit system treats all uid as unsigned numbers therefore auid = -1 is a large unsigned number.) Also when you say commands, what do you mean? What root types on the console? What if that is a shell script that in turn executes many other programs and scripts? > Some details about my audit-test-system and current audit configuration. <snip> > ### auditctl -l: > -a never,exit -S all -F auid!=-1 This says you want to mark all user processes permanently unauditable. > -a never,exit -S all -F auid!=0 -F auid<500 I don't think this adds anything because the previous one includes this. > -a always,exit -F arch=x86_64 -S execve -F euid=0 -F key=root-commands > -a always,exit -F arch=i386 -S execve -F euid=0 -F key=root-commands Now you want execve run by anything that's not a user, meaning cron jobs and system services. > -a always,exclude -F msgtype=CWD And this says you don't care about reconstructing relative paths. > ### auditctl -s: > AUDIT_STATUS: enabled=1 flag=1 pid=4232 rate_limit=0 backlog_limit=8192 > lost=0 backlog=0 > > ### /etc/init.d/auditd status: > auditd (pid 4232) is running... > > ### grep -Hrn loginuid /etc/pam.d/: > /etc/pam.d/login:9:session required pam_loginuid.so > /etc/pam.d/sshd:9:session required pam_loginuid.so > /etc/pam.d/remote:9:session required pam_loginuid.so > /etc/pam.d/ssh-keycat:4:session required pam_loginuid.so > > ----- > > MY QUESTION: > With the above listed configuration I still get audit.log entries with > auid=-1 including cron and anacron entries. Based on your rules, you are getting exactly what you programmed it to do. > EXAMPLE AUDIT.LOG SNIPPET: > type=USER_ACCT msg=audit(1447748821.214:1369): user pid=5863 uid=0 > auid=4294967295 ses=4294967295 <snip> > What am I missing or doing wrong? I also tried working with pam_tty_audit > and aureport --tty but that is too detailed as every keypress gets logged. Sudo will log every command run through it. Maybe that is closer? The execve approach will log everything, but it will also log all subscripts that are run as a result of what's entered on the command line. That would be: -a always,exit -F arch=b64 -S execve -F auid>=500 -F auid!=-1 -F uid=0 -a always,exit -F arch=b32 -S execve -F auid>=500 -F auid!=-1 -F uid=0 No other rules. -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit