Hello Steve! Thank you for your feedback. Somehow I still do not fully understand how the filtering with -F works.
Regarding your questions: commands executed by root user, including subshells, subcmds from script are fine for me.

I altered my audit.rules as you suggested to the following, no other rules:

auditctl -l:
-a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
-a always,exit -F arch=i386 -S execve -F auid>=500 -F auid!=-1 -F uid=0

I get entries from crond like the following in audit.log:

type=USER_ACCT msg=audit(1447855321.729:306): user pid=25780 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1447855321.731:307): user pid=25780 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_START msg=audit(1447855321.731:308): user pid=25780 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1447855321.739:309): user pid=25780 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1447855321.739:310): user pid=25780 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

What I do not get now are commands executed as root user from ptsX/ttyX.

root@myhost ~# cat /etc/passwd                  # no audit entry
root@myhost ~# service rsyslog stop             # no audit entry
root@myhost ~# less /var/log/audit/audit.log    # no audit entry
root@myhost ~# iptables -F                      # NETFILTER_CFG && SYSCALL entry but no EXECVE entry

Cheers,
Orhan

2015-11-17 20:55 GMT+01:00 Steve Grubb <sgr...@redhat.com>:
> On Tuesday, November 17, 2015 10:38:17 AM ocakan wrote:
> > My aim is to audit only commands executed by root (interactively) and avc
> > denied messages (selinux)
>
> I have some questions to help clarify. Command executed by root, or the root
> user? Root is uid = 0, Root user is uid = 0 && auid >= 500 && auid != -1. (the
> audit system treats all uid as unsigned numbers therefore auid = -1 is a large
> unsigned number.)
>
> Also when you say commands, what do you mean? What root types on the console?
> What if that is a shell script that in turn executes many other programs and
> scripts?
>
> > Some details about my audit-test-system and current audit configuration.
> > <snip>
>
> > ### auditctl -l:
> > -a never,exit -S all -F auid!=-1
>
> This says you want to mark all user processes permanently unauditable.
>
> > -a never,exit -S all -F auid!=0 -F auid<500
>
> I don't think this adds anything because the previous one includes this.
>
> > -a always,exit -F arch=x86_64 -S execve -F euid=0 -F key=root-commands
> > -a always,exit -F arch=i386 -S execve -F euid=0 -F key=root-commands
>
> Now you want execve run by anything that's not a user, meaning cron jobs and
> system services.
>
> > -a always,exclude -F msgtype=CWD
>
> And this says you don't care about reconstructing relative paths.
>
> > ### auditctl -s:
> > AUDIT_STATUS: enabled=1 flag=1 pid=4232 rate_limit=0 backlog_limit=8192
> > lost=0 backlog=0
> >
> > ### /etc/init.d/auditd status:
> > auditd (pid 4232) is running...
> >
> > ### grep -Hrn loginuid /etc/pam.d/:
> > /etc/pam.d/login:9:session required pam_loginuid.so
> > /etc/pam.d/sshd:9:session required pam_loginuid.so
> > /etc/pam.d/remote:9:session required pam_loginuid.so
> > /etc/pam.d/ssh-keycat:4:session required pam_loginuid.so
> >
> > -----
> >
> > MY QUESTION:
> > With the above listed configuration I still get audit.log entries with
> > auid=-1 including cron and anacron entries.
>
> Based on your rules, you are getting exactly what you programmed it to do.
>
> > EXAMPLE AUDIT.LOG SNIPPET:
> > type=USER_ACCT msg=audit(1447748821.214:1369): user pid=5863 uid=0
> > auid=4294967295 ses=4294967295
> > <snip>
>
> > What am I missing or doing wrong? I also tried working with pam_tty_audit
> > and aureport --tty but that is too detailed as every keypress gets logged.
>
> Sudo will log every command run through it. Maybe that is closer? The execve
> approach will log everything, but it will also log all subscripts that are run
> as a result of what's entered on the command line. That would be:
>
> -a always,exit -F arch=b64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
> -a always,exit -F arch=b32 -S execve -F auid>=500 -F auid!=-1 -F uid=0
>
> No other rules.
>
> -Steve
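As an added illustration (not part of the thread), the Python below models how the -F clauses of the execve rule quoted above decide a record, including the unsigned treatment of auid=-1: a SYSCALL record from a root shell reached via su from an ordinary account matches, a session that logged in directly as root carries auid=0 and fails auid>=500, and the USER_ACCT-style records that crond produces are PAM messages that exit rules never govern in the first place. All function names and the sample records are constructed for this example and are not taken from a real host.

```python
import re

UNSET_AUID = 0xFFFFFFFF  # how the kernel stores auid=-1 (unsigned 32-bit)


def to_unsigned(value):
    """Audit compares uids as unsigned 32-bit numbers, so -1 == 4294967295."""
    return int(value) & 0xFFFFFFFF


def parse_record(line):
    """Pull type= and the uid-style fields out of one audit.log line."""
    rec = {"type": re.match(r"type=(\S+)", line).group(1)}
    for key, val in re.findall(r"\b(auid|uid|euid|syscall|exe)=(\S+)", line):
        rec[key] = val
    return rec


def rule_applies(rec):
    """-a always,exit rules only see syscall records; PAM records such as
    USER_ACCT/USER_START from crond are emitted by user space regardless."""
    return rec["type"] == "SYSCALL"


def filter_matches(rec):
    """-F auid>=500 -F auid!=-1 -F uid=0: every -F clause must hold."""
    auid, uid = to_unsigned(rec["auid"]), to_unsigned(rec["uid"])
    return auid >= 500 and auid != UNSET_AUID and uid == 0


def would_log(line):
    """True if the execve rule from the thread would record this line."""
    rec = parse_record(line)
    return rule_applies(rec) and filter_matches(rec)


# Constructed sample records (field subsets, not copied from a real system)
SAMPLES = {
    "su from uid 1000":  'type=SYSCALL msg=audit(1.0:1): arch=c000003e syscall=59 auid=1000 uid=0 euid=0 exe="/bin/cat"',
    "direct root login": 'type=SYSCALL msg=audit(1.0:2): arch=c000003e syscall=59 auid=0 uid=0 euid=0 exe="/bin/cat"',
    "cron job":          'type=SYSCALL msg=audit(1.0:3): arch=c000003e syscall=59 auid=4294967295 uid=0 euid=0 exe="/bin/sh"',
    "crond PAM record":  'type=USER_ACCT msg=audit(1.0:4): user pid=25780 uid=0 auid=4294967295 ses=4294967295 msg=\'op=PAM:accounting acct="root" exe="/usr/sbin/crond" res=success\'',
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:18} -> {'logged' if would_log(line) else 'not logged'}")
```

Running it shows that only the su case is logged, which is why commands typed in a shell that was logged in directly as root (auid=0) do not appear under this rule.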
-- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit