user auditing

Hello,
is there some way to track what shell commands some user is executing?
Something like having a log file where I could see what commands some user used, e.g. rm -r dirname, ls -l, and so on...
I have 2.6.13-1.1526_FC4smp

reading this might be helpful

command history

history -100 (if you want more commands, just increase the number)

This is the easiest way if you are all on the same server.

I already tried history but without help...
The thing is that I would like to see what commands WinSCP is using...
And when I go to the history of the user with whom I am running those commands through WinSCP, I don't see those commands...

If you are on Solaris, you can turn on BSM (Basic Security Mode) and log all commands executed on the system, including the full command line, arguments and environment, using the "-setpolicy +argv,arge" directive. See man audit_control for more information.


Auditing is a very detailed subject. In my opinion you must decide exactly which objects will be in your audit records, and run the audit in that form.
You can look at this page for how to do this:

http://docs.sun.com/app/docs/doc/816-4557/audittask-44?l=en&a=view&q=audit+files

And so you can configure some flags like the ones below in your audit conf (audit_control):

no = no_class 
fr = file_read
fw = file_write
fa = file_attr_acc
fm = file_attr_mod
fc = file_creation
fd = file_deletion
cl = file_close
pc = process
nt = network
ip = ipc
na = non_attrib
ad = administrative
lo = login_logout
ap = application
io = ioctl
ex = exec
ot = other
all = all

Regards
ygemici


Hi guys,
I am not on Solaris, I am on Red Hat...
How can I do such detailed auditing on Red Hat?
Such auditing that would enable me to see what commands userA executed
when I was logged in as userA in WinSCP...

Unfortunately there is no equivalent tool on Red Hat or any version of GNU/Linux that I am aware of.

If I summarize the issue:

1-) determine the settings

The default settings are in

# cat /etc/auditd.conf

and you can change or specialize them; see man auditd.conf.
You can also leave them unchanged if you wish.

2-) write rules

You must set up watch rules with auditctl (man auditctl for details).
Watch myfolder for read, write and execute for the user with id 500 --> UserA

# auditctl -w /myfolder/ -p rwx -F auid=500

and we save these rules in audit.rules to make them permanent:

# vi /etc/audit.rules
.....
.....
-w /myfolder/ -p rwxa -F auid=500

-w --> watch path
-p --> permission (rwxa: read, write, execute, attribute change)
-F auid --> watch this user
...
...

3-) start service

# service auditd start

4-) check results

For log analysis I can advise the apps below:

seaudit
Using seaudit for Audit Log Analysis
or
auditviewer
https://fedorahosted.org/audit-viewer/wiki/AuditViewerDownloads

Regards
ygemici
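As an added example for the four steps above (this is not code from ygemici or anyone else in this thread), here is a small POSIX shell script that writes the two rules a practitioner would actually want for this problem and then pulls one user's commands out of the resulting audit.log. The uid 500, the path /myfolder, the -k key names and the sample log lines are all assumptions of this example; the log lines are constructed by hand in the format auditd writes to /var/log/audit/audit.log, not captured from a real host, and the -F dir=/-F perm= rule form assumes a current audit package. The point to take away: a watch only records access to the watched path. To see what a user ran, you need a syscall rule on execve filtered by auid (the login uid, which pam_loginuid sets at login on Red Hat and which survives su), and the command line then arrives as an EXECVE record carrying the same event serial as the SYSCALL record. One caveat for the original question: when WinSCP works in SFTP mode, ls and rm are SFTP protocol requests serviced inside sftp-server and never become execve calls; the directory watch still catches the resulting file reads and deletions, but there is no command line to show.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster.  Assumptions:
# uid 500 is UserA, /myfolder is the watched path, the -k key names are
# made up, and SAMPLE_LOG is constructed by hand in the shape that auditd
# writes to /var/log/audit/audit.log (not captured from a real machine).

# Print the rules for the audit.rules file.  The first rule records file
# access under the directory for that login uid; the execve rule is what
# records every command the user runs, which a path watch alone never does.
audit_rules() {
    uid="$1"
    cat <<EOF
-a always,exit -F dir=/myfolder/ -F perm=rwxa -F auid=${uid} -k myfolder
-a always,exit -S execve -F auid=${uid} -k user${uid}-cmds
EOF
}

# List the commands run by one login uid: pair each SYSCALL record that
# carries auid=<uid> with the EXECVE record of the same event serial and
# join its a0..aN arguments back into a command line.
commands_for_auid() {
    awk -v want="$1" '
    {
        # event serial is the number between ":" and "):" in msg=audit(ts:serial):
        ev = ""
        if (match($0, /:[0-9]+\):/)) ev = substr($0, RSTART + 1, RLENGTH - 3)
    }
    $1 == "type=SYSCALL" {
        for (i = 1; i <= NF; i++) if ($i == ("auid=" want)) wanted[ev] = 1
    }
    $1 == "type=EXECVE" && (ev in wanted) {
        cmd = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^a[0-9]+=/) {
            v = $i; sub(/^a[0-9]+=/, "", v); gsub(/"/, "", v)
            cmd = cmd (cmd == "" ? "" : " ") v
        }
        print ev ": " cmd
    }'
}

# Constructed sample: two commands by auid 500 (rm -r dirname, ls -l) and
# one by root, each as a SYSCALL record followed by its EXECVE record.
SAMPLE_LOG='type=SYSCALL msg=audit(1150000000.123:42): arch=40000003 syscall=11 success=yes exit=0 a0=9f2d008 a1=9f2d0c8 a2=9f2c1e8 items=2 ppid=3001 pid=3010 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="rm" exe="/bin/rm" key="user500-cmds"
type=EXECVE msg=audit(1150000000.123:42): argc=3 a0="rm" a1="-r" a2="dirname"
type=SYSCALL msg=audit(1150000000.456:43): arch=40000003 syscall=11 success=yes exit=0 a0=9f2d008 a1=9f2d0c8 a2=9f2c1e8 items=2 ppid=3001 pid=3011 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="ls" exe="/bin/ls" key="user500-cmds"
type=EXECVE msg=audit(1150000000.456:43): argc=2 a0="ls" a1="-l"
type=SYSCALL msg=audit(1150000000.789:44): arch=40000003 syscall=11 success=yes exit=0 a0=8a1c008 a1=8a1c0c8 a2=8a1b1e8 items=2 ppid=1 pid=3012 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="cat" exe="/bin/cat" key="root-cmds"
type=EXECVE msg=audit(1150000000.789:44): argc=2 a0="cat" a1="/etc/shadow"'

# Stand-alone demo: show the rules, then the commands auid 500 ran.
audit_rules 500
printf '%s\n' "$SAMPLE_LOG" | commands_for_auid 500
```

On a live system the same join is done for you by `ausearch -ua 500 -i` (or `ausearch -k user500-cmds`), and `aureport -u` gives per-user totals; the awk above is only there so the example runs offline on the constructed sample. Note that filtering on auid rather than uid is what keeps the trail attached to the person who logged in, even after they su to another account.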