Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
while a proper auditing subsytem will be able to capture substanially more than that.
I'm not disputing Audit is a good tool (after all I've written many threads since say 2003 about LIDS, TOMOYO, GRSecurity, SELinux, syscall vs userland logging, logging requirements wrt privacy aspects, security or PCI-DSS, etc, etc) but while it may be easy to write "proper auditing subsytem", as far as I'm aware, Auditd logs only what you configure it to log. Please remember that by default none of the CAPP, NISPOM, STIG or LSPP rulesets in the audit package are loaded (for good reasons), so these are the effective /etc/audit/audit.rules contents you start out with when installing audit (grep -v ^# /etc/audit/audit.rules):
Code:
-D
-b 320
So what would an administrator have to do to turn Audit into a proper auditing subsystem? And will it then also only log events issued by users after a 'sudo su -'?
Quote:
Originally Posted by Josh000
Such as how many resources were used, what resources were used, which files were accessed, which network addresss were connected to...etc
By default Auditd does not log which network addresses were connected to as far as I know.
Quote:
Originally Posted by Josh000
No no, rootsh will only log commands,
If you've ran it you would know rootsh logs commands and CLI output. Sure I should have said that the Audit subsystem and userland tools like Rootsh complement each other.
I'm not disputing Audit is a good tool (after all I've written many threads since say 2003 about LIDS, TOMOYO, GRSecurity, SELinux, syscall vs userland logging, logging requirements wrt privacy aspects, security or PCI-DSS, etc, etc) but while it may be easy to write "proper auditing subsytem", as far as I'm aware, Auditd logs only what you configure it to log. Please remember that by default none of the CAPP, NISPOM, STIG or LSPP rulesets in the audit package are loaded (for good reasons), so these are the effective /etc/audit/audit.rules contents you start out with when installing audit (grep -v ^# /etc/audit/audit.rules):
Hi, it doesn't matter what the default settings are one bit, we are talking about the capabilities of an auditing system compared to rootsh.
The fact is, you can configure an auditing system to log pretty much anything, while rootsh is severely restricted by comparison.
That is why I disagreed when you suggested rootsh as the right tool for the job, and implied auditd was not.
The goal is to monitor/trace any root access that is able to connect to a machine only for troubleshooting/maintenance. So we don't know in advance which orders will be issued.
Because we want to know which folk connects to the system, I choose to use sudo su - to keep a trace of the real user.
Hope it's clear. This is I think a typical security concern for root.
If you use 'ausearch' then you'll find all sessions start with a LOGIN line and then a new session Id. So when you use 'ausearch --ses $sessionNumber' you get an account of (amongst other things) commands issued. Note that, as is typical for syscall-based logging, command args are obscured and you'll ever get those, nor any command output, from the Auditd subsystem alone.
pam_loginuid should be a RHEL/Centos PAM stack default module and as for pam_tty_audit, are you sure? While limiting audit.rules may seem like a Good Thing to do it would be better to filter at the reporting stage. For instance "terminal" in 'ausearch' is a filter ("-tm").
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.