• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar

The Geek Diary

HowTos | Basics | Concepts

  • Solaris
    • Solaris 11
    • SVM
    • ZFS
    • Zones
    • LDOMs
    • Hardware
  • Linux
    • CentOS/RHEL 7
    • RHCSA notes
    • SuSE Linux Enterprise
    • Linux Services
  • VCS
    • VxVM
  • Interview Questions
  • oracle
    • ASM
    • mysql
    • RAC
    • oracle 12c
    • Data Guard
  • DevOps
    • Docker
    • Shell Scripting
  • Hadoop
    • Hortonworks HDP
      • HDPCA
    • Cloudera
      • CCA 131

How to audit all Commands run on a Linux system using auditd

By admin

The audit package ties into the Linux kernel audit subsystem. The audit system audits system calls and other kernel level events, not user-space events, so we need to audit the execve() system call which is what starts executing new programs. For the example in this post, we have taken the CentOS/RHEL system, but the steps remain more or less the same for other *NIX distributions as well.

For CentOS/RHEL 7

Apply audit rules into the system

1. To keep the rules persistent after reboot or service restart, add the following rules to file /etc/audit/rules.d/audit.rules:

# vi /etc/audit/rules.d/audit.rules
-a exit,always -F arch=b32 -S execve -k auditcmd
-a exit,always -F arch=b64 -S execve -k auditcmd

2. Run “augenrules” command to recreate /etc/audit/audit.rules from all configuration files in /etc/audit/rules.d/audit.rules and restart auditd.

3. If you only want to apply the rules temporarily, run following commands as root:

# auditctl -a exit,always -F arch=b32 -S execve -k auditcmd
# auditctl -a exit,always -F arch=b64 -S execve -k auditcmd

Verify Current rules

To verify the current rules, run:

# auditctl -l

Verify audit logs

To verify audit logs for a specific keyword, run:

# ausearch -k auditcmd
Note: In CentOS/RHEL 7, to stop/start/restart auditd service, run service auditd stop|start|restart.

For CentOS/RHEL 6

To log all commands

1. First, auditd needs to be running. It should be running by default, but if it’s not, start it with:

# chkconfig auditd on
# service auditd start

2. If it is a 64 bit architecture then you need to add two rules to catch both 32-bit and 64-bit system calls. As root, run:

# auditctl -a exit,always -F arch=b32 -S execve
# auditctl -a exit,always -F arch=b64 -S execve

3. Run ls /tmp, these 3 events appears in /var/log/audit/audit.log. Lines are wrapped to make it easier to read here, but it’s normally a single long line in the real file.

# tail -f /var/log/audit/audit.log
type=SYSCALL msg=audit(1296773801.756:35241): arch=c000003e syscall=59 
    success=yes exit=0 a0=cf2d10 a1=9da530 a2=cd4e20 a3=8 items=2 
    ppid=4146 pid=11827 auid=500 uid=500 gid=500 euid=500 
    suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts7 
    ses=3 comm="ls" exe="/bin/ls"
    subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=EXECVE msg=audit(1296773801.756:35241): argc=3 a0="ls"
    a1="--color=auto" a2="/tmp" type=CWD msg=audit(1296773801.756:35241):
    cwd="/home/username"
type=PATH msg=audit(1296773801.756:35241): item=0 name="/bin/ls" 
    inode=14418043 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 
    obj=system_u:object_r:bin_t:s0 type=PATH 
    msg=audit(1296773801.756:35241): item=1 name=(null) inode=20447259
    dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
    obj=system_u:object_r:ld_so_t:s0

The audit logs are quite verbose, but they contain the full command, including the fact that ls was aliased by the shell to ls –color=auto. The first number in parentheses is a timestamp in seconds after the epoch. This can be converted to a human-readable time with Perl:

$ perl -e 'print scalar(localtime(1296773801.756)) . "\n";'
Thu Feb  3 16:56:41 2011

The exit=0 in the SYSCALL line above is regarding the execve() system call, not the overall program.

To log all commands for specific user

1. Start auditd service:

# chkconfig auditd on
# service auditd start

2. Add audit rule:

For 64-bit architecture:

# auditctl -a exit,always -F arch=b64 -F uid=500 -S execve -k auditcmd

For 32-bit architecture:

# auditctl -a exit,always -F arch=b32 -F uid=500 -S execve -k auditcmd

Here, uid is of the user for whom auditing is enabled of all commands. Run the auditctl command as root user to add the rules.

3. Verify the logs are being generated by checking /var/log/audit/audit.log file. Once user starts executing commands the logs will appear as below:

# tail -f /var/log/audit/audit.log
type=SYSCALL msg=audit(1393407885.099:8614): arch=c000003e syscall=59 success=yes exit=0 a0=158c9b0 a1=1588f10 a2=15a7ae0 a3=18 items=2 ppid=3123 pid=3307 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="ls" exe="/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=EXECVE msg=audit(1393407885.099:8614): argc=2 a0="ls" a1="--color=auto"
type=CWD msg=audit(1393407885.099:8614):  cwd="/home/sadaf"
type=PATH msg=audit(1393407885.099:8614): item=0 name="/bin/ls" inode=408600 dev=fc:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(1393407885.099:8614): item=1 name=(null) inode=429303 dev=fc:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0

type=SYSCALL msg=audit(1393407910.242:8615): arch=c000003e syscall=59 success=yes exit=0 a0=15971e0 a1=158c9b0 a2=15a7ae0 a3=18 items=2 ppid=3123 pid=3310 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="rmdir" exe="/bin/rmdir" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=EXECVE msg=audit(1393407910.242:8615): argc=2 a0="rmdir" a1="data"
NOTE: Audit generates extensive logs since every command will be recorded, which may have a negative impact on overall system performance.
How to monitor who is deleting a file in CentOS/RHEL using auditd
How to use auditd to monitor a specific SYSCALL
How to monitor the Mounting/Umounting of Mount Points Using Auditd on CentOS/RHEL 6,7
How to monitor time changes using auditd in CentOS/RHEL
Audit rules for monitoring Copy, move, delete and kill Commands In Linux

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, CentOS/RHEL 8, Fedora, Linux

Some more articles you might also be interested in …

  1. Understanding Samba utilities – nmblookup, smbstatus, smbtar, testparm, wbinfo, smbget
  2. How to check failed or bad login attempts in Linux
  3. How to Reserve a Port Range for a Third Party Application in CentOS/RHEL
  4. How to Remove a file with space in Linux
  5. CentOS / RHEL : How to change the UUID of the filesystem
  6. How to set the order to load certain modules in CentOS/RHEL 7 and 8
  7. Why Does “netstat” Output Show Many Connections in CLOSE_WAIT Status?
  8. Linux OS Service ‘httpd’
  9. How to disable or enable the IPv6 protocol in CentOS/RHEL 4
  10. UNIX / Linux : How to install and configure mutt

You May Also Like

Primary Sidebar

Recent Posts

  • How to set the order to load certain modules in CentOS/RHEL 7 and 8
  • How to configure initrd / initramfs to including kernel modules in CentOS/RHEL
  • How to configure systemd.path to trigger an event when any changes made to a directory
  • Script to monitor RMAN Backup and Restore Operations
  • Oracle RMAN Backup Shell Script Example
  • Archives
  • Contact Us
  • Copyright

© 2019 · The Geek Diary