To track root actions taken after:
1. # sudo -s
2. # sudo -i
3. # sudo su -
4. # sudo mc (with the ^O subshell)
5. and also when a script is created (“vi test.sh”) and run with “sudo ./test.sh”
To track such actions we need:
- PAM module pam_tty_audit.so
- service auditd (/sbin/chkconfig auditd on)
- append to /etc/pam.d/system-auth:
session required pam_tty_audit.so disable=* enable=root
- append to /etc/pam.d/su and /etc/pam.d/su-l:
session required pam_tty_audit.so enable=root
- append to /etc/pam.d/sudo and /etc/pam.d/sudo-i:
session required pam_tty_audit.so open_only enable=root
And, possibly, for more information it is good to also enable:
- service psacct (/sbin/chkconfig psacct on)
Example with sudo mc:
[phn@localhost ~]$ sudo mc
[root@localhost ~]# echo TEST-in-mc+ctrl+o-TEST
TEST-in-mc+ctrl+o-TEST
[root@localhost ~]# ping localhost # (At first I typed “ping loolho”, then pressed Backspace several times and typed the correct command.)
Tracking of root actions:
[root@localhost ~]# ausearch -i
# Here I run “sudo mc”
----
type=USER_END msg=audit(12/02/2009 15:28:14.280:55) : user pid=2849 uid=root auid=phn subj=user_u:system_r:unconfined_t:s0 msg='PAM: session close acct=root : exe=/usr/bin/sudo (hostname=localhost.localdomain, addr=127.0.0.1, terminal=/dev/pts/2 res=success)'
----
type=USER_CMD msg=audit(12/02/2009 15:28:14.283:56) : user pid=2849 uid=root auid=phn subj=user_u:system_r:unconfined_t:s0 msg='cwd=/home/et0362 cmd=/usr/bin/mc (terminal=pts/2 res=success)'
# Here I run “echo TEST-in-mc+ctrl+o-TEST”
----
type=TTY msg=audit(12/02/2009 15:29:04.244:59) : tty pid=2852 uid=root auid=phn major=136 minor=3 comm=bash data=" ",<backspace>,"echo TEST-in-mc+ctrl+o-TEST",<ret>
# Here I start “ping localhost” with mistypes
----
type=TTY msg=audit(12/02/2009 15:29:35.209:61) : tty pid=2852 uid=root auid=phn major=136 minor=3 comm=bash data="ping loolho",<backspace>,<backspace>,<backspace>,<backspace>,"calhost",<ret>
----
# Here I exit mc with the mouse, and we can see the log of all actions done inside mc
type=TTY msg=audit(12/02/2009 15:30:14.224:63) : tty pid=2849 uid=root auid=phn major=136 minor=2 comm=mc data=<^O>,"echo TEST-in-mc+ctrl+o-TEST",<ret>,"ping loolho",<backspace>,<backspace>,<backspace>,<backspace>,"calhost",<ret>,<^C>,<^O>,<mouse>," mN",<mouse>,"#mN",<mouse>," l2",<mouse>,"#l2"
----
Some explanation:
Login user id - auid=phn
Effective user id - uid=root
Pressed keys: <backspace>, <up>, <down>, <left>, <right>, <ret>, <insert>, <delete>; Space = " "
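The data= field above is a keystroke log, not the final command line, so the typed command has to be replayed (text appended, <backspace> deleting a character, <ret> ending the line, <^C> discarding it). This is an added example, not part of the original note: a small Python replayer for the `ausearch -i` TTY records shown above, with the two records from this page embedded as sample input. Key names other than the ones above are an assumption based on the records shown.

```python
import re
from typing import List, Tuple

# Sample input (constructed from the two TTY records shown in this page).
SAMPLE = [
    'type=TTY msg=audit(12/02/2009 15:29:35.209:61) : tty pid=2852 uid=root auid=phn '
    'major=136 minor=3 comm=bash data="ping loolho",<backspace>,<backspace>,<backspace>,'
    '<backspace>,"calhost",<ret>',
    'type=TTY msg=audit(12/02/2009 15:30:14.224:63) : tty pid=2849 uid=root auid=phn '
    'major=136 minor=2 comm=mc data=<^O>,"echo TEST-in-mc+ctrl+o-TEST",<ret>,'
    '"ping loolho",<backspace>,<backspace>,<backspace>,<backspace>,"calhost",<ret>,'
    '<^C>,<^O>,<mouse>," mN",<mouse>,"#mN",<mouse>," l2",<mouse>,"#l2"',
]

FIELD_RE = re.compile(r'\b(pid|uid|auid|comm)=(\S+)')  # \b keeps uid= from matching inside auid=

def tokenize(data: str) -> List[Tuple[str, str]]:
    """Split the data= field into ('text', s) and ('key', name) tokens."""
    tokens, i = [], 0
    while i < len(data):
        if data[i] == '"':                     # quoted literal text
            end = data.index('"', i + 1)
            tokens.append(('text', data[i + 1:end]))
            i = end + 1
        elif data[i] == '<':                   # <key> marker
            end = data.index('>', i + 1)
            tokens.append(('key', data[i + 1:end]))
            i = end + 1
        else:                                  # comma separators
            i += 1
    return tokens

def reconstruct(data: str) -> Tuple[List[str], str]:
    """Replay the keystrokes; returns (completed lines, unfinished buffer)."""
    lines, buf = [], []
    for kind, val in tokenize(data):
        if kind == 'text':
            buf.extend(val)
        elif val == 'backspace':
            if buf:
                buf.pop()
        elif val == 'ret':
            lines.append(''.join(buf)); buf = []
        elif val == '^C':                      # interrupted line is thrown away
            buf = []
        # cursor keys, <mouse>, ^O and other keys do not change the typed text
    return lines, ''.join(buf)

def parse_record(line: str) -> dict:
    """Identity fields plus the replayed commands from one TTY record."""
    rec = dict(FIELD_RE.findall(line))
    rec['commands'], rec['pending'] = reconstruct(line.split(' data=', 1)[1])
    return rec
```

Running `parse_record` over the second sample yields the two commands typed inside mc (“echo TEST-in-mc+ctrl+o-TEST” and “ping localhost”) and leaves the mouse-escape residue (“ mN#mN l2#l2”) as an unfinished buffer.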
Additional information
AUDITD
Log file:
/var/log/audit/audit.log (use ausearch -i; the raw file stores some fields in numeric, non-human-readable form)
Configuration files:
/etc/audit/auditd.conf (main),
/etc/sysconfig/auditd (startup options and locale setting).
/usr/share/doc/auditd
Commands:
ausearch - query the audit log (option "-i" interprets numeric entities as text: for example, a uid is converted to an account name, and data in kernel format to human-readable form).
auditctl - control the behavior of auditd (status, rules).
autrace - add the audit rules needed to trace a process, similar to strace.
PSACCT
To track processes we can use the command “lastcomm”:
[root@localhost ~]# lastcomm | less
...
ausearch root pts/2 0.32 secs Wed Dec 2 15:30
bash F root pts/2 0.00 secs Wed Dec 2 15:30
id root pts/2 0.00 secs Wed Dec 2 15:30
bash F root pts/2 0.00 secs Wed Dec 2 15:30
consoletype root pts/2 0.00 secs Wed Dec 2 15:30
bash F root pts/2 0.00 secs Wed Dec 2 15:30
id root pts/2 0.00 secs Wed Dec 2 15:30
...
date phn pts/2 0.02 secs Wed Dec 2 15:30
bash S X root __ 0.14 secs Wed Dec 2 15:28
mc S root pts/2 0.28 secs Wed Dec 2 15:28
ping S root pts/3 0.04 secs Wed Dec 2 15:29
bash F root pts/3 0.00 secs Wed Dec 2 15:28
id root pts/3 0.00 secs Wed Dec 2 15:28
...