Quickly Enable Linux Audit

Posted on October 27, 2016

We are going to log every command executed on the system. All events are written to /var/log/audit/audit.log.

COMMANDS
# chkconfig auditd on
# service auditd start
# auditctl -a exit,always -F arch=b32 -S execve
# auditctl -a exit,always -F arch=b64 -S execve

HELPFUL COMMANDS
# aureport -x --summary
# ausearch -i          (human-readable output)

HELPFUL LINK
For more details, see the official Red Hat knowledge-base article:
https://access.redhat.com/solutions/49257

EXAMPLE ENVIRONMENT
1- tail -f /var/log/audit/audit.log
2- Open a PuTTY (SSH) session from another computer.
3- Run any command, for example /bin/date or /bin/ls.
4- audit.log starts logging the commands.
5- Run ausearch -i to trace the command execution from step 3.
6- Note the pts session id from step 5 and match it against the output of the last command for that time.

END RESULT

Now we can establish that at a specific time a specific UID, connected from a specific IP, ran a specific command.
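As an added example (not part of the original post), the Python script below does steps 5 and 6 offline: it parses the SYSCALL and EXECVE records that the execve rules above write, joins them by audit event id, and matches the pts name against `last -i` output to produce time, user, source IP, uid and command. The audit.log lines and the `last -i` lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
# Constructed /var/log/audit/audit.log sample: the SYSCALL and EXECVE records for one execve share the same msg=audit(time:serial) id.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1477567890.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="date" exe="/bin/date" key=(null)
type=EXECVE msg=audit(1477567890.123:4567): argc=1 a0="/bin/date"
type=SYSCALL msg=audit(1477567895.456:4570): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2001 pid=2003 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1477567895.456:4570): argc=2 a0="ls" a1="-la"
"""
# Constructed `last -i` sample: the PuTTY session from the other computer plus a reboot line to skip.
LAST_OUTPUT = """\
alice    pts/0        192.0.2.10       Thu Oct 27 11:30   still logged in
reboot   system boot  0.0.0.0          Thu Oct 27 09:00   still running
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
EXECVE_SYSCALLS = {"59", "11"}  # execve number on x86_64 (arch=b64) and i386 (arch=b32)

def parse_execve_events(text):
    """Group audit records by event id; return one dict per execve call."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events[m.group(2)]
        if f.get("type") == "SYSCALL" and f.get("syscall") in EXECVE_SYSCALLS:
            # auid is the login uid and survives su/sudo; audit writes tty=pts0 but `last` prints pts/0, so normalise for the join.
            ev.update(time=datetime.fromtimestamp(float(m.group(1)), tz=timezone.utc),
                      auid=f.get("auid"), uid=f.get("uid"),
                      tty=f.get("tty", "").replace("pts", "pts/", 1))
        elif f.get("type") == "EXECVE":  # argv lives in the EXECVE record, not in SYSCALL
            ev["argv"] = [f.get(f"a{i}", "") for i in range(int(f.get("argc", "0")))]
    return [ev for ev in events.values() if "argv" in ev and "auid" in ev]

def parse_last(text):
    """Map pts name -> (user, source IP) from `last -i` lines; reboot entries are skipped."""
    rows = (line.split() for line in text.splitlines())
    return {p[1]: (p[0], p[2]) for p in rows if len(p) > 2 and p[1].startswith("pts/")}

def attribute(audit_text, last_text):
    """Join each execve to the login session on its pts: time, user, IP, auid, uid, command."""
    sessions = parse_last(last_text)
    result = []
    for ev in sorted(parse_execve_events(audit_text), key=lambda e: e["time"]):
        user, ip = sessions.get(ev["tty"], ("?", "?"))
        result.append({"time": ev["time"].strftime("%Y-%m-%d %H:%M:%S UTC"), "user": user,
                       "ip": ip, "auid": ev["auid"], "uid": ev["uid"],
                       "command": " ".join(ev["argv"])})
    return result
```

Rules added with auditctl on the command line are lost at reboot; put them in /etc/audit/audit.rules (or a file under /etc/audit/rules.d/ on newer audit releases) to keep them. The second sample event shows why the join reports both fields: uid is 0 after a switch to root, while auid still names the original login.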

Posted in: Linux