If you are asked to track user activity on your system, i.e. to log users' commands, you will
probably first think of the native Linux auditing facility, auditd. Auditd is capable of that and
more: it can also watch for changes to specific files or directories and track almost every action
on the system. The auditing facility can be hooked before and/or after any system call.
This example shows how to configure auditd to watch for commands issued by a user. To read
the log easily you can use my script audit_report.
Linux auditing is provided by the auditd daemon. The basic components of the auditd package are:
configuration files:
/etc/auditd.conf - configuration file, general behavior of the program
/etc/audit.rules - audit rules, filters applied in the kernel
tools:
ausearch - to query logs
aureport - to produce summary reports
auditctl - to modify audit rules interactively
autrace - to trace a process, similar to strace
audit task - an audit event is generated only at the time a task is created
audit entry - an event is generated upon entry to a system call
The major disadvantage of auditing based on the "task" filter is its demand on system resources
(CPU, I/O, filesystem space). When the task filter is used, audit event filtering is invoked every
time a process calls fork() or clone(). The other problem is that filtering can only be done on the
fields already known at task creation time, such as the issuer's uid and gid. Auditing based on
entry to a syscall, if properly configured, has acceptable resource requirements and allows
tracking all of the user's actions. The syscall table can be found at:
The configuration files for auditd which tell auditd to log every syscall 11 (execve), in order
to track user activity, look like this:
/etc/audit.rules
/etc/auditd.conf
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 1
max_log_file = 80
max_log_file_action = IGNORE
space_left = 240
space_left_action = SYSLOG
admin_space_left = 160
admin_space_left_action = EMAIL
action_mail_acct = root
disk_full_action = SUSPEND
disk_error_action = SUSPEND
Explanation:
max_log_file = 80 tells the system to keep the maximum log size at 80 MB, for when we would
like to rotate logs. Because we don't use logrotate here, the value is not important and auditing
runs on as long as space is available on the local disk. space_left = 240 tells the system to write
a warning to syslog (space_left_action = SYSLOG) when less than 240 MB of filesystem space is
available for collecting audit data. When less than admin_space_left (160 MB) remains on the
device, a mail warning is sent to root (admin_space_left_action = EMAIL, action_mail_acct = root).
Basic search within the log files (search for my_user within a time interval):
# ausearch -ge my_user -ts 10:00:00 -te 12:49:00
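As an added example of what a small report script over the RAW log format has to do (this is not the article's audit_report script, and the log lines in it are constructed, not a real capture), the following Python parses auditd RAW records, joins each SYSCALL record to the EXECVE record with the same serial, decodes the hex form auditd uses for arguments containing spaces, and filters by login uid and time window the way the ausearch call above does. It assumes the events were produced by a rule on the execve syscall (syscall 11 on 32-bit x86, as in the article) and that the rule carried a key, which auditd writes as the key= field; both are assumptions of this example. The report attributes each command to auid, the login uid, because that field survives su and sudo while uid and euid do not.

```python
"""Parse auditd RAW-format log lines into execve events and filter them.

Added example, not the article's audit_report script. Assumes each event is a
SYSCALL record followed by an EXECVE record sharing the same audit serial,
as produced by a rule on the execve syscall.
"""
import re
from datetime import datetime, timezone

# Constructed sample lines (not a real capture). arch=40000003 / syscall=11 is
# execve on 32-bit x86, as in the article. Event 1002 was run through su/sudo:
# auid (login uid) stays 1000 while uid/euid become 0. Event 1003 carries a
# hex-encoded argument, which auditd emits for strings containing spaces.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1300000000.123:1001): arch=40000003 syscall=11 success=yes exit=0 a0=9e3c008 a1=9e3c1a0 a2=9e3c2b8 a3=0 items=2 ppid=1200 pid=1201 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="user_cmd"
type=EXECVE msg=audit(1300000000.123:1001): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1300000000.456:1002): arch=40000003 syscall=11 success=yes exit=0 a0=9e3d008 a1=9e3d1a0 a2=9e3d2b8 a3=0 items=2 ppid=1200 pid=1202 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="user_cmd"
type=EXECVE msg=audit(1300000000.456:1002): argc=1 a0="id"
type=SYSCALL msg=audit(1300000500.789:1003): arch=40000003 syscall=11 success=yes exit=0 a0=8f1a008 a1=8f1a1a0 a2=8f1a2b8 a3=0 items=2 ppid=1300 pid=1301 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="ls" exe="/bin/ls" key="user_cmd"
type=EXECVE msg=audit(1300000500.789:1003): argc=2 a0="ls" a1=6D7920646972
"""

# type=<RECORD> msg=audit(<epoch.msec>:<serial>): <key=value ...>
HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ARG_KEY_RE = re.compile(r'^a\d+$')


def _decode_value(key, raw, rec_type):
    """Strip quotes; in EXECVE records an unquoted aN value is hex-encoded
    (auditd does this for arguments with spaces or control characters)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if rec_type == 'EXECVE' and ARG_KEY_RE.match(key) and len(raw) % 2 == 0:
        try:
            return bytes.fromhex(raw).decode('utf-8', errors='replace')
        except ValueError:
            pass
    return raw


def parse_audit_log(text):
    """Return execve events, one per audit serial, ordered by timestamp.
    Each event: serial, ts (epoch float), auid, uid, euid, tty, exe, key, argv."""
    by_serial = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an audit record (blank or foreign line)
        rec_type, serial = m.group('type'), int(m.group('serial'))
        fields = {k: _decode_value(k, v, rec_type)
                  for k, v in FIELD_RE.findall(m.group('body'))}
        ev = by_serial.setdefault(serial, {'serial': serial, 'ts': float(m.group('ts')), 'argv': []})
        if rec_type == 'SYSCALL':
            ev.update({
                'auid': int(fields.get('auid', -1)), 'uid': int(fields.get('uid', -1)),
                'euid': int(fields.get('euid', -1)), 'tty': fields.get('tty', '?'),
                'exe': fields.get('exe', '?'), 'key': fields.get('key', ''),
                'syscall': int(fields.get('syscall', -1)),
            })
        elif rec_type == 'EXECVE':
            argc = int(fields.get('argc', 0))
            ev['argv'] = [fields.get('a%d' % i, '') for i in range(argc)]
    # Keep only complete events: a SYSCALL record joined to an EXECVE record.
    events = [ev for ev in by_serial.values() if 'auid' in ev and ev['argv']]
    return sorted(events, key=lambda e: (e['ts'], e['serial']))


def filter_events(events, auid=None, start=None, end=None):
    """Select events by login uid and by an inclusive epoch-seconds window,
    the counterpart of the user and -ts/-te options of ausearch."""
    return [ev for ev in events
            if (auid is None or ev['auid'] == auid)
            and (start is None or ev['ts'] >= start)
            and (end is None or ev['ts'] <= end)]


def format_event(ev):
    """One report line; commands whose effective uid differs from the login
    uid (run after su/sudo) are flagged with the euid they ran under."""
    when = datetime.fromtimestamp(ev['ts'], tz=timezone.utc).strftime('%Y-%m-%d %H:%M:%S')
    esc = ' [euid=%d]' % ev['euid'] if ev['euid'] != ev['auid'] else ''
    return '%s auid=%d tty=%s%s %s' % (when, ev['auid'], ev['tty'], esc, ' '.join(ev['argv']))


def audit_report(text, auid=None, start=None, end=None):
    """Parse, filter and render; returns the report lines."""
    return [format_event(ev) for ev in filter_events(parse_audit_log(text), auid, start, end)]


if __name__ == '__main__':
    print('\n'.join(audit_report(SAMPLE_LOG)))
```

Timestamps are rendered in UTC so the output is the same on any host; a production script would use local time, which is what ausearch -ts/-te interpret. Flagging auid != euid is the cheap detection win here: a command logged with uid=0 but auid=1000 was run by the user who logged in as uid 1000, and the audit log is the one place that link is kept.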