Friday, 4 December 2020

How to write custom audit rules to monitor specific commands

As a Linux administrator you sometimes need to find out who ran which command on a shared file system where multiple users have full access.

You can get that information with custom audit rules:

Add the rules to the 'audit.rules' file under /etc/audit/rules.d/ (then load them, e.g. with augenrules --load):

# Audit Copy, Move, Delete & Create file commands
-a exit,always -F arch=b64 -S execve -F path=/bin/cp -k copy
-a exit,always -F arch=b64 -S execve -F path=/bin/mv -k move
-a exit,always -F arch=b64 -S execve -F path=/bin/rm -k delete
-a exit,always -F arch=b64 -S execve -F path=/usr/bin/vim -k create

In the above configuration, -k attaches a key word to each rule; the key is written into every matching record and is what you filter the logs on.

sudo ausearch -k create

type=CWD msg=audit(1607080601.464:882948): cwd="/home/user1"
type=EXECVE msg=audit(1607080601.464:882948): argc=2 a0="vim" a1="testfile"
type=SYSCALL msg=audit(1607080601.464:882948): arch=c000003e syscall=59 success=yes exit=0 a0=55ac87705a20 a1=55ac876c4170 a2=55ac8770b880 a3=8 items=2 ppid=3814853 pid=3818277 auid=12345 uid=12345 gid=54321 euid=12345 suid=12345 fsuid=12345 egid=54321 sgid=54321 fsgid=54321 tty=pts2 ses=100235 comm="vim" exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="create"

The above command returns the audit records for the 'vim' rule, i.e. everything tagged with the key 'create'.

In this log you see the following details:

cwd="/home/user1"   <=== In which dir he/she created the file

a1="testfile"  <=== What is the file he/she created

suid=12345 & sgid=54321 <=== UID and GID of the user who executed the 'vim' command
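To turn raw ausearch output into something you can grep and count, here is an added shell helper (it is not part of the original post). It feeds the post's own vim event plus a second, constructed rm event through awk and prints one line per audit event: serial, key, auid, uid, cwd, exe and the executed argv. auid is the login UID and stays the same across su and sudo, so it is the field to trust when uid differs from the person who logged in; the constructed rm event (uid=0, auid=12345) shows exactly that case.

```shell
#!/bin/sh
# Summarise raw `ausearch -k <key>` output into one line per event.
# Added example for this post, not from the original. The field names used
# (type, cwd, argc/aN, auid, uid, exe, key) are the standard audit record fields.

# Constructed sample: the post's vim event plus a made-up rm event run under sudo.
SAMPLE_AUDIT='type=CWD msg=audit(1607080601.464:882948): cwd="/home/user1"
type=EXECVE msg=audit(1607080601.464:882948): argc=2 a0="vim" a1="testfile"
type=SYSCALL msg=audit(1607080601.464:882948): arch=c000003e syscall=59 success=yes exit=0 a0=55ac87705a20 a1=55ac876c4170 a2=55ac8770b880 a3=8 items=2 ppid=3814853 pid=3818277 auid=12345 uid=12345 gid=54321 euid=12345 suid=12345 fsuid=12345 egid=54321 sgid=54321 fsgid=54321 tty=pts2 ses=100235 comm="vim" exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="create"
----
type=CWD msg=audit(1607080655.120:882960): cwd="/opt/apps"
type=EXECVE msg=audit(1607080655.120:882960): argc=3 a0="rm" a1="-f" a2="old.log"
type=SYSCALL msg=audit(1607080655.120:882960): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=3814853 pid=3818301 auid=12345 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=100235 comm="rm" exe="/bin/rm" key="delete"'

# summarize_audit: read ausearch output on stdin and print
#   serial key auid uid cwd exe argv...
# one event per line, in order of first appearance.
summarize_audit() {
    awk '
    # field(line, name): value of name=value with quotes stripped, "" if absent.
    # The leading (^|[ (]) stops "uid=" from matching inside "auid=" or "fsuid=".
    function field(line, name,    re, s) {
        re = "(^|[ (])" name "=(\"[^\"]*\"|[^ ]*)"
        if (match(line, re)) {
            s = substr(line, RSTART, RLENGTH)
            sub("^.*" name "=", "", s)
            gsub(/"/, "", s)
            return s
        }
        return ""
    }
    /^type=/ {
        # the event serial is the part after ":" inside msg=audit(ts:serial)
        if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
        s = substr($0, RSTART, RLENGTH)
        sub(/^.*:/, "", s); sub(/\)$/, "", s)
        serial = s
        if (!(serial in seen)) { seen[serial] = 1; order[++n] = serial }
        t = field($0, "type")
        if (t == "CWD") cwd[serial] = field($0, "cwd")
        else if (t == "EXECVE") {
            # only EXECVE carries the real argv; SYSCALL a0..a3 are raw pointers
            argc = field($0, "argc") + 0
            argv[serial] = ""
            for (i = 0; i < argc; i++)
                argv[serial] = argv[serial] (i ? " " : "") field($0, "a" i)
        } else if (t == "SYSCALL") {
            auid[serial] = field($0, "auid"); uid[serial] = field($0, "uid")
            exe[serial] = field($0, "exe");   key[serial] = field($0, "key")
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            printf "%s %s %s %s %s %s %s\n", s, key[s], auid[s], uid[s], cwd[s], exe[s], argv[s]
        }
    }'
}

# Usage: pipe `sudo ausearch -k create` (or the sample) into the function.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_audit
```

In practice you would pipe `sudo ausearch -k delete -ts today | summarize_audit` and sort on the auid column; a row whose uid is 0 but whose auid is an ordinary account is a privileged action that should line up with an entry in the sudo log.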

Configure Sudo access and Limit to selective commands (Linux)

Like most things on Linux, the sudo command is very configurable. You can have sudo run specific commands without asking for a password, restrict specific users to only approved commands, log commands run with sudo, and more.


The sudo command's behavior is controlled by the /etc/sudoers file on your system. This file must be edited with the visudo command, which performs syntax-checking to ensure you don't accidentally break the file.

The safest way to work with the sudo configuration is to maintain a separate file for each Linux group or user under the /etc/sudoers.d directory.

Never ask password for any sudo commands

%admins ALL=(ALL) NOPASSWD: ALL

The above configuration will not ask for a password for any command run by a member of the 'admins' group.

Never ask for password only for specific commands

username ALL=(ALL) NOPASSWD: /usr/bin/chown, /usr/bin/chmod

Allow sudo access to specific commands with a password prompt

%appadmin ALL=/usr/bin/chown, /usr/bin/chmod

Allow sudo access to all commands except one command

username ALL= ALL, !/bin/su

The sudoers manual itself cautions that excluding commands from ALL with ! is not a dependable restriction, since a user permitted ALL can reach the same program under a different path or name; where the set of allowed commands matters, list them explicitly as in the examples above.

Allow sudo access to specific commands on the specific directory (without password)

%appadmin ALL=(ALL) NOPASSWD: /bin/chmod * /opt/apps/*,  /bin/chown * /opt/apps/*

The above configuration allows members of appadmin to run only chmod and chown via sudo, and only with arguments matching the /opt/apps/* patterns; the commands are invoked like this:

user1@testvm[~]$ sudo chmod 755 /opt/apps/test.txt
user1@testvm[~]$ sudo chown user1:appadmin /opt/apps/test.txt

Bear in mind that a * in a sudoers command argument matches any string, spaces included, so argument patterns like these are a coarse filter rather than a strict path check; read the Wildcards section of the sudoers manual before relying on them.

Setup email notification for user SUDO activity

When you work as a Linux administrator or security analyst it is often important to monitor users' sudo activity, and to have evidence that shows who changed what in your environment.
You can monitor every user's sudo activity so that an email is sent whenever someone runs a command through sudo.

Update /etc/sudoers with the configuration below:

Use vi /etc/sudoers or visudo.
I prefer to use 'visudo' so that it validates the /etc/sudoers configuration before you save it.
Append the following configuration to /etc/sudoers:

#sudo activity notifications
Defaults mail_always
Defaults mailerpath=/usr/sbin/sendmail
Defaults mailto="admin@example.com"
Defaults mailfrom = "root@servername.example.com"
Defaults mailsub="*** Command run via sudo on %h ***"
Defaults mailerflags="-t"
Defaults logfile=/var/log/sudo.log

If you want to monitor only one user or one group, modify the first line as below (group names take a % prefix):

Defaults:user1 mail_always
Defaults:%groupname mail_always

If you want to monitor all users except one user or group, replace the first line with:

User_Alias NOMAIL = user1, user2
User_Alias MAILUSERS = ALL, !NOMAIL
Defaults:MAILUSERS mail_always

The last line of the configuration writes sudo activity to a separate file, /var/log/sudo.log.
That file is handy for a quick search of a user's sudo activity.
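Once sudo writes to its own logfile, a couple of awk one-liners give you the per-user picture quickly. The helper below is an added example for this post, not from the original. The sample lines are constructed in the format sudo uses for a logfile entry (timestamp : user : TTY ; PWD ; USER ; COMMAND, with "command not allowed" inserted after the user when a rule refused the command); the denied attempt reuses the post's !/bin/su example.

```shell
#!/bin/sh
# Quick triage of a sudo logfile such as /var/log/sudo.log.
# Added example for this post, not from the original.

# Constructed sample lines in sudo's logfile format.
SAMPLE_SUDO_LOG='Dec  4 10:15:01 : user1 : TTY=pts/2 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/bin/chmod 755 /opt/apps/test.txt
Dec  4 10:15:09 : user1 : TTY=pts/2 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/bin/chown user1:appadmin /opt/apps/test.txt
Dec  4 10:16:30 : user2 : command not allowed ; TTY=pts/3 ; PWD=/home/user2 ; USER=root ; COMMAND=/bin/su
Dec  4 10:17:02 : user2 : TTY=pts/3 ; PWD=/home/user2 ; USER=root ; COMMAND=/bin/systemctl restart app'

# sudo_report: per-user counts of accepted and refused sudo attempts,
# followed by one "DENIED user command" line per refused attempt.
# Fields are split on " : ", so $2 is the invoking user and $3 starts with
# either TTY= (accepted) or the refusal message.
sudo_report() {
    awk -F' : ' '
    {
        user = $2
        users[user] = 1
        if ($3 ~ /^command not allowed/) {
            denied[user]++
            c = $0; sub(/^.*COMMAND=/, "", c)
            d[++nd] = user " " c
        } else {
            ok[user]++
        }
    }
    END {
        for (u in users)
            printf "%s ok=%d denied=%d\n", u, ok[u]+0, denied[u]+0 | "sort"
        close("sort")
        for (i = 1; i <= nd; i++) print "DENIED " d[i]
    }'
}

# sudo_commands USER: every command USER successfully ran through sudo.
sudo_commands() {
    awk -F' : ' -v who="$1" '
    $2 == who && $3 !~ /^command not allowed/ {
        sub(/^.*COMMAND=/, ""); print
    }'
}

# Usage: printf '%s\n' "$SAMPLE_SUDO_LOG" | sudo_report
#        sudo_commands user1 < /var/log/sudo.log
printf '%s\n' "$SAMPLE_SUDO_LOG" | sudo_report
```

sudo wraps long logfile entries at 80 columns by default; set Defaults loglinelen=0 alongside the logfile option so that each entry stays on one line and line-oriented tools like these see the whole command.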