As a Linux administrator you sometimes need to find out who ran which command on a shared file system where multiple users have full access.
You can get that information with custom audit rules:
Update the 'audit.rules' file under /etc/audit/rules.d/ with the following rules:
# Audit Copy, Move, Delete & Create file commands
-a exit,always -F arch=b64 -S execve -F path=/bin/cp -k copy
-a exit,always -F arch=b64 -S execve -F path=/bin/mv -k move
-a exit,always -F arch=b64 -S execve -F path=/bin/rm -k delete
-a exit,always -F arch=b64 -S execve -F path=/usr/bin/vim -k create
In the above rules, -k assigns a key to each rule; the key is what you later use to filter the audit logs.
sudo ausearch -k create
type=CWD msg=audit(1607080601.464:882948): cwd="/home/user1"
type=EXECVE msg=audit(1607080601.464:882948): argc=2 a0="vim" a1="testfile"
type=SYSCALL msg=audit(1607080601.464:882948): arch=c000003e syscall=59 success=yes exit=0 a0=55ac87705a20 a1=55ac876c4170 a2=55ac8770b880 a3=8 items=2 ppid=3814853 pid=3818277 auid=12345 uid=12345 gid=54321 euid=12345 suid=12345 fsuid=12345 egid=54321 sgid=54321 fsgid=54321 tty=pts2 ses=100235 comm="vim" exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="create"
The above command returns the audit records tagged with the 'create' key, i.e. executions of the 'vim' command.
In this record you can see the following details:
cwd="/home/user1" <=== the directory in which the user created the file
a1="testfile" <=== the file the user created
suid=12345 & sgid=54321 <=== UID and GID of the user who executed the 'vim' command
auid=12345 <=== the login UID; unlike uid/suid it is not changed by su or sudo, so it is the field to rely on when attributing the action to a person
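To review many of these events at once you usually want to join the CWD, EXECVE and SYSCALL records that share one audit serial. The following parser is an added example (not part of the original post) that does this over constructed ausearch output: the event shown above, plus a second constructed event whose argument was hex-encoded by auditd and which was run via sudo, so uid differs from auid.

```python
import re
from collections import defaultdict

# Constructed sample: the records shown above for event serial 882948 (abridged),
# plus a second constructed event in which auditd hex-encoded an argv entry because
# it contains a space ("my report"), and where uid=0 but auid=12345 (rm run via sudo).
SAMPLE = """\
type=CWD msg=audit(1607080601.464:882948): cwd="/home/user1"
type=EXECVE msg=audit(1607080601.464:882948): argc=2 a0="vim" a1="testfile"
type=SYSCALL msg=audit(1607080601.464:882948): arch=c000003e syscall=59 success=yes exit=0 ppid=3814853 pid=3818277 auid=12345 uid=12345 gid=54321 euid=12345 suid=12345 comm="vim" exe="/usr/bin/vim" key="create"
type=CWD msg=audit(1607080700.001:882960): cwd="/srv/share"
type=EXECVE msg=audit(1607080700.001:882960): argc=3 a0="rm" a1="-f" a2=6D79207265706F7274
type=SYSCALL msg=audit(1607080700.001:882960): arch=c000003e syscall=59 success=yes exit=0 pid=4000 auid=12345 uid=0 euid=0 comm="rm" exe="/bin/rm" key="delete"
"""

# type=<RECORD> msg=audit(<epoch>:<serial>): <fields>; all records of one event share the serial.
MSG_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def decode_argv_entry(raw):
    """auditd quotes plain argv strings; an unquoted value is the hex encoding of the bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode('utf-8', errors='replace')

def parse_ausearch(text):
    """Group raw ausearch output by event serial and extract the fields needed for attribution."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue            # '----' separators and other non-record lines
        rtype, ts, serial, body = m.groups()
        fields = dict(FIELD_RE.findall(body))
        ev = events[serial]
        ev['timestamp'] = float(ts)
        if rtype == 'CWD':
            ev['cwd'] = fields['cwd'].strip('"')
        elif rtype == 'EXECVE':
            ev['argv'] = [decode_argv_entry(fields[f'a{i}']) for i in range(int(fields['argc']))]
        elif rtype == 'SYSCALL':
            for k in ('auid', 'uid', 'euid', 'exe', 'key', 'success'):
                if k in fields:
                    ev[k] = fields[k].strip('"')
    return dict(events)

def attribution_report(events):
    """One tuple per event, oldest first: (login uid, effective uid, cwd, key, command line)."""
    return [(ev.get('auid'), ev.get('uid'), ev.get('cwd'), ev.get('key'), ' '.join(ev.get('argv', [])))
            for _, ev in sorted(events.items(), key=lambda kv: kv[1]['timestamp'])]

if __name__ == '__main__':
    for row in attribution_report(parse_ausearch(SAMPLE)):
        print(row)
```

Feed it real output with `sudo ausearch -k create -k delete --raw` (the `--raw` format is what the regexes expect); the second sample row shows why auid, not uid, identifies the person when the command ran under sudo.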