How to log execution of a specific binary/script using auditd or other
I have the following situation in hand. I have one or more specific executable files in /usr/bin, I will call one /usr/bin/execute, and they may either be a compiled binary or a script file, such as a perl or python script.
I would like to log when any user launches these specific binaries. The information I would like from this is basically:
- the name/path of the executable
- the arguments given to the executable
- the user who performed the action
- the date/time
Furthermore, I would like this information to be in a format which is logical to parse if needed.
Auditd looked like a good choice at first, but it has a strange way of splitting up the information above into two entries for some reason. For example, in the example above, I want to track running of the program /usr/bin/execute. I will add these statements to the auditctl:
-a exit,always -F arch=b32 -S execve
-a exit,always -F arch=b64 -S execve
(I have not yet been able to find how to specify "/usr/bin/execute" as the only thing logged, I would appreciate help from someone who knows how to do this)
In the log after running /usr/bin/execute with one argument, I get the following two relevant entries:
type=SYSCALL msg=audit(1447688181.106:819746): arch=c000003e syscall=59 success=yes exit=0 a0=2898528 a1=26e3308 a2=2720008 a3=7fff176c1840 items=3 ppid=10697 pid=10715 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=8 comm="execute" exe="/usr/bin/perl" key=(null)
type=EXECVE msg=audit(1447688181.106:819746): argc=3 a0="/usr/bin/perl" a1="/usr/bin/execute" a2="some_arg.txt"
The information is for some reason being split between two entries. In the first SYSCALL message I get the uid of the user, and in the second EXECVE message I get the path (in 'a1', which I am not sure is consistent) and the arguments. In addition to the fact that this is more difficult to parse, I do not have a definite link between these statements to reconcile that they are part of the same event. This whole output seems to be generally incorrect for what I am trying to accomplish, so I am looking for a better way.
Tl;Dr: Can I get auditd to log this information to a file in a generally parse-able way, for scripts or binaries? Can I limit logging to only this executable file? If not, would another auditing daemon be a better choice?
Thank you.
ubuntu logging audit auditd
asked Nov 16 '15 at 16:31
Rboreal_Frippery
1 Answer
No matter how you do this in auditd you will have to use some parser to get the information you want (unless one of ausearch's options will help).
To start with, to monitor just specific commands, and let's say the commands are /usr/bin/who (a binary) and /usr/bin/whatis (a shell script), then use the rules
-w /usr/bin/who -p x -k my_execs
-w /usr/bin/whatis -p x -k my_execs
After setting these rules, restart the auditd service, then execute
who -a
whatis who
then as root
ausearch -i -k my_execs
to get
----
node=mynode.mydomain type=CONFIG_CHANGE msg=audit(11/18/2015 08:38:22.724:847290) : auid=burn ses=145 subj=unconfined_u:system_r:auditctl_t:s0 op="add rule" key=my_execs list=exit res=yes
----
node=mynode.mydomain type=CONFIG_CHANGE msg=audit(11/18/2015 08:38:22.724:847291) : auid=burn ses=145 subj=unconfined_u:system_r:auditctl_t:s0 op="add rule" key=my_execs list=exit res=yes
----
node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:25.381:847344) : item=1 name=(null) inode=524297 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:25.381:847344) : item=0 name=/usr/bin/who inode=2102799 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
node=mynode.mydomain type=CWD msg=audit(11/18/2015 08:38:25.381:847344) : cwd=/tmp
node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:25.381:847344) : argc=2 a0=who a1=-a
node=mynode.mydomain type=SYSCALL msg=audit(11/18/2015 08:38:25.381:847344) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x11728e0 a1=0x1172d90 a2=0x10e8020 a3=0x18 items=2 ppid=1810 pid=22443 auid=burn uid=burn gid=burn euid=burn suid=burn fsuid=burn egid=burn sgid=burn fsgid=burn tty=pts0 ses=145 comm=who exe=/usr/bin/who subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=my_execs
----
node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=2 name=(null) inode=524297 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=1 name=(null) inode=786482 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=0 name=/usr/bin/whatis inode=2112811 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
node=mynode.mydomain type=CWD msg=audit(11/18/2015 08:38:31.052:847381) : cwd=/tmp
node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:31.052:847381) : argc=2 a0=/bin/sh a1=/usr/bin/whatis
node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:31.052:847381) : argc=3 a0=/bin/sh a1=/usr/bin/whatis a2=who
node=mynode.mydomain type=SYSCALL msg=audit(11/18/2015 08:38:31.052:847381) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x1172d90 a1=0x1172500 a2=0x10e8020 a3=0x18 items=3 ppid=1810 pid=22504 auid=burn uid=burn gid=burn euid=burn suid=burn fsuid=burn egid=burn sgid=burn fsgid=burn tty=pts0 ses=145 comm=whatis exe=/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=my_execs
You can see that ausearch has extracted the events you want (using your key).
The SYSCALL elements give you the who, where and other elements, the EXECVE elements give you the arguments, the CWD element the location, and the PATH elements details about the files involved. For reference, on this system the inodes above map to
524297 /lib64/ld-2.12.so
2102799 /usr/bin/who
786482 /bin/bash
2112811 /usr/bin/whatis
You can check out https://people.redhat.com/sgrubb/audit for more information.
answered Nov 17 '15 at 21:49
BurnA
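The answer says that whatever rules you use, you will still need a parser. The script below is an added example (not code from either post, and not part of the audit project) of that parser, written for the raw /var/log/audit/audit.log format the question quotes rather than the ausearch -i output in the answer. It groups records by the audit(timestamp:serial) id that both records in the question share, which is the link between SYSCALL and EXECVE the question was missing; it takes the identity fields from SYSCALL, argv from EXECVE, the executed file from the PATH item=0 record (more reliable than a1, which for a script is the interpreter's argument), the directory from CWD, and keeps only events tagged with the -k my_execs key from the answer's rules. The sample log lines are constructed around the question's record, with a CWD and PATH record added as the -w/-k rules produce them, a second run carrying a hex-encoded argument, and an unrelated open() event for contrast. Field names, the hex encoding of non-printable arguments, the aN[k] fragments for long arguments, and auid 4294967295 meaning "no login session" are auditd conventions; the directory, pids and inode values are assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample of raw audit.log lines (the un-interpreted form the question
# quotes).  Event 819746 is the question's perl-script run plus its CWD and PATH
# records; event 819801 is the same script run under sudo with a hex-encoded
# argument (auditd hex-encodes any argument containing a space, quote or control
# character); event 819850 is an unrelated open() syscall with no key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1447688181.106:819746): arch=c000003e syscall=59 success=yes exit=0 a0=2898528 a1=26e3308 a2=2720008 a3=7fff176c1840 items=3 ppid=10697 pid=10715 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=8 comm="execute" exe="/usr/bin/perl" key="my_execs"
type=EXECVE msg=audit(1447688181.106:819746): argc=3 a0="/usr/bin/perl" a1="/usr/bin/execute" a2="some_arg.txt"
type=CWD msg=audit(1447688181.106:819746):  cwd="/home/alice"
type=PATH msg=audit(1447688181.106:819746): item=0 name="/usr/bin/execute" inode=4711 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1447688190.512:819801): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=10697 pid=10799 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=8 comm="execute" exe="/usr/bin/perl" key="my_execs"
type=EXECVE msg=audit(1447688190.512:819801): argc=3 a0="/usr/bin/perl" a1="/usr/bin/execute" a2=68656C6C6F20776F726C64
type=CWD msg=audit(1447688190.512:819801):  cwd="/tmp"
type=PATH msg=audit(1447688190.512:819801): item=0 name="/usr/bin/execute" inode=4711 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1447688195.001:819850): arch=c000003e syscall=2 success=yes exit=3 a0=1 a1=0 a2=0 a3=0 items=1 ppid=1 pid=10800 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=8 comm="cat" exe="/bin/cat" key=(null)
"""

MSG_RE = re.compile(r"^(?:node=\S+ )?type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'([\w\[\]]+)=("(?:[^"\\]|\\.)*"|\S*)')
ARG_RE = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")
AUID_UNSET = 4294967295  # auid when no login session is attached (e.g. a cron job)


def parse_fields(body):
    """Split 'k=v k="v with spaces"' into a dict; values keep their quoting."""
    return dict(FIELD_RE.findall(body))


def unquote(raw):
    if raw is None or raw == "(null)":
        return None
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw


def execve_args(fields):
    """Rebuild argv from an EXECVE record.  Printable arguments are quoted, anything
    else is hex-encoded, and long arguments are split into aN[0], aN[1]... fragments."""
    parts = {}
    for name, raw in fields.items():
        m = ARG_RE.match(name)
        if not m:
            continue
        idx, frag = int(m.group(1)), int(m.group(2) or 0)
        text = raw[1:-1] if raw.startswith('"') else bytes.fromhex(raw).decode("utf-8", "replace")
        parts.setdefault(idx, {})[frag] = text
    return ["".join(parts[i][k] for k in sorted(parts[i])) for i in sorted(parts)]


def group_events(text):
    """Group raw records by their audit(timestamp:serial) id: every record that
    belongs to one syscall carries the same id, which is the link between the
    SYSCALL and EXECVE lines in the question."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        events.setdefault((float(ts), int(serial)), []).append((rtype, parse_fields(body)))
    return events


def execve_events(text, key=None):
    """Return one flat dict per execve event, optionally only those tagged with key."""
    out = []
    for (ts, serial), records in sorted(group_events(text).items()):
        by_type = {}
        for rtype, fields in records:
            by_type.setdefault(rtype, []).append(fields)
        if "SYSCALL" not in by_type or "EXECVE" not in by_type:
            continue
        sc = by_type["SYSCALL"][0]
        if key is not None and unquote(sc.get("key")) != key:
            continue
        # A script can yield two EXECVE records for one event (the answer's whatis
        # run shows argc=2 and argc=3); keep the fullest one.
        ex = max(by_type["EXECVE"], key=lambda f: int(f.get("argc", 0)))
        # PATH item=0 is the file handed to execve(): for a script that is the script
        # itself, while exe= in SYSCALL is the interpreter that ended up running it.
        target = next((unquote(p["name"]) for p in by_type.get("PATH", []) if p.get("item") == "0"), None)
        auid = int(sc["auid"])
        out.append({
            "time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "serial": serial,
            "auid": None if auid == AUID_UNSET else auid,  # login user; survives su/sudo
            "uid": int(sc["uid"]),                          # identity at the moment of exec
            "pid": int(sc["pid"]), "ppid": int(sc["ppid"]), "ses": int(sc["ses"]),
            "exe": unquote(sc["exe"]),
            "path": target,
            "cwd": unquote(by_type["CWD"][0]["cwd"]) if "CWD" in by_type else None,
            "argv": execve_args(ex),
            "success": sc.get("success") == "yes",
        })
    return out


if __name__ == "__main__":
    for ev in execve_events(SAMPLE_LOG, key="my_execs"):
        print(json.dumps(ev))
```

Run it against a real file with `execve_events(open("/var/log/audit/audit.log").read(), key="my_execs")`. Reporting both auid and uid matters: in the second sample event the script ran as root, but auid still names the login user who typed the command, which is the "who performed the action" the question asks for.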