How to log execution of a specific binary/script using auditd or other


I have the following situation in hand. I have one or more specific executable files in /usr/bin, I will call one /usr/bin/execute, and they may either be a compiled binary or a script file, such as a perl or python script.



I would like to log when any user launches these specific binaries. The information I would like from this is basically:



  • the name/path of the executable

  • the arguments given to the executable

  • the user who performed the action

  • the date/time

Furthermore, I would like this information to be in a format which is logical to parse if needed.



Auditd looked like a good choice at first, but it has a strange way of splitting up the information above into two entries for some reason. For example, in the example above, I want to track running of the program /usr/bin/execute. I will add these statements to the auditctl:



-a exit,always -F arch=b32 -S execve
-a exit,always -F arch=b64 -S execve


(I have not yet been able to find how to specify "/usr/bin/execute" as the only thing logged, I would appreciate help from someone who knows how to do this)



In the log after running /usr/bin/execute with one argument, I get the following two relevant entries:



type=SYSCALL msg=audit(1447688181.106:819746): arch=c000003e syscall=59 success=yes exit=0 a0=2898528 a1=26e3308 a2=2720008 a3=7fff176c1840 items=3 ppid=10697 pid=10715 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=8 comm="execute" exe="/usr/bin/perl" key=(null)
type=EXECVE msg=audit(1447688181.106:819746): argc=3 a0="/usr/bin/perl" a1="/usr/bin/execute" a2="some_arg.txt"


The information is for some reason being split between two entries. In the first SYSCALL message I get the uid of the user, and in the second EXECVE message I get the path (in 'a1', which I am not sure is consistent) and the arguments. In addition to the fact that this is more difficult to parse, I do not have a definite link between these statements to reconcile that they are part of the same event. This whole output seems to be generally incorrect for what I am trying to accomplish, so I am looking for a better way.



Tl;Dr: Can I get auditd to log this information to a file in a generally parse-able way, for scripts or binaries? Can I limit logging to only this executable file? If not, would another auditing daemon be a better choice?



Thank you.










      ubuntu logging audit auditd






      asked Nov 16 '15 at 16:31









Rboreal_Frippery

          1 Answer
          No matter how you do this in auditd you will have to use some parser to get the information you want (unless one of ausearch's options will help).



To start with, to monitor just specific commands, and let's say the commands are /usr/bin/who (a binary) and /usr/bin/whatis (a shell script), then use the rules



          -w /usr/bin/who -p x -k my_execs
          -w /usr/bin/whatis -p x -k my_execs


          After setting these rules, restart the auditd service, then execute



          who -a
          whatis who


          then as root



          ausearch -i -k my_execs


          to get



          ----
          node=mynode.mydomain type=CONFIG_CHANGE msg=audit(11/18/2015 08:38:22.724:847290) : auid=burn ses=145 subj=unconfined_u:system_r:auditctl_t:s0 op="add rule" key=my_execs list=exit res=yes
          ----
          node=mynode.mydomain type=CONFIG_CHANGE msg=audit(11/18/2015 08:38:22.724:847291) : auid=burn ses=145 subj=unconfined_u:system_r:auditctl_t:s0 op="add rule" key=my_execs list=exit res=yes
          ----
          node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:25.381:847344) : item=1 name=(null) inode=524297 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
          node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:25.381:847344) : item=0 name=/usr/bin/who inode=2102799 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
          node=mynode.mydomain type=CWD msg=audit(11/18/2015 08:38:25.381:847344) : cwd=/tmp
          node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:25.381:847344) : argc=2 a0=who a1=-a
          node=mynode.mydomain type=SYSCALL msg=audit(11/18/2015 08:38:25.381:847344) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x11728e0 a1=0x1172d90 a2=0x10e8020 a3=0x18 items=2 ppid=1810 pid=22443 auid=burn uid=burn gid=burn euid=burn suid=burn fsuid=burn egid=burn sgid=burn fsgid=burn tty=pts0 ses=145 comm=who exe=/usr/bin/who subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=my_execs
          ----
          node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=2 name=(null) inode=524297 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
          node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=1 name=(null) inode=786482 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
          node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=0 name=/usr/bin/whatis inode=2112811 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
          node=mynode.mydomain type=CWD msg=audit(11/18/2015 08:38:31.052:847381) : cwd=/tmp
          node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:31.052:847381) : argc=2 a0=/bin/sh a1=/usr/bin/whatis
          node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:31.052:847381) : argc=3 a0=/bin/sh a1=/usr/bin/whatis a2=who
          node=mynode.mydomain type=SYSCALL msg=audit(11/18/2015 08:38:31.052:847381) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x1172d90 a1=0x1172500 a2=0x10e8020 a3=0x18 items=3 ppid=1810 pid=22504 auid=burn uid=burn gid=burn euid=burn suid=burn fsuid=burn egid=burn sgid=burn fsgid=burn tty=pts0 ses=145 comm=whatis exe=/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=my_execs


You can see that ausearch has extracted the events you want (using your key).
The SYSCALL elements give you the who, where and other elements, the EXECVE elements give you the arguments, the CWD the location, and the PATH elements give details about the files involved. For reference, on this system the inodes above map to:



          524297 /lib64/ld-2.12.so
          2102799 /usr/bin/who
          786482 /bin/bash
          2112811 /usr/bin/whatis


          You can check out https://people.redhat.com/sgrubb/audit for more information






          share|improve this answer
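Added example, not code from the question or the answer: a Python parser that does the reconciliation the question asks about, grouping raw audit.log records by the msg=audit(timestamp:serial) id they share, flattening each execve event into one record, and undoing the upper-case hex encoding auditd uses for arguments that contain spaces. SAMPLE_LOG is constructed: the question's two records plus made-up CWD, PATH and second-event lines.

```python
"""Group raw auditd records by event id and flatten each execve event.
Input is the raw /var/log/audit/audit.log format (what auditd writes),
not the interpreted form that ausearch -i prints."""
import re
from datetime import datetime, timezone

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD_RE = re.compile(r'(?P<key>[\w\[\]]+)=(?P<val>"(?:[^"\\]|\\.)*"|\S*)')
ARG_RE = re.compile(r"^a(?P<idx>\d+)(?:\[(?P<chunk>\d+)\])?$")
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")
# Untrusted-string fields: auditd quotes them when clean and writes them as
# upper-case hex when they contain spaces, quotes or control characters.
STRING_FIELDS = {"comm", "exe", "cwd", "name", "key", "proctitle"}

# Constructed sample. Lines 1-2 are the question's records; the CWD/PATH
# lines and the second event (who -a run via sudo, with a hex-encoded
# third argument "some arg") are made up for this example.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1447688181.106:819746): arch=c000003e syscall=59 success=yes exit=0 a0=2898528 a1=26e3308 a2=2720008 a3=7fff176c1840 items=3 ppid=10697 pid=10715 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=8 comm="execute" exe="/usr/bin/perl" key=(null)
type=EXECVE msg=audit(1447688181.106:819746): argc=3 a0="/usr/bin/perl" a1="/usr/bin/execute" a2="some_arg.txt"
type=CWD msg=audit(1447688181.106:819746): cwd="/home/user"
type=PATH msg=audit(1447688181.106:819746): item=0 name="/usr/bin/execute" inode=131074 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1447688190.500:819750): arch=c000003e syscall=59 success=yes exit=0 a0=11728e0 a1=1172d90 a2=10e8020 a3=18 items=2 ppid=1810 pid=22443 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="who" exe="/usr/bin/who" key="my_execs"
type=EXECVE msg=audit(1447688190.500:819750): argc=3 a0="who" a1="-a" a2=736F6D6520617267
type=CWD msg=audit(1447688190.500:819750): cwd="/tmp"
"""

def decode_value(key, raw, record_type):
    """Undo auditd's value encoding: quotes, (null), or hex for string fields."""
    if raw == "(null)":
        return None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    # Only string fields are hex-encoded; numeric fields such as auid=1000
    # must be left alone even though they look like hex.
    is_string = key in STRING_FIELDS or (record_type == "EXECVE" and ARG_RE.match(key))
    if is_string and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_record(line):
    """Split one raw line into (event_id, timestamp, type, fields) or None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None  # e.g. the "----" separators ausearch prints
    rtype = m.group("type")
    fields = {k: decode_value(k, v, rtype) for k, v in FIELD_RE.findall(m.group("body"))}
    return m.group("ts") + ":" + m.group("serial"), float(m.group("ts")), rtype, fields

def argv_from_execve(fields):
    """Rebuild argv from aN fields; very long arguments arrive as aN[chunk]."""
    parts = {}
    for k, v in fields.items():
        m = ARG_RE.match(k)
        if m:
            idx, chunk = int(m.group("idx")), int(m.group("chunk") or 0)
            parts.setdefault(idx, {})[chunk] = v or ""
    return ["".join(parts[i][c] for c in sorted(parts[i])) for i in sorted(parts)]

def flatten_event(event_id, ts, records):
    """Merge the SYSCALL/EXECVE/CWD/PATH records of one event into one dict."""
    by_type = {}
    for rtype, fields in records:
        by_type.setdefault(rtype, []).append(fields)
    if "SYSCALL" not in by_type or "EXECVE" not in by_type:
        return None  # not an execve event, or truncated at end of file
    sc = by_type["SYSCALL"][0]
    # One serial can carry several EXECVE records (the whatis example in the
    # answer shows two); the last one holds the complete command line.
    return {
        "event_id": event_id,
        "time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "auid": sc.get("auid"),  # login uid: survives su/sudo, so this is "who"
        "uid": sc.get("uid"),    # uid the process actually ran as
        "ses": sc.get("ses"), "pid": sc.get("pid"), "ppid": sc.get("ppid"),
        "comm": sc.get("comm"),
        "exe": sc.get("exe"),    # for a script this is the interpreter
        "cwd": by_type.get("CWD", [{}])[0].get("cwd"),
        "argv": argv_from_execve(by_type["EXECVE"][-1]),
        "key": sc.get("key"),
        "paths": [p["name"] for p in by_type.get("PATH", []) if p.get("name")],
    }

def parse_audit_log(text):
    """Group records by event id (timestamp:serial) and flatten execve events."""
    events = {}
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        event_id, ts, rtype, fields = parsed
        events.setdefault(event_id, (ts, []))[1].append((rtype, fields))
    flat = (flatten_event(eid, ts, recs) for eid, (ts, recs) in events.items())
    return [e for e in flat if e is not None]
```

Run `parse_audit_log(open("/var/log/audit/audit.log").read())` and filter on `key` (after adding the answer's `-w ... -k my_execs` rules) or on the script path in `argv` to keep only the executables of interest. Report `auid`, not `uid`, as the user: it is the login uid and survives su and sudo, whereas `uid` is whatever the process ran as.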























            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "2"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f736753%2fhow-to-log-execution-of-a-specific-binary-script-using-auditd-or-other%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            No matter how you do this in auditd you will have to use some parser to get the information you want (unless one of ausearch's options will help).



            To start with, to monitor just specific commands, and lets say the commands are /usr/bin/who (a binary) and /usr/bin/whatis (a shell script), then use the rules



            -w /usr/bin/who -p x -k my_execs
            -w /usr/bin/whatis -p x -k my_execs


            After setting these rules, restart the auditd service, then execute



            who -a
            whatis who


            then as root



            ausearch -i -k my_execs


            to get



            ----
            node=mynode.mydomain type=CONFIG_CHANGE msg=audit(11/18/2015 08:38:22.724:847290) : auid=burn ses=145 subj=unconfined_u:system_r:auditctl_t:s0 op="add rule" key=my_execs list=exit res=yes
            ----
            node=mynode.mydomain type=CONFIG_CHANGE msg=audit(11/18/2015 08:38:22.724:847291) : auid=burn ses=145 subj=unconfined_u:system_r:auditctl_t:s0 op="add rule" key=my_execs list=exit res=yes
            ----
            node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:25.381:847344) : item=1 name=(null) inode=524297 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
            node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:25.381:847344) : item=0 name=/usr/bin/who inode=2102799 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
            node=mynode.mydomain type=CWD msg=audit(11/18/2015 08:38:25.381:847344) : cwd=/tmp
            node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:25.381:847344) : argc=2 a0=who a1=-a
            node=mynode.mydomain type=SYSCALL msg=audit(11/18/2015 08:38:25.381:847344) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x11728e0 a1=0x1172d90 a2=0x10e8020 a3=0x18 items=2 ppid=1810 pid=22443 auid=burn uid=burn gid=burn euid=burn suid=burn fsuid=burn egid=burn sgid=burn fsgid=burn tty=pts0 ses=145 comm=who exe=/usr/bin/who subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=my_execs
            ----
            node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=2 name=(null) inode=524297 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
            node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=1 name=(null) inode=786482 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
            node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=0 name=/usr/bin/whatis inode=2112811 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
            node=mynode.mydomain type=CWD msg=audit(11/18/2015 08:38:31.052:847381) : cwd=/tmp
            node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:31.052:847381) : argc=2 a0=/bin/sh a1=/usr/bin/whatis
            node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:31.052:847381) : argc=3 a0=/bin/sh a1=/usr/bin/whatis a2=who
            node=mynode.mydomain type=SYSCALL msg=audit(11/18/2015 08:38:31.052:847381) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x1172d90 a1=0x1172500 a2=0x10e8020 a3=0x18 items=3 ppid=1810 pid=22504 auid=burn uid=burn gid=burn euid=burn suid=burn fsuid=burn egid=burn sgid=burn fsgid=burn tty=pts0 ses=145 comm=whatis exe=/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=my_execs


            You can see that ausearch has extracted the events you want (using your key).
            The SYSCALL elements give you the who, where and other elements, the EXECVE elements give you the arguments, the CWD the location and the PATH's details about files involved. For reference on this system the inodes above map to



            524297 /lib64/ld-2.12.so
            2102799 /usr/bin/who
            786482 /bin/bash
            2112811 /usr/bin/whatis


            You can check out https://people.redhat.com/sgrubb/audit for more information






            share|improve this answer



























              0














              No matter how you do this in auditd you will have to use some parser to get the information you want (unless one of ausearch's options will help).



              To start with, to monitor just specific commands, and lets say the commands are /usr/bin/who (a binary) and /usr/bin/whatis (a shell script), then use the rules



              -w /usr/bin/who -p x -k my_execs
              -w /usr/bin/whatis -p x -k my_execs


              After setting these rules, restart the auditd service, then execute



              who -a
              whatis who


              then as root



              ausearch -i -k my_execs


              to get



              ----
              node=mynode.mydomain type=CONFIG_CHANGE msg=audit(11/18/2015 08:38:22.724:847290) : auid=burn ses=145 subj=unconfined_u:system_r:auditctl_t:s0 op="add rule" key=my_execs list=exit res=yes
              ----
              node=mynode.mydomain type=CONFIG_CHANGE msg=audit(11/18/2015 08:38:22.724:847291) : auid=burn ses=145 subj=unconfined_u:system_r:auditctl_t:s0 op="add rule" key=my_execs list=exit res=yes
              ----
              node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:25.381:847344) : item=1 name=(null) inode=524297 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
              node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:25.381:847344) : item=0 name=/usr/bin/who inode=2102799 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
              node=mynode.mydomain type=CWD msg=audit(11/18/2015 08:38:25.381:847344) : cwd=/tmp
              node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:25.381:847344) : argc=2 a0=who a1=-a
              node=mynode.mydomain type=SYSCALL msg=audit(11/18/2015 08:38:25.381:847344) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x11728e0 a1=0x1172d90 a2=0x10e8020 a3=0x18 items=2 ppid=1810 pid=22443 auid=burn uid=burn gid=burn euid=burn suid=burn fsuid=burn egid=burn sgid=burn fsgid=burn tty=pts0 ses=145 comm=who exe=/usr/bin/who subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=my_execs
              ----
              node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=2 name=(null) inode=524297 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
              node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=1 name=(null) inode=786482 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
              node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=0 name=/usr/bin/whatis inode=2112811 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
              node=mynode.mydomain type=CWD msg=audit(11/18/2015 08:38:31.052:847381) : cwd=/tmp
              node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:31.052:847381) : argc=2 a0=/bin/sh a1=/usr/bin/whatis
              node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:31.052:847381) : argc=3 a0=/bin/sh a1=/usr/bin/whatis a2=who
              node=mynode.mydomain type=SYSCALL msg=audit(11/18/2015 08:38:31.052:847381) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x1172d90 a1=0x1172500 a2=0x10e8020 a3=0x18 items=3 ppid=1810 pid=22504 auid=burn uid=burn gid=burn euid=burn suid=burn fsuid=burn egid=burn sgid=burn fsgid=burn tty=pts0 ses=145 comm=whatis exe=/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=my_execs


              You can see that ausearch has extracted the events you want (using your key).
              The SYSCALL elements give you the who, where and other elements, the EXECVE elements give you the arguments, the CWD the location and the PATH's details about files involved. For reference on this system the inodes above map to



              524297 /lib64/ld-2.12.so
              2102799 /usr/bin/who
              786482 /bin/bash
              2112811 /usr/bin/whatis


              You can check out https://people.redhat.com/sgrubb/audit for more information






              share|improve this answer

























                0












                0








                0







                No matter how you do this in auditd you will have to use some parser to get the information you want (unless one of ausearch's options will help).



                To start with, to monitor just specific commands, and lets say the commands are /usr/bin/who (a binary) and /usr/bin/whatis (a shell script), then use the rules



                -w /usr/bin/who -p x -k my_execs
                -w /usr/bin/whatis -p x -k my_execs


                After setting these rules, restart the auditd service, then execute



                who -a
                whatis who


                then as root



                ausearch -i -k my_execs


                to get



                ----
                node=mynode.mydomain type=CONFIG_CHANGE msg=audit(11/18/2015 08:38:22.724:847290) : auid=burn ses=145 subj=unconfined_u:system_r:auditctl_t:s0 op="add rule" key=my_execs list=exit res=yes
                ----
                node=mynode.mydomain type=CONFIG_CHANGE msg=audit(11/18/2015 08:38:22.724:847291) : auid=burn ses=145 subj=unconfined_u:system_r:auditctl_t:s0 op="add rule" key=my_execs list=exit res=yes
                ----
                node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:25.381:847344) : item=1 name=(null) inode=524297 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
                node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:25.381:847344) : item=0 name=/usr/bin/who inode=2102799 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
                node=mynode.mydomain type=CWD msg=audit(11/18/2015 08:38:25.381:847344) : cwd=/tmp
                node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:25.381:847344) : argc=2 a0=who a1=-a
                node=mynode.mydomain type=SYSCALL msg=audit(11/18/2015 08:38:25.381:847344) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x11728e0 a1=0x1172d90 a2=0x10e8020 a3=0x18 items=2 ppid=1810 pid=22443 auid=burn uid=burn gid=burn euid=burn suid=burn fsuid=burn egid=burn sgid=burn fsgid=burn tty=pts0 ses=145 comm=who exe=/usr/bin/who subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=my_execs
                ----
                node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=2 name=(null) inode=524297 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
                node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=1 name=(null) inode=786482 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
                node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=0 name=/usr/bin/whatis inode=2112811 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
                node=mynode.mydomain type=CWD msg=audit(11/18/2015 08:38:31.052:847381) : cwd=/tmp
                node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:31.052:847381) : argc=2 a0=/bin/sh a1=/usr/bin/whatis
                node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:31.052:847381) : argc=3 a0=/bin/sh a1=/usr/bin/whatis a2=who
                node=mynode.mydomain type=SYSCALL msg=audit(11/18/2015 08:38:31.052:847381) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x1172d90 a1=0x1172500 a2=0x10e8020 a3=0x18 items=3 ppid=1810 pid=22504 auid=burn uid=burn gid=burn euid=burn suid=burn fsuid=burn egid=burn sgid=burn fsgid=burn tty=pts0 ses=145 comm=whatis exe=/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=my_execs


                You can see that ausearch has extracted the events you want (using your key).
                The SYSCALL elements give you the who, where and other elements, the EXECVE elements give you the arguments, the CWD the location and the PATH elements details about the files involved. For reference, on this system the inodes above map to



                524297 /lib64/ld-2.12.so
                2102799 /usr/bin/who
                786482 /bin/bash
                2112811 /usr/bin/whatis


                You can check out https://people.redhat.com/sgrubb/audit for more information




































                answered Nov 17 '15 at 21:49
                BurnA
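As an added example (not part of the answer above), a small Python parser for the `ausearch -i` output shown in it: it groups records by the serial number inside `msg=audit(...)`, picks the who/where from the SYSCALL element, the arguments from EXECVE, the directory from CWD and the file names from PATH, and returns one event per execution, keeping the longer of the two EXECVE records a script exec produces. The sample input is constructed from the log lines above with some fields trimmed; the names `SAMPLE`, `HEADER`, `FIELD` and `parse_events` are mine, not the page's.

```python
import re

# Constructed sample: the `ausearch -i -k my_execs` output from the answer, some fields trimmed.
SAMPLE = """\
node=mynode.mydomain type=CONFIG_CHANGE msg=audit(11/18/2015 08:38:22.724:847290) : auid=burn ses=145 op="add rule" key=my_execs list=exit res=yes
----
node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:25.381:847344) : item=0 name=/usr/bin/who inode=2102799 dev=fd:00 mode=file,755 ouid=root ogid=root nametype=NORMAL
node=mynode.mydomain type=CWD msg=audit(11/18/2015 08:38:25.381:847344) : cwd=/tmp
node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:25.381:847344) : argc=2 a0=who a1=-a
node=mynode.mydomain type=SYSCALL msg=audit(11/18/2015 08:38:25.381:847344) : arch=x86_64 syscall=execve success=yes exit=0 ppid=1810 pid=22443 auid=burn uid=burn tty=pts0 ses=145 comm=who exe=/usr/bin/who key=my_execs
----
node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=0 name=/usr/bin/whatis inode=2112811 dev=fd:00 mode=file,755 ouid=root ogid=root nametype=NORMAL
node=mynode.mydomain type=CWD msg=audit(11/18/2015 08:38:31.052:847381) : cwd=/tmp
node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:31.052:847381) : argc=2 a0=/bin/sh a1=/usr/bin/whatis
node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:31.052:847381) : argc=3 a0=/bin/sh a1=/usr/bin/whatis a2=who
node=mynode.mydomain type=SYSCALL msg=audit(11/18/2015 08:38:31.052:847381) : arch=x86_64 syscall=execve success=yes exit=0 ppid=1810 pid=22504 auid=burn uid=burn tty=pts0 ses=145 comm=whatis exe=/bin/bash key=my_execs
"""

# One record: optional node=, type, timestamp and serial inside msg=audit(...), then the
# key=value body; values may be quoted, e.g. op="add rule".
HEADER = re.compile(r"^(?:node=\S+ )?type=(?P<type>\w+) msg=audit\((?P<time>.+?):(?P<serial>\d+)\) : (?P<body>.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text, key=None):
    # Group ausearch -i records by serial; return one dict per execve event.
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # "----" separators and anything that is not a record
        f = {k: v.strip('"') for k, v in FIELD.findall(m.group("body"))}
        serial, rtype = int(m.group("serial")), m.group("type")
        ev = events.setdefault(serial, {"serial": serial, "time": m.group("time"), "argv": [], "paths": {}})
        if rtype == "SYSCALL":  # who ran it, the binary, and the rule key that matched
            ev.update(auid=f.get("auid"), uid=f.get("uid"), pid=int(f["pid"]), ppid=int(f["ppid"]),
                      exe=f.get("exe"), key=f.get("key"), success=f.get("success") == "yes")
        elif rtype == "EXECVE":
            argv = [f.get(f"a{i}", "") for i in range(int(f["argc"]))]
            # A script exec yields two EXECVE records for one serial (the whatis event
            # above); keep the longer argv, which carries the full command line.
            if len(argv) > len(ev["argv"]):
                ev["argv"] = argv
        elif rtype == "CWD":
            ev["cwd"] = f.get("cwd")
        elif rtype == "PATH":
            ev["paths"][int(f["item"])] = f.get("name")
    # Only events with a SYSCALL record are executions; the CONFIG_CHANGE entries written
    # when the rules were loaded carry the same key but are dropped here.
    execs = [events[s] for s in sorted(events) if "exe" in events[s]]
    return [e for e in execs if key is None or e["key"] == key]

EXECS = parse_events(SAMPLE, key="my_execs")  # two events: `who -a` and `whatis who`
```

Feeding it the real thing is `ausearch -i -k my_execs | python3 parser.py` with `sys.stdin.read()` in place of `SAMPLE`; the serial-based grouping does not depend on the `----` separators.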
























































































