Audit or Track All Commands on Linux|Centos|RHEL|Ubuntu|Debian

On a Linux system, every command run from a shell ends in an execve() system call, so recording that call with auditd gives a complete record of command execution. This article shows how to audit or track all commands on a Linux|Centos|RHEL|Ubuntu|Debian system.


Topic

  • How to audit all commands on Linux|Centos|RHEL|Ubuntu|Debian?
  • Audit all executed commands on a Linux|Centos|RHEL|Ubuntu|Debian system
  • Audit all system calls on a Linux system
  • Linux audit all system commands


Solution


Execute the following commands in the Linux shell to start tracking all command execution events immediately, without restarting the auditd service. Both rules are needed on a 64-bit system: the b64 rule catches native binaries and the b32 rule catches 32-bit binaries, which use a different syscall table.

# auditctl -a exit,always -F arch=b32 -S execve -k allcmds
# auditctl -a exit,always -F arch=b64 -S execve -k allcmds

Rules loaded with auditctl are lost at reboot. Make them permanent by adding the following lines to the /etc/audit/rules.d/audit.rules file.

# Track all commands
-a exit,always -F arch=b32 -S execve -k allcmds
-a exit,always -F arch=b64 -S execve -k allcmds

Restart the auditd service and validate the loaded configuration. Note that auditctl -l prints the rules in normalized form (always,exit and -F key=...), which is expected.

# service auditd restart
# auditctl -l
-a always,exit -F arch=b32 -S execve -F key=allcmds
-a always,exit -F arch=b64 -S execve -F key=allcmds

The following variants restrict the tracking to a specific user, or exclude a specific user while monitoring everyone else.

Audit/Track all commands executed by the root user
auditctl -a exit,always -F arch=b64 -F euid=0 -S execve -k root-cmds
auditctl -a exit,always -F arch=b32 -F euid=0 -S execve -k root-cmds

Audit/Track all commands by any user except root
auditctl -a exit,always -F arch=b64 -F euid!=0 -S execve -k allcmds
auditctl -a exit,always -F arch=b32 -F euid!=0 -S execve -k allcmds

or 
auditctl -a exit,always -F arch=b64 -F euid>0 -S execve -k allcmds
auditctl -a exit,always -F arch=b32 -F euid>0 -S execve -k allcmds

Audit Logs Validation

# ausearch -k allcmds

time->Sun Sep 15 01:10:16 2019
type=PROCTITLE msg=audit(1568490016.998:272): proctitle="date"
type=PATH msg=audit(1568490016.998:272): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=79069 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1568490016.998:272): item=0 name="/usr/bin/date" inode=12591834 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1568490016.998:272):  cwd="/root"
type=EXECVE msg=audit(1568490016.998:272): argc=1 a0="date"
type=SYSCALL msg=audit(1568490016.998:272): arch=c000003e syscall=59 success=yes exit=0 a0=89e970 a1=8b6ed0 a2=81cf10 a3=7ffd0723e5e0 items=2 ppid=1591 pid=1984 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="date" exe="/usr/bin/date" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="allcmds"

The above output shows that the root user (auid=0 uid=0 euid=0, on tty pts0, with cwd="/root") executed the date command. The EXECVE record carries the arguments, the SYSCALL record carries who ran it and whether it succeeded, and the key field ties the event back to the rule that matched.
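Reading raw ausearch output by eye does not scale, and the user filters above (euid=0, euid!=0) are often applied after the fact as well. The following parser is an added example, not code from this page or from TekFik: it groups the records of each event by their audit(TIMESTAMP:SERIAL) id, rebuilds the command line from the EXECVE record, and exposes the identity fields from the SYSCALL record. It handles two details of the real format that trip up naive greps: arguments containing spaces or control characters are written as unquoted hex (a1=68656C...), and auid=4294967295 means "no login session" (cron, daemons). The sample input is constructed: the page's own date event (SYSCALL line abridged) plus an invented second event for a non-root user.

```python
"""Parse `ausearch -k allcmds` output into one summary per execve() event."""
import re
import shlex

# Constructed sample: the event shown on this page (SYSCALL record abridged),
# followed by an invented event for uid 1000 whose second argument is
# hex-encoded because it contains a space. ausearch separates events with "----".
SAMPLE = """\
time->Sun Sep 15 01:10:16 2019
type=PROCTITLE msg=audit(1568490016.998:272): proctitle="date"
type=CWD msg=audit(1568490016.998:272):  cwd="/root"
type=EXECVE msg=audit(1568490016.998:272): argc=1 a0="date"
type=SYSCALL msg=audit(1568490016.998:272): arch=c000003e syscall=59 success=yes exit=0 ppid=1591 pid=1984 auid=0 uid=0 gid=0 euid=0 tty=pts0 ses=1 comm="date" exe="/usr/bin/date" key="allcmds"
----
time->Sun Sep 15 01:12:40 2019
type=CWD msg=audit(1568490160.123:280):  cwd="/home/alice"
type=EXECVE msg=audit(1568490160.123:280): argc=3 a0="echo" a1=68656C6C6F20776F726C64 a2="done"
type=SYSCALL msg=audit(1568490160.123:280): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2042 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=2 comm="echo" exe="/usr/bin/echo" key="allcmds"
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value, value quoted or bare
ARG_RE = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")              # a0, a1, ... or chunked a0[0], a0[1]
AUID_UNSET = 4294967295                                     # (unsigned)-1: no login session


def _unquote(raw):
    """Strip the quotes audit puts around printable values; None stays None."""
    if raw is None:
        return None
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw


def _decode_arg(raw):
    """EXECVE args containing spaces or control characters are emitted as bare hex."""
    if raw.startswith('"'):
        return _unquote(raw)
    if re.fullmatch(r"[0-9A-Fa-f]+", raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def _argv(execve):
    """Rebuild argv from aN / aN[M] fields, concatenating chunks of long arguments."""
    chunks = {}
    for name, raw in execve.items():
        m = ARG_RE.match(name)
        if m:
            idx, part = int(m.group(1)), int(m.group(2) or 0)
            chunks.setdefault(idx, {})[part] = _decode_arg(raw)
    return ["".join(parts[i] for i in sorted(parts)) for _, parts in sorted(chunks.items())]


def _int_field(rec, name):
    return int(rec[name]) if name in rec else None


def _summarize(records):
    sysc = records.get("SYSCALL", {})
    argv = _argv(records.get("EXECVE", {}))
    auid = _int_field(sysc, "auid")
    return {
        "auid": None if auid == AUID_UNSET else auid,   # login user, survives su/sudo
        "uid": _int_field(sysc, "uid"),
        "euid": _int_field(sysc, "euid"),               # what the -F euid=... rules match on
        "tty": sysc.get("tty"),
        "exe": _unquote(sysc.get("exe")),
        "cwd": _unquote(records.get("CWD", {}).get("cwd")),
        "success": sysc.get("success") == "yes",
        "key": _unquote(sysc.get("key")),
        "argv": argv,
        "cmdline": " ".join(shlex.quote(a) for a in argv),
    }


def parse_ausearch(text):
    """Group records by their audit(TIMESTAMP:SERIAL) id and summarise each event."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:                      # skips the "time->" and "----" separator lines
            continue
        ts, serial = float(m.group(1)), int(m.group(2))
        fields = dict(FIELD_RE.findall(line))
        rtype = fields.pop("type", "UNKNOWN")
        events.setdefault((ts, serial), {})[rtype] = fields
    out = []
    for (ts, serial), records in sorted(events.items()):
        summary = _summarize(records)
        summary["time"], summary["serial"] = ts, serial
        out.append(summary)
    return out


def by_login_user(events, auid):
    """Commands run in sessions that logged in as `auid`, including those run via su/sudo."""
    return [e for e in events if e["auid"] == auid]


def non_root(events):
    """Post-hoc equivalent of the -F euid!=0 rule."""
    return [e for e in events if e["euid"] is not None and e["euid"] != 0]


if __name__ == "__main__":
    for e in parse_ausearch(SAMPLE):
        print(f'{e["time"]:.3f} auid={e["auid"]} euid={e["euid"]} tty={e["tty"]} '
              f'cwd={e["cwd"]} :: {e["cmdline"]}')
```

Run it against real data with `ausearch -k allcmds | python3 parse_allcmds.py` after swapping SAMPLE for sys.stdin.read(). The filters are deliberately offered on two different fields: euid is what the rules on this page match, but auid is the identity to report on, because it is set at login and does not change when the user runs su or sudo, so a command run as root from a sudo session still shows the login user's auid.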


About the Author: TekFik

TekFik is a technical blogging site that helps techies and engineers solve their day-to-day issues and lets everyone share knowledge and feedback. Please feel free to contact us at tekfik.rd@gmail.com if there is anything.
