-
-
Save seb3point0/21ff9d07e0b5620e09de4e231dc2b246 to your computer and use it in GitHub Desktop.
Setting up auditd on Ubuntu 14.04 to monitor both tty and root commands
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Justin Miller 08/04/16 | |
| # Setup auditd | |
| # command example: | |
| # aureport --tty | |
| # | |
| # to view root commands: | |
| # ausearch -ue 0 | |
| # to view user commands: | |
| # ausearch -ua <userid> | |
| # | |
| apt-get update | |
| # install the package | |
| apt-get install -y auditd | |
| # delete the line pam_tty_audit.so | |
| sed -i '/pam_tty_audit.so/d' /etc/pam.d/sshd | |
| # add this line to the bottom of the file | |
| echo 'session required pam_tty_audit.so enable=*' >> /etc/pam.d/sshd | |
| # add a couple more required lines: | |
| echo '-a exit,always -F arch=b64 -F euid=0 -S execve' >> /etc/audit/audit.rules | |
| echo '-a exit,always -F arch=b32 -F euid=0 -S execve' >> /etc/audit/audit.rules |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://serverfault.com/questions/336217/how-do-i-log-every-command-executed-by-a-user