@shichao-an
Created April 22, 2015 09:07
#!/bin/bash
# Setup and enable auditd on Debian/Ubuntu (apt-get based).
# MUST REBOOT AFTER SETUP so the new PAM and audit rules take effect.
#
# FUNCTIONALITIES:
#
# * Auditing user TTY input of ssh sessions (keystrokes, via pam_tty_audit)
# aureport --tty
#
# * Auditing commands executed as root (effective uid 0, so sudo'd commands
#   from ordinary login sessions are included)
# ausearch -ue 0 # all commands executed with euid=0
# ausearch -ua 1000 # commands where uid, euid or auid is 1000
#   (use -ul 1000 to match the login uid, auid, only)
#
set -e
[ "$(id -u)" -eq 0 ] || { echo 'Run this script as root.' >&2; exit 1; }
apt-get update
apt-get install -y auditd
# Drop any existing pam_tty_audit line first so the module is configured exactly once.
sed -i '/pam_tty_audit.so/d' /etc/pam.d/sshd
echo 'session required pam_tty_audit.so enable=*' >> /etc/pam.d/sshd
# Append the execve rules only if they are not already present (idempotent).
# Note: newer auditd releases load /etc/audit/rules.d/*.rules via augenrules;
# this script targets the single /etc/audit/audit.rules layout.
grep -q -- '-a exit,always -F arch=b64 -F euid=0 -S execve' \
/etc/audit/audit.rules || {
cat >> /etc/audit/audit.rules <<EOF
-a exit,always -F arch=b64 -F euid=0 -S execve
-a exit,always -F arch=b32 -F euid=0 -S execve
EOF
}
echo 'Setup complete. Please reboot!'
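As an added example (not code from the gist), a small Python parser that pairs the SYSCALL and EXECVE records the execve rules above write to audit.log, decodes auditd's hex-encoded arguments, and lists the commands run with euid=0, the same data `ausearch -ue 0` (or narrowed by auid) retrieves. The sample log lines are constructed; the serial numbers, pids and uids in them are made up.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not from the gist's host): each exec yields a
# SYSCALL and an EXECVE record sharing a serial; line 4 has a hex-encoded arg "echo hello".
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1429693621.100:301): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key=(null)
type=EXECVE msg=audit(1429693621.100:301): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1429693621.200:302): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=900 pid=902 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="sh" exe="/bin/dash" key=(null)
type=EXECVE msg=audit(1429693621.200:302): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F
type=SYSCALL msg=audit(1429693621.300:303): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=1 pid=903 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key=(null)
type=EXECVE msg=audit(1429693621.300:303): argc=1 a0="cron"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_arg(raw):
    # EXECVE args are quoted plain strings, or unquoted hex when they contain
    # spaces or control bytes (auditd's encoding, the one `ausearch -i` undoes).
    if raw.startswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode('utf-8', 'replace')

def parse_audit_log(text):
    """Merge the SYSCALL and EXECVE records of each serial into one event dict."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = dict(FIELD_RE.findall(body))
        ev = events[int(serial)]
        if rtype == 'EXECVE':   # oversized args split as a1[0]=, a1[1]= are not joined
            ev['argv'] = [decode_arg(fields['a%d' % i]) for i in range(int(fields['argc']))]
        elif rtype == 'SYSCALL':
            for k in ('auid', 'uid', 'euid', 'comm', 'exe', 'tty', 'success'):
                ev[k] = fields[k].strip('"')
    return dict(events)

def root_commands(events, auid=None):
    """Commands run with euid=0 (what `ausearch -ue 0` reports), optionally only those
    from login sessions of one auid (`ausearch -ul AUID`); 4294967295 is 'auid unset'."""
    out = []
    for serial in sorted(events):
        ev = events[serial]
        if 'argv' in ev and ev.get('euid') == '0' and (auid is None or ev['auid'] == str(auid)):
            out.append((ev['auid'], ev['exe'], ev['argv']))
    return out
```

The third sample event has no auid (a daemon, not a logged-in user), which is why filtering by auid matters when attributing root activity to a person.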
@rimaulana

Works like a charm. Thank you