
OS: SLES 15, audit service enabled.

When I issue any command (for example, date or ls), I expect it to be logged in audit.log, something like this:

type=SYSCALL msg=audit...

type=EXECVE msg=audit(1718094805.867:24632): argc=1 a0="date"

...

But these entries are not in audit.log.

There are other entries there, for example about the start/finish of sessions, but no executed commands.

  • What audit rules do you have enabled? Try auditctl -l. Commented Jun 11, 2024 at 11:29
  • date or ls is not a security-relevant command; your expectations of auditd seem to be that of a keylogger if you expect it to capture any command. Commented Jun 11, 2024 at 12:32

1 Answer

https://lowendbox.com/blog/how-to-audit-every-command-run-on-your-linux-system/

Basically, do this to put these rules in your /etc/audit/rules.d/audit.rules file:

auditctl -a exit,always -F arch=b32 -S execve -k allcmds
auditctl -a exit,always -F arch=b64 -S execve -k allcmds
# in the rules file the same lines go without the leading "auditctl"

be aware the /var/log/audit/audit.log file might grow to gigabytes in a few minutes, and simply fill up whatever disk partition that folder is on.

And I believe that will capture every command on a running system, including all the under-the-hood stuff. If you want every command run by a specific user, then it would be a matter of tailoring the rule to filter on a specific uid=, such as

auditctl -a exit,always -F arch=b32 -F uid=1234 -S execve -k allcmds
# repeat with -F arch=b64 so 64-bit binaries are caught too

or

auditctl -a exit,always -F arch=b32 -F uid>=1000 -S execve -k allcmds
# no spaces around the operator: "uid >=1000" is parsed as separate arguments and rejected
  • First I removed -a never,task from the rules and then added these commands, and it helped. Commented Jun 11, 2024 at 16:02
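The procedure in the answer and the commenter's fix, put together as an added example (this is not code from the answer or from SLES): generate the execve rules in the form a /etc/audit/rules.d/*.rules file expects (no auditctl prefix), check the rule set for a task,never rule, which disables syscall auditing for every process forked after it and so silences any execve rule loaded later, then load and verify with the standard auditd tools. The key name allcmds comes from the answer; the file name 50-execve.rules, the choice of auid (login uid, which survives su/sudo) instead of uid, and the minimum auid of 1000 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes augenrules, auditctl
# and ausearch from the audit package on SLES 15.

KEY="${KEY:-allcmds}"            # audit key from the answer

# Print execve rules in rules-file form (what goes into
# /etc/audit/rules.d/*.rules; "auditctl" is only needed on the command line).
# $1 (optional): minimum auid, e.g. 1000, to limit logging to interactive
# users. auid is the login uid, so it survives su/sudo; plain uid does not.
render_rules() {
    min_auid="$1"
    filter=""
    if [ -n "$min_auid" ]; then
        # auid 4294967295 (-1) means "no login uid set", i.e. daemons: skip them
        filter="-F auid>=$min_auid -F auid!=4294967295"
    fi
    for arch in b32 b64; do
        printf -- '-a always,exit -F arch=%s -S execve %s-k %s\n' \
            "$arch" "${filter:+$filter }" "$KEY"
    done
}

# Exit 0 if the rule set on stdin contains a task,never rule (either spelling).
# Processes forked while that rule is active get auditing switched off, so
# execve rules appended after it never fire for them; remove it first.
has_task_never() {
    grep -Eq -- '^-a[[:space:]]+(never,task|task,never)'
}

# Write, load and confirm the rules. Needs root. augenrules merges
# /etc/audit/rules.d/*.rules into /etc/audit/audit.rules and loads the result.
load_and_verify() {
    if cat /etc/audit/rules.d/*.rules 2>/dev/null | has_task_never; then
        echo "a task,never rule is present; remove it or no execve records will appear" >&2
        return 1
    fi
    render_rules 1000 > /etc/audit/rules.d/50-execve.rules   # assumed file name
    augenrules --load
    auditctl -l | grep -- "-k $KEY"
}

# Show what was captured. -i resolves uids, arch and syscall numbers to names.
show_commands() {
    ausearch -k "$KEY" -i | grep -E 'type=(SYSCALL|EXECVE)'
}
```

Run `load_and_verify` once as root, execute a command such as `date` in a login shell, then `show_commands`; each execution yields a SYSCALL record (who ran it, from which process) paired with an EXECVE record (the argv). Keep the answer's warning in mind: on a busy host these rules produce a large volume of records, so check `max_log_file`, `num_logs` and `space_left_action` in /etc/audit/auditd.conf before enabling them.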
