Commander

Monitoring the audit.log file

All,

Can anyone tell me which Linux server/workstation commands/events result in an audit.log record with the messagetype=USER_CMD?


I am building a specialized flexconnector to monitor the audit.log file and want to capture user-typed commands. The USER_CMD messagetype appears to fit the bill, but I need to know more about what events/activities result in this audit.log entry.

Thanks!


Steve

Absent Member.

Your question is very broad - I would start by googling audit.rules, auditd and audispd to understand how auditing works on Linux. The audit rules on the systems you are monitoring will dictate what activity will be audited.

You may not actually need a flex, depending on your requirements... things like the syslog SmartConnector already do a decent job of normalising audit logs from linux systems. The problem you may hit is that most of the interesting data is put into the "Additional Data" fields, as well as not translating some field values in the audit logs to be human-readable (and thus not very usable without mapping those ad.fields to usable ones - such as device custom string x and the like).

Commander

Adam,

Thanks for the info, and believe me, I have Googled auditd, audit.rules, and audisp looking for answers!

What I am trying to do is create specific rules to capture security related events, such as the use of the 'mount' and 'umount' commands along with su and sudo usage/attempts. I have been successful with these, but was hoping for more events. It appears that I get the best results with the USER_CMD messagetype, which is why I was looking for more information.

By the way, I have found a way to capture human readable information (user names etc.) using the ausearch -i command.

Steve

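Steve's post above describes a flexconnector that keys on USER_CMD records and uses ausearch -i to make the fields readable. As an added example (not from the thread, and not ArcSight or auditd code), the Python below parses raw audit.log USER_CMD lines and does that decoding itself: sudo writes these records, and the cmd field is hex-encoded whenever the command contains spaces, which is why the raw log looks opaque until it is interpreted. The sample log lines, user ids and paths are constructed.

```python
import os
import re

# Constructed sample audit.log records (not from the thread). The layout follows
# what sudo writes through the audit user-space API: the cmd field is hex-encoded
# whenever it contains spaces or other special characters.
SAMPLE_AUDIT_LOG = """\
type=USER_CMD msg=audit(1700000000.123:456): pid=1234 uid=1000 auid=1000 ses=3 msg='cwd="/home/steve" cmd=6D6F756E74202F6465762F73646231202F6D6E74 exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1700000005.456:457): pid=1240 uid=1000 auid=1000 ses=3 msg='cwd="/home/steve" cmd="id" exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1700000010.789:458): pid=1250 uid=1001 auid=1001 ses=4 msg='cwd="/tmp" cmd=756D6F756E74202F6D6E74 exe="/usr/bin/sudo" terminal=pts/1 res=failed'
type=USER_START msg=audit(1700000011.000:459): pid=1250 uid=1000 auid=1000 ses=4 msg='op=PAM:session_open exe="/usr/bin/sudo" res=success'
"""

USER_CMD_RE = re.compile(r"type=USER_CMD msg=audit\(\d+\.\d+:\d+\): (?P<outer>.*?) msg='(?P<inner>.*)'$")
# key=value pairs: a double-quoted literal or a bare token (hex when the value is a string).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_audit_string(raw):
    """Quoted values are literal; bare string values are hex (this is what ausearch -i undoes)."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:
        return raw

def parse_user_cmd(line):
    """Return a flat dict for a USER_CMD record, or None for any other record type."""
    m = USER_CMD_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("outer")) + KV_RE.findall(m.group("inner")))
    return {
        "auid": int(fields.get("auid", -1)),  # login uid: the human who typed the command
        "terminal": fields.get("terminal"),
        "cwd": decode_audit_string(fields.get("cwd", '""')),
        "cmd": decode_audit_string(fields.get("cmd", '""')),
        "result": fields.get("res"),
    }

WATCHED = {"mount", "umount", "su", "sudo"}

def find_watched_commands(log_text, watched=WATCHED):
    """Keep USER_CMD records whose first word (by basename) is a watched command."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_user_cmd(line)
        if rec and os.path.basename(rec["cmd"].split(" ", 1)[0]) in watched:
            hits.append(rec)
    return hits
```

Note that sudo only emits USER_CMD for commands run through it; mount or umount invoked directly by root shows up as a SYSCALL record from a file-watch or syscall rule, not here.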
Absent Member.

Have you considered using auditd and its associated logs?

The syslog connector will parse auditd messages by default and auditd is way more informative than std Unix syslog

Absent Member.

You didn't read any of this thread, did you?

Absent Member.

Yeah I read it. I'm just supporting what you were saying. If you have an issue, use a PM.
