Logging root actions by capturing execve system calls

Capturing execve system calls and store them in the audit log

For compliance or security reasons you might want to capture all commands executed by the root user. Fortunately enough the Linux audit framework helps with capturing the right system calls and log it to the audit file.

Configure audit

To enable auditing, use the following commands:

# auditctl -a exit,always -F arch=b64 -F euid=0 -S execve -k root-commands  
# auditctl -a exit,always -F arch=b32 -F euid=0 -S execve -k root-commands

These commands will enable monitoring for the execve system call and log it when the effective user ID is 0, equal to the root user. Whenever you are logged in as root, or using sudo, it will log the related actions.

An alternative method is capturing all system calls for the root user, with a permission based filter. This means that all executes of files, write actions and changes to attributes are recorded.

auditctl -a exit,always -S all -F euid=0 -F perm=awx -k root-commands

Searching root activities

After logging the events for a while, we might want to search for them. By specifying a key (root-commands), you can quickly find them again.

ausearch -k root-commands

This will perform a search through all audit entries, for which the key is root-commands.

Another option to capture administrative commands, is using Snoopy. Have a look at our previous blog post about Snoopy.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution.

Mastodon icon