Logging root actions by capturing execve system calls

Capturing execve system calls and storing them in the audit log

For compliance or security reasons you might want to capture all commands executed by the root user. Fortunately, the Linux audit framework can capture the relevant system calls and write them to the audit log.

Configure audit

To enable auditing, use the following commands (rules loaded with auditctl are lost at reboot; to make them persistent, add the same lines, without the auditctl prefix, to a file in /etc/audit/rules.d/, or to /etc/audit/audit.rules on older systems):

auditctl -a exit,always -F arch=b64 -F euid=0 -S execve -k root-commands
auditctl -a exit,always -F arch=b32 -F euid=0 -S execve -k root-commands

These commands will enable monitoring for the execve system call, for both 64-bit and 32-bit binaries, and log it whenever the effective user ID is 0, i.e. the root user. Whenever you are logged in as root, or are using sudo, the related actions will be logged. Because the filter is evaluated when the system call completes, it also catches setuid-root programs started by unprivileged users, such as passwd or sudo itself. Each event records the login UID (auid) of the session, which lets you tell a direct root login apart from a sudo or su session afterwards.

An alternative method is capturing all system calls for the root user, with a permission-based filter. This means that all executions of files, write actions and changes to attributes are recorded. This rule generates far more events than the execve rule, so test it on a representative system and watch the size of the audit log before deploying it widely.

auditctl -a exit,always -S all -F euid=0 -F perm=awx -k root-commands

Searching root activities

After logging events for a while, you will want to search for them. Because the rules specify a key (root-commands), you can quickly find the related events again.

ausearch -k root-commands

This will perform a search through all audit entries, for which the key is root-commands.
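ausearch returns, for every execve event, the SYSCALL, EXECVE, CWD and PROCTITLE records that share one serial number (add -i to translate numeric IDs into names, or --raw to get the unformatted records). The Python script below is an added example, not code from the original post or from the audit tools: it takes records in the raw audit.log format, stitches each event back together by its serial number, decodes arguments that auditd hex-encodes (those containing spaces, quotes or non-printable bytes), reassembles long arguments that arrive split as aN[0], aN[1], ..., handles a failed execve (which leaves a SYSCALL record but no EXECVE record), and uses the auid field, the login UID that survives sudo and su, to tell a direct root login from a sudo session. The same field can be used in a rule, for instance a second rule with -F auid!=0 and its own key, if you want the two cases under different keys. The log lines in SAMPLE_LOG are constructed for this example with some fields trimmed, and the session labels and function names are this example's own choices.

```python
"""Summarise root command executions from raw Linux audit records.

Added example, not code from the original post or from the audit tools.
Feed it raw lines from /var/log/audit/audit.log or from
`ausearch -k root-commands --raw`; the sample below is constructed.
"""
import re
from collections import defaultdict

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')
ARG_RE = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")
AUID_UNSET = "4294967295"  # (unsigned)-1: no login session (boot, cron, daemons)

# Constructed sample (fields trimmed): a sudo user reading /etc/shadow,
# a direct root login running a shell one-liner, a failed execve, and an
# unrelated event carrying another key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4001): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="root-commands"
type=EXECVE msg=audit(1700000000.101:4001): argc=2 a0="cat" a1="/etc/shadow"
type=CWD msg=audit(1700000000.101:4001): cwd="/home/alice"
type=PROCTITLE msg=audit(1700000000.101:4001): proctitle=636174002F6574632F736861646F77
type=SYSCALL msg=audit(1700000000.205:4002): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=2205 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=2 comm="sh" exe="/usr/bin/dash" key="root-commands"
type=EXECVE msg=audit(1700000000.205:4002): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F
type=CWD msg=audit(1700000000.205:4002): cwd="/root"
type=SYSCALL msg=audit(1700000000.310:4003): arch=c000003e syscall=59 success=no exit=-13 ppid=2100 pid=2310 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="root-commands"
type=SYSCALL msg=audit(1700000000.400:4004): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=700 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="etc-changes"
"""


def decode_value(raw):
    """Audit quotes plain strings; values with spaces, quotes or control
    bytes are written as bare hex, which we decode back to text."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw  # e.g. (none) or (null)


def parse_line(line):
    """Split one raw record into (record type, event serial, field dict)."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields["_time"] = m.group(1)
    return fields.get("type"), int(m.group(2)), fields


def group_events(lines):
    """Collect the records of each event under its serial number."""
    events = defaultdict(dict)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            rtype, serial, fields = parsed
            events[serial][rtype] = fields
    return events


def execve_argv(fields):
    """Rebuild argv from an EXECVE record; very long arguments are split
    into aN[0], aN[1], ... pieces which are concatenated again here."""
    pieces = defaultdict(dict)
    for k, v in fields.items():
        m = ARG_RE.match(k)
        if m:
            pieces[int(m.group(1))][int(m.group(2) or 0)] = decode_value(v)
    return ["".join(p[i] for i in sorted(p)) for _, p in sorted(pieces.items())]


def classify_session(auid):
    """auid is the login uid, kept across sudo/su, so it tells who started the session."""
    if auid == AUID_UNSET:
        return "no login session (boot/cron/daemon)"
    if auid == "0":
        return "direct root login"
    return f"privilege escalation (sudo/su) by uid {auid}"


def root_commands(log_text, key="root-commands"):
    """Return one summary dict per event whose SYSCALL record carries `key`."""
    results = []
    for serial, recs in sorted(group_events(log_text.splitlines()).items()):
        sc = recs.get("SYSCALL")
        # Several matching rules join their keys with \x01 and hex-encode the result.
        if sc is None or key not in decode_value(sc.get("key", '""')).split("\x01"):
            continue
        ex = recs.get("EXECVE")
        results.append({
            "serial": serial,
            "time": sc["_time"],
            "auid": sc.get("auid"),
            "session": classify_session(sc.get("auid")),
            "success": sc.get("success") == "yes",
            "exit": sc.get("exit"),
            "exe": decode_value(sc.get("exe", '""')),
            "cwd": decode_value(recs.get("CWD", {}).get("cwd", '""')),
            # A failed execve never reaches the binary, so there is no EXECVE record.
            "argv": execve_argv(ex) if ex else [],
        })
    return results


if __name__ == "__main__":
    for ev in root_commands(SAMPLE_LOG):
        status = "ok" if ev["success"] else f"FAILED exit={ev['exit']} (no EXECVE record)"
        cmd = " ".join(ev["argv"]) or f"[attempt from {ev['exe']}]"
        print(f"{ev['time']} [{ev['session']}] cwd={ev['cwd'] or '?'} {cmd} ({status})")
```

On a real system, replace SAMPLE_LOG with the output of ausearch -k root-commands --raw; the cron event with key etc-changes is skipped because the key filter is applied per event, so other rules sharing the same log do not pollute the result.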

Another option to capture administrative commands is Snoopy. Have a look at our previous blog post about Snoopy.

3 comments

  • Diego

    Hi, is it possible to separate commands when you are logged in as root with a key like root-commands and sudo commands with a key like sudo-commands?

    Reply
    • You should be able to make that difference, as you can log what command was used. Don’t have a direct snippet for you to test though :(

      Reply
  • ropema granito

    Pretty! This has been an incredibly wonderful post.
    Many thanks for providing this info.

    Reply
