Audit.rules
Logging root actions by capturing execve system calls
Logging all actions performed by root might be needed for compliance or security. With the help of the Linux audit framework, all root actions can be logged easily to an audit log.
Summary
Capturing execve system calls and storing them in the audit log
For compliance or security reasons you might want to capture all commands executed by the root user. Fortunately, the Linux audit framework helps capture the right system call and log it to the audit file.
Configure audit
To enable auditing, use the following commands:
# auditctl -a exit,always -F arch=b64 -F euid=0 -S execve -k root-commands
# auditctl -a exit,always -F arch=b32 -F euid=0 -S execve -k root-commands
These commands enable monitoring of the execve system call (the b64 and b32 rules cover 64-bit and 32-bit binaries respectively) and log each call when the effective user ID is 0, i.e. root. Whenever you are logged in as root or use sudo, the related actions are logged under the key root-commands.
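As an added example (not code from the original article), a small Python parser that reads the records these rules produce: it joins each SYSCALL record with its EXECVE record by event serial, keeps only events keyed root-commands with euid=0, decodes hex-encoded arguments, and reports the login UID (auid) so a sudo user is still identifiable. The sample log is constructed; the record layout assumed is the default auditd text format.

```python
import re
from collections import defaultdict

# Constructed sample records (all values made up) in the format auditd writes
# to /var/log/audit/audit.log when the execve rules keyed "root-commands" fire.
# Event 303 came from some other rule (no key) and must be ignored.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=4000 pid=4001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="cat" exe="/usr/bin/cat" key="root-commands"
type=EXECVE msg=audit(1700000000.101:301): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1700000000.250:302): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=4000 pid=4002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="useradd" exe="/usr/sbin/useradd" key="root-commands"
type=EXECVE msg=audit(1700000000.250:302): argc=4 a0="useradd" a1="-c" a2=6261636B75702075736572 a3="backup"
type=SYSCALL msg=audit(1700000000.400:303): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=5000 pid=5001 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=6 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1700000000.400:303): argc=1 a0="ls"
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # k=v or k="v with spaces"

def decode_execve_arg(value):
    # auditd writes an argv entry containing a space, quote or non-printable
    # byte as unquoted hex (see a2= in event 302); everything else is quoted.
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def root_commands(log_text, key="root-commands"):
    """Join SYSCALL and EXECVE records by event serial and return the execve
    events that matched `key` with euid=0 (auid = login UID, survives sudo)."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        match = RECORD_RE.match(line)
        if match:
            rtype, _timestamp, serial, rest = match.groups()
            events[int(serial)][rtype] = dict(FIELD_RE.findall(rest))
    commands = []
    for serial in sorted(events):
        syscall, execve = events[serial].get("SYSCALL"), events[serial].get("EXECVE")
        if not syscall or not execve:
            continue  # incomplete event, e.g. log rotated mid-event
        if syscall.get("key", "").strip('"') != key or syscall.get("euid") != "0":
            continue
        argv = [decode_execve_arg(execve[f"a{i}"]) for i in range(int(execve["argc"]))]
        commands.append({"serial": serial, "auid": int(syscall["auid"]),
                         "exe": syscall["exe"].strip('"'), "argv": argv})
    return commands
```

Run it against a real /var/log/audit/audit.log (or the output of ausearch -k root-commands) to get one reconstructed command line per root execve.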
Linux Audit Framework 101 – Basic Rules for Configuration
The Linux audit framework is a very powerful tool to monitor files, directories, and system calls. Learn how to configure it.
Summary
Starting with Linux auditing can be overwhelming. Fortunately, there is a great feature in the Linux kernel to watch events and log them for us. To give you a quick start to use the Linux Audit Framework, we have collected some basic rules for configuring the audit daemon and its rules.
Main Configuration
By default the configuration values in /etc/audit/audit.conf are suitable for most systems. If your system is very low or very high on resources (e.g. a mainframe), you might want to adjust some file sizes or buffers.