Created April 8, 2016 16:19
Setting up auditd on Ubuntu 14.04 to monitor both tty and root commands
#!/bin/bash
# Justin Miller 08/04/16
# Set up auditd
# command example:
# aureport --tty
#
# to view root commands:
# ausearch -ue 0
# to view user commands:
# ausearch -ua <userid>
#
set -e
apt-get update
# install the package
apt-get install -y auditd
# delete any existing pam_tty_audit.so line so it is not duplicated
sed -i '/pam_tty_audit.so/d' /etc/pam.d/sshd
# add this line to the bottom of the file (enable=* records tty input for all users)
echo 'session required pam_tty_audit.so enable=*' >> /etc/pam.d/sshd
# add a couple more required lines: log every execve made with effective uid 0 (64- and 32-bit ABI)
echo '-a exit,always -F arch=b64 -F euid=0 -S execve' >> /etc/audit/audit.rules
echo '-a exit,always -F arch=b32 -F euid=0 -S execve' >> /etc/audit/audit.rules
# restart auditd so the appended rules are loaded into the kernel now rather than at next boot
service auditd restart
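The execve rules above write a SYSCALL record and an EXECVE record per command into /var/log/audit/audit.log, joined by their event id. The snippet below is an added example, not part of the gist: a POSIX sh/awk filter that pairs those records and prints the command lines run with euid=0, exercised against constructed sample records (hex-encoded arguments, which auditd uses for values containing spaces or unprintable bytes, are skipped).

```shell
#!/bin/sh
# Constructed sample audit.log records (not real captures) in the format auditd
# writes for the euid=0 execve rules: SYSCALL and EXECVE share one event id.
SAMPLE_LOG='type=SYSCALL msg=audit(1460130000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="apt-get" exe="/usr/bin/apt-get" key=(null)
type=EXECVE msg=audit(1460130000.101:201): argc=2 a0="apt-get" a1="update"
type=SYSCALL msg=audit(1460130000.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=3 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1460130000.102:202): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1460130000.103:203): arch=40000003 syscall=11 success=yes exit=0 ppid=1 pid=4 auid=1000 uid=0 gid=0 euid=0 tty=pts1 ses=4 comm="cat" exe="/bin/cat" key=(null)
type=EXECVE msg=audit(1460130000.103:203): argc=2 a0="cat" a1="/etc/shadow"'

# root_execs: read audit records on stdin and print one line per execve made
# with euid=0, as "auid=<login uid> tty=<tty> <command line>".
root_execs() {
  awk '
    # event id is the "1460130000.101:201" part of msg=audit(...)
    function event_id(s) { match(s, /audit\([0-9.]+:[0-9]+\)/); return substr(s, RSTART + 6, RLENGTH - 7) }
    /^type=SYSCALL / {
      id = event_id($0)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "euid") euid[id] = kv[2]
        if (kv[1] == "auid") auid[id] = kv[2]
        if (kv[1] == "tty")  tty[id]  = kv[2]
      }
    }
    /^type=EXECVE / {
      id = event_id($0)
      cmd = ""
      for (i = 1; i <= NF; i++) {
        # only quoted args are taken; hex-encoded args (no quotes) are skipped here
        if ($i ~ /^a[0-9]+="/) {
          v = $i; sub(/^a[0-9]+="/, "", v); sub(/"$/, "", v)
          cmd = cmd (cmd == "" ? "" : " ") v
        }
      }
      if (euid[id] == "0") print "auid=" auid[id] " tty=" tty[id] " " cmd
    }'
}

printf '%s\n' "$SAMPLE_LOG" | root_execs
```

Pointing the same filter at the live log (`root_execs < /var/log/audit/audit.log`) gives a quick view of what the rules are capturing, independent of ausearch.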