I would like to have a log file that contains an entry for every time a user runs any suid program, containing the user name, the program and any command line arguments passed to it. Is there a standard way to achieve this on Linux?
You can log all invocations of a specific executable (setuid or not) through the audit subsystem. The documentation is rather sparse; start with the auditctl man page, or perhaps this tutorial. Most recent distributions ship an auditd package. Install it and make sure the auditd daemon is running, then do

auditctl -A exit,always -F path=/path/to/executable -S execve

and watch the calls get logged in /var/log/audit/audit.log (or wherever your distribution has set this up).

– Gilles 'SO- stop being evil'
-F path=… with -F euid=0 -F 'uid!=0' or something like it. I can't see a hook in the setxid code invoked by execve nor a specific setxid watch in the audit subsystem. Or, of course, you can log every execve and postprocess. – Gilles 'SO- stop being evil' May 11 '11 at 20:41

auditd. – Faheem Mitha May 12 '11 at 15:35

find command to list all the SUID files: find / -xdev \( -perm -4000 \) -type f -print – Jul 18 '13 at 06:34

WARNING - 32/64 bit syscall mismatch, you should specify an arch. How do I specify the arch? – Nathan Aug 15 '14 at 00:20

-F arch=b64 to the command. – Nathan Aug 15 '14 at 00:22
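Pulling the answer and the comment thread together, as an added example that is not from the answer or its commenters: a small shell helper that turns the find listing of setuid files into auditctl rules (with the -F arch=b64 fix from the comments and a search key) and reduces the resulting audit.log records to user, program and arguments. The function names, the key suid_exec and the sample log records are my own constructions.

```shell
#!/bin/sh
# Added example (not from the answer): build audit rules for every setuid
# binary and reduce the resulting audit.log records to "who ran what, with
# which arguments". Function and key names are my own choices.
# Emit one audit rule per path read from stdin. -a always,exit appends (the
# answer's -A prepends); -F arch=b64 avoids the 32/64-bit syscall warning
# raised in the comments; -k tags the records so they are easy to search.
suid_audit_rules() {
    arch="${1:-b64}"
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s\n' "-a always,exit -F arch=$arch -F path=$path -S execve -k suid_exec"
    done
}

# Join the SYSCALL record (uid=, exe=) with the EXECVE record (a0=, a1=, ...)
# that shares its msg=audit(...) id. Arguments containing whitespace are
# hex-encoded by auditd and would need decoding (ausearch -i does this).
summarize_audit_log() {
    awk '
    function msgid(s) { match(s, /msg=audit\([^)]*\)/); return substr(s, RSTART, RLENGTH) }
    /^type=SYSCALL / && /key="suid_exec"/ {
        id = msgid($0)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^uid=/) uid[id] = substr($i, 5)      # not auid=/euid=/suid=
            if ($i ~ /^exe=/) exe[id] = substr($i, 6, length($i) - 6)
        }
    }
    /^type=EXECVE / {
        id = msgid($0); args = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^a[0-9]+=/) {
            v = $i; sub(/^a[0-9]+=/, "", v); gsub(/"/, "", v)
            args = (args == "" ? v : args " " v)
        }
        argv[id] = args
    }
    END { for (id in uid) printf "uid=%s exe=%s args=%s\n", uid[id], exe[id], argv[id] }
    ' | sort
}

# Constructed sample records (two setuid execs), in audit.log's native format.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1407999600.123:42): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b a1=3c4d a2=5e6f a3=0 items=2 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="passwd" exe="/usr/bin/passwd" key="suid_exec"
type=EXECVE msg=audit(1407999600.123:42): argc=2 a0="passwd" a1="-S"
type=CWD msg=audit(1407999600.123:42): cwd="/home/alice"
type=SYSCALL msg=audit(1407999601.500:43): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b a1=3c4d a2=5e6f a3=0 items=2 ppid=2001 pid=2003 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="sudo" exe="/usr/bin/sudo" key="suid_exec"
type=EXECVE msg=audit(1407999601.500:43): argc=4 a0="sudo" a1="-l" a2="-U" a3="bob"'

# Live use (needs root): find / -xdev -perm -4000 -type f | suid_audit_rules > /etc/audit/rules.d/suid.rules
printf '%s\n' /usr/bin/passwd /usr/bin/sudo | suid_audit_rules b64
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_audit_log
```

On a real host, load the generated file with augenrules --load (or auditctl -R) and use ausearch -k suid_exec -i to get user names instead of numeric uids.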