Log Every Invocation of SUID Programs – Security Logging in Linux

linuxlogsSecurity

I would like to have a log file that contains an entry for every time a user runs any suid program, containing the user name, the program and any command line arguments passed to it. Is there a standard way to achieve this on Linux?

Best Answer

You can log all invocations of a specific executable (setuid or not) through the audit subsystem. The documentation is rather sparse; start with the auditctl man page, or perhaps this tutorial. Most recent distributions ship an auditd package. Install it and make sure the auditd daemon is running, then do

auditctl -A exit,always -F path=/path/to/executable -S execve

and watch the calls get logged in /var/log/audit/audit.log (or wherever your distribution has set this up).

Related Solutions

Shell – Show command executed along with output in log file

Using the shell built-in set -x is probably the cheap-and-dirty way to do this. In shell scripts you will often see a line like:

#set -x

Which someone left behind by just commenting it out. I think you could use that at the interactive command line, but you may not like what it does there.

Linux – all the posibilities of storing a log file

Since the operating system you are using is missing, a more generic approach could be: Create a directory with the name of your app(say, foo) inside /var/log

# mkdir /var/log/foo

Most of all unix-like OSs will allow you to navigate through var_log folders, but not to view the logfiles contents(as expected).

Give the ownership to the user that you are using to run your program, and permission to this user(only) to see/write those logfiles

# chown userfoo /var/log/foo
# chmod 600 /var/log/foo

You could play with groups too, giving read access to operators for example(and of course, a different permission set of chmod, like 640.

Done. This should be generic enough to any Unix like system, and maybe, a better approach than adding a user to administrative groups.

Best Answer

Related Solutions

Shell – Show command executed along with output in log file

Linux – all the posibilities of storing a log file

Related Question