I would like to have a log file that contains an entry for every time a user runs any suid program, containing the user name, the program and any command line arguments passed to it. Is there a standard way to achieve this on Linux?
Log Every Invocation of SUID Programs – Security Logging in Linux
linux, logs, security
Best Answer
You can log all invocations of a specific executable (setuid or not) through the audit subsystem. The documentation is rather sparse; start with the auditctl man page, or perhaps this tutorial. Most recent distributions ship an auditd package. Install it and make sure the auditd daemon is running, then do and watch the calls get logged in /var/log/audit/audit.log (or wherever your distribution has set this up).
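
The answer above covers one executable; the following added example (not part of the original answer) goes further and generates one audit rule for every setuid file found on the system. The key name suid-exec and the rules file path shown in the comments are assumptions; adjust them to your distribution.

```shell
#!/bin/sh
# Added example: build audit rules that log execution of every setuid binary.
# Assumption: the key name below is an arbitrary label chosen for this example.
AUDIT_KEY="suid-exec"

# Print regular files that have the setuid bit, one per line.
# -xdev keeps find on the filesystem of each starting directory.
find_suid() {
    for root in "$@"; do
        find "$root" -xdev -type f -perm -4000 2>/dev/null
    done
}

# Read paths on stdin and write audit.rules lines on stdout.
# perm=x matches execution of the file; -k tags the records for ausearch.
suid_rules() {
    LC_ALL=C sort -u | while IFS= read -r path; do
        case "$path" in
            /*) ;;                 # audit path rules need absolute paths
            *) continue ;;
        esac
        case "$path" in
            *" "*)                 # the rules file splits fields on spaces
                printf '%s\n' "# skipped (space in path): $path"
                continue ;;
        esac
        printf '%s\n' "-a always,exit -F path=$path -F perm=x -k $AUDIT_KEY"
    done
}

# Typical use as root (rules directory is an assumption about your distro):
#   find_suid / > /tmp/suid.list
#   suid_rules < /tmp/suid.list > /etc/audit/rules.d/suid-exec.rules
#   augenrules --load
# Review what was logged, with numeric ids translated to names:
#   ausearch -k suid-exec -i
# Each event carries a SYSCALL record (auid, uid, exe) and an EXECVE
# record (the argument list a0, a1, ...).
```

Re-run the generator after package installs or upgrades, since newly added setuid files are not covered until a rule exists for them.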