Recently I was asked to create a user for a company which does IT support for us, and to give that user sudo privileges, of course. I did that, but it did not feel right. Even though it is a company computer, I still treat it as mine. Well, those IT guys could not even install Ubuntu properly: everything is on the same partition, even /home! Why should I trust them? So I looked for a way to add an audit trail to spy on them.
The first audit system I enabled was the GNU Accounting utilities package:
sudo apt-get install acct
That one works without configuration, but only gathers the most basic information. Still, it is useful for tracking someone who does not mind being tracked. Some useful commands:
# Print statistics on who used system resources
sa -m
# Print commands executed by a certain user
lastcomm odduser
# Print login statistics by day
ac -d
But there is a better system. It is part of the Linux kernel and logs syscall invocations. That is much more powerful, but requires some configuration. There is documentation from Red Hat which helped me a lot.
# Install user space utilities
sudo apt-get install auditd
# List example configurations provided
sudo dpkg -L auditd | grep examples/
# Edit the rules
sudo nano /etc/audit/audit.rules
There is a lot to configure. For example, I limited the scope of most of my rules with "-F auid>=1001". That leaves my own (uid 1000) actions unaccounted for. At least I am not spying on myself :) I did not copy any of the ready-to-use configurations. I spent an hour reading about each rule and deciding on the proper form of each rule I want. I think this is generally a good practice. Once configuration is done, the only thing left is to check the report every so often (you can cron it, of course).
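To show what such a scoped rule set looks like, here is an added example (not the author's actual rules): a small audit.rules file limited to the support accounts with "-F auid>=1001", using the same "delete" and "export" keys that appear in the reports further down. It assumes an x86_64 Ubuntu with auditd installed and rules loaded from /etc/audit/audit.rules as above. One detail worth knowing: an unset login uid is stored as 4294967295, so daemons and cron jobs would otherwise satisfy auid>=1001; the rules exclude it explicitly.

```shell
#!/bin/sh
# Added example (not the author's rule set): writes a small audit.rules
# file scoped to the support accounts (auid >= 1001) to the path given as $1.
# Assumes an x86_64 Ubuntu with auditd installed; load the result with
#   sudo auditctl -R /etc/audit/audit.rules   (or restart auditd).
write_audit_rules() {
    cat > "$1" <<'EOF'
# Flush existing rules, enlarge the backlog, print a kernel message on failure
-D
-b 8192
-f 1

# Every command run by uids >= 1001. A login uid of 4294967295 means "unset"
# (daemons, cron) and would otherwise match the >= 1001 scope, so exclude it.
-a always,exit -F arch=b64 -S execve -F auid>=1001 -F auid!=4294967295 -k exec
-a always,exit -F arch=b32 -S execve -F auid>=1001 -F auid!=4294967295 -k exec

# File deletions and renames by those users (key "delete", as in the report)
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1001 -F auid!=4294967295 -k delete

# Mounting of removable media (key "export")
-a always,exit -F arch=b64 -S mount -F auid>=1001 -F auid!=4294967295 -k export

# Changes to sudo and account files by anyone, including uid 1000
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity

# Once the set is final: lock the rules until reboot (uncomment)
#-e 2
EOF
}

# Number of syscall rules that carry the auid>=1001 scope (a quick sanity check)
count_scoped_rules() {
    grep -c '^-a .*auid>=1001' "$1"
}
```

The "-w" watches deliberately have no auid filter: a change to sudoers or the account database is worth a record no matter who makes it, and those keys are what "aureport --key --summary" will list next to "delete" and "export".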
# Quick report on anything odd
sudo aureport --anomaly
# Summary report on which rules were triggered at all
sudo aureport --key --summary
# View a detailed report about one rule (this one prints all the mounted media devices)
sudo ausearch --key export --raw | aureport --file --summary
Some of these may produce interesting results. For example, guess which application deletes the most files?
ausearch --key delete --raw | aureport --summary -x

Executable Summary Report
=================================
total  file
=================================
3971  /usr/lib/firefox/firefox
645  /usr/lib/thunderbird/thunderbird
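The per-executable summary above is easy to reproduce by hand, which is handy when you want to check what aureport is counting or run the same question over a log copied off the machine. The following is an added example, not part of the original post: an awk filter over raw audit.log records that keeps SYSCALL records with a given key and a login uid of 1001 or higher, then counts them per executable. The sample records are constructed for the example (timestamps, pids and paths are made up); the real input would be /var/log/audit/audit.log or the output of "ausearch --raw".

```shell
#!/bin/sh
# Added example (not from the post): reproduce "which executable triggered
# rule X most" over raw audit.log records, restricted to the support
# accounts (auid >= 1001).

# Constructed sample records in /var/log/audit/audit.log format; the
# timestamps, pids and paths are made up for the example.
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1389200000.101:501): arch=c000003e syscall=87 success=yes exit=0 ppid=1 pid=2101 auid=1001 uid=1001 tty=pts0 ses=3 comm="firefox" exe="/usr/lib/firefox/firefox" key="delete"
type=PATH msg=audit(1389200000.101:501): item=1 name="/home/odduser/.cache/x" nametype=DELETE
type=SYSCALL msg=audit(1389200000.102:502): arch=c000003e syscall=87 success=yes exit=0 ppid=1 pid=2101 auid=1001 uid=1001 tty=pts0 ses=3 comm="firefox" exe="/usr/lib/firefox/firefox" key="delete"
type=SYSCALL msg=audit(1389200000.103:503): arch=c000003e syscall=263 success=yes exit=0 ppid=1 pid=2101 auid=1001 uid=1001 tty=pts0 ses=3 comm="firefox" exe="/usr/lib/firefox/firefox" key="delete"
type=SYSCALL msg=audit(1389200000.104:504): arch=c000003e syscall=87 success=yes exit=0 ppid=1 pid=2250 auid=1001 uid=1001 tty=pts0 ses=3 comm="thunderbird" exe="/usr/lib/thunderbird/thunderbird" key="delete"
type=SYSCALL msg=audit(1389200000.105:505): arch=c000003e syscall=87 success=yes exit=0 ppid=1 pid=2300 auid=1000 uid=1000 tty=pts1 ses=2 comm="rm" exe="/bin/rm" key="delete"
type=SYSCALL msg=audit(1389200000.106:506): arch=c000003e syscall=165 success=yes exit=0 ppid=1 pid=2400 auid=1001 uid=0 tty=pts0 ses=3 comm="mount" exe="/bin/mount" key="export"
EOF
}

# summarize_exe_by_key KEY: reads records on stdin, keeps SYSCALL records
# whose key matches KEY and whose login uid is >= 1001, and prints
# "<count> <executable>" lines, most frequent first.
summarize_exe_by_key() {
    awk -v want="$1" '
        /^type=SYSCALL / {
            auid = ""; exe = ""; key = ""
            # each field is name=value; values may be quoted
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                name = substr($i, 1, n - 1)
                value = substr($i, n + 1)
                gsub(/"/, "", value)
                if (name == "auid") auid = value
                else if (name == "exe") exe = value
                else if (name == "key") key = value
            }
            # auid 4294967295 means "unset" (daemons, cron): skip it as well
            if (key == want && auid + 0 >= 1001 && auid + 0 != 4294967295)
                count[exe]++
        }
        END { for (e in count) printf "%d %s\n", count[e], e }
    ' | sort -rn
}

# Usage: sample_log | summarize_exe_by_key delete
#    or: sudo ausearch --key delete --raw | summarize_exe_by_key delete
```

Note that the uid 1000 "rm" record drops out of the count because of the auid filter, while the "mount" record, run as root through sudo (uid=0), is still attributed to login uid 1001: that is exactly what auid is for, and why the rules key on it rather than on uid.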
I am reasonably happy with this level of auditing. And I am a bit surprised it was so hard to find any howto or guide on the subject. Maybe it is way too obvious for real Unix admins to write a howto about.