Audit trail in Linux

Recently I have been asked to created a user for a company, which does IT support for us. And give that user sudo privileges, of course. I did that, but it did not feel right. Even though it is a company computer I still treat it as mine. Well, those IT guys could not install Ubuntu properly - everything is on the same partition. Even /home! Why should I trust them? So I looked at the way to add an audit trail to spy on them.

First audit system I enabled was from The GNU Accounting utilities package:

sudo apt-get install acct

That one works without configuration, but only gathers the most basic information. Still useful to track someone, who do not mind being tracked. Some useful commands:

# Print statistics on who used system resources
sa -m
# Print commands executed by certain user
lastcomm odduser
# Print login statistics by days
ac -d

But there is a better system. It is part of the Linux Kernel and keeps logs syscall invokations. That is much more powerful, but requires some configuration. There is a documentation from Red Hat, which helped me a lot.

# Install user space utilities
sudo apt-get install auditd
# List example configurations provided
sudo dpkg -L auditd | grep examples/
# Edit the rules
sudo nano /etc/audit/audit.rules

There is a lot to configure. For example, I limited scope for most of my rules with "-F auid>=1001". That leaves my (uid 1000) actions unaccounted. At least I am not spying on myself :) I did not copy any of the ready-to-use configuration. I spent an hour reading about each rule and deciding what is the proper form of that rule I want. I think this is generally a good practice. After configuration is done, the only thing left is to check the report every so often (you can cron it, of course)

# Quick report on anything odd
sudo aureport --anomaly
# Summary report on which rules were triggered at all
sudo aureport --key --summary
# View detailed report about one rule (this one prints all the mounted media devices)
ausearch --key export --raw | aureport --file --summary

Some of those may produce interesting results. For example, guess which application deletes the most files?

ausearch --key delete --raw | aureport --summary -x

Executable Summary Report
total  file
3971  /usr/lib/firefox/firefox
645  /usr/lib/thunderbird/thunderbird

I am reasonably happy with this level of audit. And a bit surprised it was hard to find any howto/guide on the subject. Maybe it is way to obvious for real Unix amdins to write a howto about.