Recently I was asked to create a user for the company that does IT support for us, and to give that user sudo privileges, of course. I did that, but it did not feel right. Even though it is a company computer, I still treat it as mine. Well, those IT guys could not install Ubuntu properly: everything is on the same partition, even /home! Why should I trust them? So I looked for a way to add an audit trail to spy on them.
First audit system I enabled was from The GNU Accounting utilities package:
sudo apt-get install acct
That one works without configuration, but only gathers the most basic information. Still useful for tracking someone who does not mind being tracked. Some useful commands:
# Print statistics on who used system resources
sa -m
# Print commands executed by certain user
lastcomm odduser
# Print login statistics by days
ac -d
But there is a better system. It is part of the Linux kernel and logs syscall invocations. That is much more powerful, but requires some configuration. There is documentation from Red Hat, which helped me a lot.
# Install user space utilities
sudo apt-get install auditd
# List example configurations provided
sudo dpkg -L auditd | grep examples/
# Edit the rules
sudo nano /etc/audit/audit.rules
There is a lot to configure. For example, I limited the scope of most of my rules with "-F auid>=1001". That leaves my own (uid 1000) actions unaccounted for. At least I am not spying on myself :) I did not copy any of the ready-to-use configurations. I spent an hour reading about each rule and deciding what the proper form of the rule I wanted was. I think this is generally a good practice. After configuration is done, the only thing left is to check the report every so often (you can cron it, of course).
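As an added illustration (not the rules file from the original post), here is what a small /etc/audit/audit.rules written along those lines could look like. The auid threshold and the "delete" and "export" keys follow the post; the choice of syscalls, the sudoers watches and the buffer settings are my assumptions about what one would want to catch on such a machine:

```conf
# Hypothetical audit.rules for this setup (added example, not the author's file).
# Start from a clean rule set, give the kernel a larger event buffer,
# and only print a message (do not panic) if the buffer overflows.
-D
-b 8192
-f 1

# Scope: only sessions with a login uid of 1001 or higher (the support account),
# skipping auid 4294967295, the "unset" value used by daemons and boot-time tasks.
# Every rule needs a b64 and a b32 copy because the syscall numbers differ.

# File deletions and renames, reported on under the "delete" key in the post
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1001 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1001 -F auid!=4294967295 -k delete

# Mounting media (the "export" key the post queries with ausearch --key export)
-a always,exit -F arch=b64 -S mount -F auid>=1001 -F auid!=4294967295 -k export
-a always,exit -F arch=b32 -S mount -F auid>=1001 -F auid!=4294967295 -k export

# The support account has sudo; record any change to the sudo policy itself
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers

# Make the loaded rules immutable: changing them again requires a reboot
-e 2
```

After editing, load the file with `sudo auditctl -R /etc/audit/audit.rules` (or restart auditd) and confirm with `sudo auditctl -l`; with `-e 2` in place a rule typo is only fixable after a reboot, so check the list before adding that last line.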
# Quick report on anything odd
sudo aureport --anomaly
# Summary report on which rules were triggered at all
sudo aureport --key --summary
# View detailed report about one rule (this one prints all the mounted media devices)
ausearch --key export --raw | aureport --file --summary
Some of those may produce interesting results. For example, guess which application deletes the most files?
ausearch --key delete --raw | aureport --summary -x
Executable Summary Report
=================================
total file
=================================
3971 /usr/lib/firefox/firefox
645 /usr/lib/thunderbird/thunderbird
I am reasonably happy with this level of audit. And a bit surprised it was hard to find any howto/guide on the subject. Maybe it is way too obvious for real Unix admins to write a howto about.