12

I would like to have a log file that contains an entry for every time a user runs any suid program, containing the user name, the program and any command line arguments passed to it. Is there a standard way to achieve this on Linux?

asked by Kim; edited by Gilles 'SO- stop being evil'

1 Answer

7

You can log all invocations of a specific executable (setuid or not) through the audit subsystem. The documentation is rather sparse; start with the auditctl man page, or perhaps this tutorial. Most recent distributions ship an auditd package. Install it and make sure the auditd daemon is running, then do

auditctl -A exit,always -F path=/path/to/executable -S execve

and watch the calls get logged in /var/log/audit/audit.log (or wherever your distribution has set this up).

answered by Gilles 'SO- stop being evil'

Comments:

  • I guess one could write a script to first get all SUID binaries with find and then use your solution for each one. Not elegant, but certainly doable. Thanks! – Kim May 11 '11 at 20:31
  • @Kim: I think you can log all invocations of a setuid root binary by a not-root user by replacing `-F path=…` with `-F euid=0 -F 'uid!=0'` or something like it. I can't see a hook in [the setxid code invoked by `execve`](http://lxr.linux.no/linux+v2.6.38/fs/exec.c#L1219) nor a specific setxid watch in the [audit subsystem](http://lxr.linux.no/#linux+v2.6.38/kernel/auditsc.c). Or, of course, you can log every `execve` and postprocess. – Gilles 'SO- stop being evil' May 11 '11 at 20:41
  • Interesting. Never heard of this before. I wonder how widely used it is. Debian popcon doesn't have an entry for `auditd`. – Faheem Mitha May 12 '11 at 15:35
  • `find` command to list all the SUID files: `find / -xdev \( -perm -4000 \) -type f -print` – Jul 18 '13 at 06:34
  • @FaheemMitha It has a popcon entry: http://qa.debian.org/popcon-graph.php?packages=auditd – jofel Jul 18 '13 at 16:04
  • I am getting `WARNING - 32/64 bit syscall mismatch, you should specify an arch`. How do I specify the arch? – Nathan Aug 15 '14 at 00:20
  • Add `-F arch=b64` to the command. – Nathan Aug 15 '14 at 00:22
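The pieces of this thread (one rule per setuid file found by `find`, the `-F arch=b64` qualifier from the comments, and Gilles' "log every execve and postprocess" option) fit together in a short script. What follows is an added example written for this page, not code from the original answer or its comments. It assumes the audit package's `auditctl` and `ausearch`, a 64-bit kernel, a rule key named `setuid-exec` (an arbitrary label chosen here), and the audit record layout in which the SYSCALL and EXECVE records of one execve share the serial number in `msg=audit(TIME:SERIAL):`. The log lines embedded at the bottom are constructed for the demo, not captured output.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumes the audit package
# (auditctl, ausearch) and a 64-bit kernel; the rule key "setuid-exec" is an
# arbitrary label chosen here so events can be pulled back out with
# `ausearch -k setuid-exec`. On a 32-bit box use -F arch=b32 instead.

# List setuid files on local filesystems (the find from the comments,
# restricted to files that have the setuid bit set).
find_setuid() {
    find "${1:-/}" -xdev -perm -4000 -type f -print 2>/dev/null | sort
}

# Read one path per line on stdin and print one auditctl rule per path:
# every execve of that file (successful or not) is logged at syscall exit.
gen_setuid_rules() {
    while IFS= read -r f; do
        printf '%s\n' "-a always,exit -F arch=b64 -F path=$f -S execve -k setuid-exec"
    done
}

# Alternative suggested in Gilles' comment: a single rule for every execve
# that ends with euid 0 while the real uid is not 0, i.e. setuid-root programs
# run by ordinary users. Left as a comment here because it is not exercised
# by the demo below:
#   auditctl -a always,exit -F arch=b64 -S execve -F euid=0 -F 'uid!=0' -k setuid-root-exec

# Post-process audit.log read from stdin. Each execve yields several records
# sharing the serial in msg=audit(TIME:SERIAL): a SYSCALL record carrying
# uid/euid/exe and an EXECVE record carrying argc and a0..aN. Join them and
# print one line per execve. With argument 1, print only events where
# uid != euid, which is what a setuid run looks like after the exec.
summarize_execs() {
    awk -v only_setuid="${1:-0}" '
    function serial(line,    s) {
        if (!match(line, /msg=audit\([0-9.]+:[0-9]+\):/)) return ""
        s = substr(line, RSTART, RLENGTH)
        sub(/^msg=audit\([0-9.]+:/, "", s)   # strip "msg=audit(TIME:"
        sub(/\):$/, "", s)                   # strip trailing "):"
        return s
    }
    # value of " name=value" in line, surrounding quotes removed
    function field(line, name,    v) {
        if (!match(line, " " name "=[^ ]*")) return ""
        v = substr(line, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
        gsub(/"/, "", v)
        return v
    }
    $1 == "type=SYSCALL" {
        id = serial($0); order[++n] = id
        uid[id] = field($0, "uid"); euid[id] = field($0, "euid"); exe[id] = field($0, "exe")
    }
    $1 == "type=EXECVE" {
        id = serial($0); argc = field($0, "argc") + 0; a = ""
        for (i = 0; i < argc; i++) a = a (i ? " " : "") field($0, "a" i)
        args[id] = a
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            if (only_setuid && uid[id] == euid[id]) continue
            printf "uid=%s euid=%s exe=%s args=%s\n", uid[id], euid[id], exe[id], args[id]
        }
    }'
}

# Constructed sample log (not real output): uid 1000 running passwd, which is
# setuid root, followed by root running ls.
SAMPLE_LOG='type=SYSCALL msg=audit(1305145890.123:201): arch=c000003e syscall=59 success=yes exit=0 a0=55d3c2a4b6c0 a1=55d3c2a4b7e0 a2=55d3c2a4c100 a3=0 items=2 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="passwd" exe="/usr/bin/passwd" key="setuid-exec"
type=EXECVE msg=audit(1305145890.123:201): argc=2 a0="passwd" a1="alice"
type=CWD msg=audit(1305145890.123:201): cwd="/home/alice"
type=SYSCALL msg=audit(1305145890.456:202): arch=c000003e syscall=59 success=yes exit=0 a0=55d3c2a4b6c0 a1=55d3c2a4b7e0 a2=55d3c2a4c100 a3=0 items=2 ppid=3000 pid=3001 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="ls" exe="/bin/ls" key="all-exec"
type=EXECVE msg=audit(1305145890.456:202): argc=3 a0="ls" a1="-l" a2="/tmp"'

# Demo on the constructed sample. On a live box, load the rules with
#   find_setuid / | gen_setuid_rules | while read -r r; do auditctl $r; done
# and feed `ausearch -k setuid-exec --raw` or /var/log/audit/audit.log to
# summarize_execs instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_execs 1
```

Two caveats a practitioner should keep in mind. First, the EXECVE record hex-encodes any argument that contains whitespace or non-printable bytes, so a production parser has to decode those; the sample above only uses plain arguments. Second, `-F path=` matches the file by inode at rule-load time, so rules have to be regenerated after a package upgrade replaces a setuid binary, which is one reason the single euid/uid rule from the comment is attractive.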