Suppose a user runs the following command:

zcat file.gz | grep something | gzip > grepped.gz

I'm looking for a kernel feature (a BPF filter perhaps?) that would note all of the execves, chain together their stdins/stdouts and reconstruct that in a similar form, putting it into system logs. Is there a way to do that without interfacing with the shells?

d33tah
  • You want to enable and configure `auditd`. Logs can be quite large and should be rotated regularly. You can pare down the rules to limit what gets logged. – doneal24 May 10 '23 at 12:38

1 Answer

Using process-accounting

The package is usually named psacct or acct.

Install the needed package:

sudo apt install acct

Start the daemon to automatically enable process accounting:

sudo systemctl enable --now acct.service

To check the last run commands, execute `lastcomm`.

Using auditd

Install the auditd daemon.

Enable it on boot:

sudo systemctl enable auditd

Add the following rule:

sudo auditctl -a always,exit -F arch=b64 -S execve -k search_comment

Now, to view logged messages for all users:

sudo ausearch -k search_comment

or search by a specific UID:

sudo ausearch -k search_comment -ui 1000
DaG
  • Thanks! Isn't it going to keep them in an unstructured, strace-like kind of format, as opposed to storing entire commands? – d33tah May 11 '23 at 06:32
  • Kernel logs process accounting data in binary format with [this](https://man7.org/linux/man-pages/man5/acct.5.html) structure. Auditd logs in human-readable format: [definitions of fields in the log file](https://github.com/linux-audit/audit-documentation/wiki#documentation) – DaG May 11 '23 at 07:27
  • That's not exactly my question. It's more about: can I easily reconstruct a complex pipeline (with stdin, stdout) based on that information, or is it too fine-grained? – d33tah May 12 '23 at 09:32
  • It is possible to include the `pipe` syscall in the `-S` switch by using `-S execve,pipe` and correlating the timestamps of the relevant syscalls. While this method may not be a simple approach, it's worth noting that users are not required to log all of their commands by changing environment values such as PS1 to point to **logger** or other tools that rely on LD_PRELOAD. – DaG May 12 '23 at 11:21
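The correlation sketched in the answer and its comments, as an added example that is not part of the original answer: a small Python parser that merges raw audit SYSCALL and EXECVE records that share one serial number, then groups sibling execve calls from the same parent pid that start within a short window into one pipeline. The log lines are constructed for illustration, and the parent-pid plus time-window grouping is a heuristic assumption of this example, not something audit records directly.

```python
import re

# Constructed sample in the shape of raw audit records (as written to audit.log)
# for `zcat file.gz | grep something | gzip` run from shell pid 4321, followed by
# an unrelated `ls -l`. Pids, timestamps and serials are invented.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1683800000.101:1001): arch=c000003e syscall=59 success=yes exit=0 ppid=4321 pid=4400 uid=1000 comm="zcat" exe="/usr/bin/zcat" key="search_comment"
type=EXECVE msg=audit(1683800000.101:1001): argc=2 a0="zcat" a1="file.gz"
type=SYSCALL msg=audit(1683800000.102:1002): arch=c000003e syscall=59 success=yes exit=0 ppid=4321 pid=4401 uid=1000 comm="grep" exe="/usr/bin/grep" key="search_comment"
type=EXECVE msg=audit(1683800000.102:1002): argc=2 a0="grep" a1="something"
type=SYSCALL msg=audit(1683800000.103:1003): arch=c000003e syscall=59 success=yes exit=0 ppid=4321 pid=4402 uid=1000 comm="gzip" exe="/usr/bin/gzip" key="search_comment"
type=EXECVE msg=audit(1683800000.103:1003): argc=1 a0="gzip"
type=SYSCALL msg=audit(1683800009.500:1004): arch=c000003e syscall=59 success=yes exit=0 ppid=4321 pid=4410 uid=1000 comm="ls" exe="/usr/bin/ls" key="search_comment"
type=EXECVE msg=audit(1683800009.500:1004): argc=2 a0="ls" a1="-l"
"""

MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')   # timestamp:serial
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')              # key=value or key="value"

def parse_events(text):
    """Merge the SYSCALL and EXECVE records that share one audit serial into one event."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ts, serial = float(m.group(1)), int(m.group(2))
        ev = events.setdefault(serial, {"ts": ts, "argv": []})
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "SYSCALL":
            ev.update(pid=int(fields["pid"]), ppid=int(fields["ppid"]), uid=int(fields["uid"]))
        elif fields.get("type") == "EXECVE":
            # Simplification: arguments with spaces/special bytes are hex-encoded in
            # raw records (ausearch -i decodes them); this example does not decode them.
            ev["argv"] = [fields[f"a{i}"] for i in range(int(fields["argc"]))]
    return sorted(events.values(), key=lambda e: (e["ts"], e["pid"]))

def reconstruct_pipelines(events, window=0.5):
    """Heuristic (assumption): a shell forks every stage of a pipeline from the same
    parent pid, left to right, within milliseconds, so sibling execs inside `window`
    seconds are rendered as one `a | b | c` command line."""
    pipelines, open_groups = [], {}
    for ev in events:
        grp = open_groups.get(ev["ppid"])
        if grp and ev["ts"] - grp[-1]["ts"] <= window:
            grp.append(ev)
        else:
            grp = [ev]
            open_groups[ev["ppid"]] = grp
            pipelines.append(grp)
    return [" | ".join(" ".join(e["argv"]) for e in grp) for grp in pipelines]

if __name__ == "__main__":
    print("\n".join(reconstruct_pipelines(parse_events(SAMPLE_LOG))))
```

The window heuristic cannot see redirections such as `> grepped.gz` (those are open/dup2 calls in the shell, not execve), and two unrelated commands started from the same shell within the window would be merged, so treat the output as a reconstruction aid rather than an exact record.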