How to enable command line audit logging in linux

Still need help?

The Atlassian Community is here for you.

Ask the community


Purpose

To record all commands entered into the shell in a linux environment to a log file. This can be useful for auditing user actions or for security audits.

This is not specific to Confluence or any product, but it will audit command line actions including those things related to Confluence. Service restarts, all inputs from bash, and user actions should all be logged using this method. 

Solution

  1. Login to the linux box and assume root 

    sudo su - 
  2. Edit /etc/profile and add the following lines to the bottom of the file: 

    # command line audit logging
    function log2syslog
    {
       declare COMMAND
       COMMAND=$(fc -ln -0)
       logger -p local1.notice -t bash -i -- "${USER}:${COMMAND}"
    }
    trap log2syslog DEBUG
  3. Save and exit /etc/profile
  4. Edit /etc/rsyslog.conf and add the following lines to the bottom of the file: 

    # command line audit logging
    local1.* -/var/log/cmdline
  5. Save and exit /etc/rsyslog.conf 
  6. Either restart the rsyslog service, or restart the whole machine to release all user sessions - forcing a reload of the bash profile and enacting the changes 

    /etc/init.d/rsyslog restart
  7. The audit logging will be visible under /var/log/syslog and /var/log/cmdline and will look like this: 

    Aug 22 15:04:39 ip-10-10-34-56 bash[15856]: jsmith:
    Aug 22 15:04:40 ip-10-10-34-56 bash[15859]: jsmith:#011 sudo su -
    Aug 22 15:04:43 ip-10-10-34-56 bash[15893]: root:
    Aug 22 15:04:49 ip-10-10-34-56 bash[15903]: root:#011 ls -lart /var/log
    Aug 22 15:05:01 ip-10-10-34-56 CRON[15927]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
    Aug 22 15:05:06 ip-10-10-34-56 bash[15937]: root:#011 ls -lart /var/log | grep cmd
    Aug 22 15:15:01 ip-10-10-34-56 CRON[17254]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
    Aug 22 15:17:01 ip-10-10-34-56 CRON[17513]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
    Aug 22 15:20:02 ip-10-10-34-56 bash[17921]: root:#011 cd /var/log
    Aug 22 15:20:03 ip-10-10-34-56 bash[17924]: root:#011 ls
    Aug 22 15:20:16 ip-10-10-34-56 bash[17969]: root:#011 service confluence restart
    Aug 22 15:20:16 ip-10-10-34-56 systemd[1]: Stopping SYSV: Confluence...
    Aug 22 15:20:16 ip-10-10-34-56 confluence[17975]: Stopping confluence
    Aug 22 15:20:16 ip-10-10-34-56 systemd[1]: Started Session c8 of user confluence.
    Aug 22 15:20:27 ip-10-10-34-56 confluence[17975]: confluence stopped successfully
    Aug 22 15:20:27 ip-10-10-34-56 systemd[1]: Stopped SYSV: Confluence.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[1]: Starting SYSV: Confluence...
    Aug 22 15:20:27 ip-10-10-34-56 confluence[18103]: Starting confluence
    Aug 22 15:20:27 ip-10-10-34-56 systemd[1]: Stopping User Manager for UID 1300...
    Aug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Stopped target Default.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Stopped target Basic System.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Stopped target Paths.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Stopped target Timers.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Reached target Shutdown.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Starting Exit the Session...
    Aug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Stopped target Sockets.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[20231]: Received SIGRTMIN+24 from PID 18107 (kill).
    Aug 22 15:20:27 ip-10-10-34-56 systemd[1]: Stopped User Manager for UID 1300.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[1]: Removed slice User Slice of confluence.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[1]: Created slice User Slice of confluence.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[1]: Starting User Manager for UID 1300...
    Aug 22 15:20:27 ip-10-10-34-56 systemd[1]: Started Session c9 of user confluence.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[18113]: Reached target Paths.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[18113]: Reached target Timers.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[18113]: Reached target Sockets.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[18113]: Reached target Basic System.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[18113]: Reached target Default.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[18113]: Startup finished in 9ms.
    Aug 22 15:20:27 ip-10-10-34-56 systemd[1]: Started User Manager for UID 1300.
    Aug 22 15:20:28 ip-10-10-34-56 systemd[1]: Started SYSV: Confluence.
    Aug 22 15:20:41 ip-10-10-34-56 bash[18207]: root:#011 ls
    Aug 22 15:20:54 ip-10-10-34-56 bash[18271]: root:#011 less syslog
  8. You may consider saving the log on an NFS mount and/or pushing the syslog logs to another machine.


Last modified on Aug 22, 2018

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.