Forum Discussion
Logging/Audit Binary Execution?
- Nov 15, 2022
if you're already familiar with auditd/auditctl rules, that's the way to go for that granular of an experience, but you would definitely want to configure syslog-ng to shoot your custom logging off-box as it will get very chatty; that IO overhead will impact system performance and fill your local disks quickly. Current rules on my 16.1.3 system:
[root@ltm3:Active:Standalone] rules.d # auditctl -l
-w /etc/selinux -p wa -k MAC-policy
Those can be modified (technically, I'd open a support case to inquire about supportability) but understand that any system patch/upgrade would wipe out that system configuration, so you'd need a process to make sure that persists.
tcpdump executions, however, are always already logged in /var/log/ltm:
[root@ltm3:Active:Standalone] auditd # cat /var/log/ltm | grep -i tcpdump
Nov 15 15:51:17 ltm3.test.local notice tmm[42230]: 013e0000:5: Tcpdump starting locally on 127.1.1.1:2 from 127.1.1.254:41639
Nov 15 15:51:17 ltm3.test.local notice tmm[42230]: 013e000b:5: Tcpdump starting DPT providers:Noise Provider
Nov 15 15:51:17 ltm3.test.local notice tmm1[42230]: 013e0000:5: Tcpdump starting locally on 127.1.1.2:2 from 127.1.1.254:41639
Nov 15 15:51:17 ltm3.test.local notice tmm1[42230]: 013e000b:5: Tcpdump starting DPT providers:Noise Provider
Nov 15 15:51:17 ltm3.test.local notice tmm[42230]: 013e0002:5: Tcpdump stopping on 127.1.1.1:2 from 127.1.1.254:41639
Nov 15 15:51:19 ltm3.test.local notice tmm1[42230]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.254:41639
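Because the 013e0000/013e0002 message IDs mark the start and stop of each capture, the /var/log/ltm lines above can be paired into capture sessions showing which controlling endpoint ran tcpdump, on which tmm, and for how long. This is an added example, not part of the post or an F5 tool; it uses the log lines quoted above as constructed input and assumes a year of 2022 for the year-less syslog timestamps.

```python
import re
from datetime import datetime

# Constructed input: the /var/log/ltm lines quoted in the post above.
SAMPLE_LTM_LOG = """\
Nov 15 15:51:17 ltm3.test.local notice tmm[42230]: 013e0000:5: Tcpdump starting locally on 127.1.1.1:2 from 127.1.1.254:41639
Nov 15 15:51:17 ltm3.test.local notice tmm[42230]: 013e000b:5: Tcpdump starting DPT providers:Noise Provider
Nov 15 15:51:17 ltm3.test.local notice tmm1[42230]: 013e0000:5: Tcpdump starting locally on 127.1.1.2:2 from 127.1.1.254:41639
Nov 15 15:51:17 ltm3.test.local notice tmm1[42230]: 013e000b:5: Tcpdump starting DPT providers:Noise Provider
Nov 15 15:51:17 ltm3.test.local notice tmm[42230]: 013e0002:5: Tcpdump stopping on 127.1.1.1:2 from 127.1.1.254:41639
Nov 15 15:51:19 ltm3.test.local notice tmm1[42230]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.254:41639
"""

# Matches only the start (013e0000) and stop (013e0002) messages shown in the post;
# the 013e000b "DPT providers" lines carry no endpoint information and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+ "
    r"(?P<tmm>tmm\d*)\[\d+\]: (?P<msgid>013e000[02]):\d+: "
    r"Tcpdump (?P<action>starting locally|stopping) on "
    r"(?P<local>\S+) from (?P<remote>\S+)$"
)

def parse_ts(ts, year):
    """Syslog timestamps omit the year, so the caller supplies it (assumed 2022 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def tcpdump_sessions(log_text, year=2022):
    """Pair each 'starting' line with its 'stopping' line per (tmm, local, remote)
    and return one record per capture; captures with no stop line are kept as open."""
    open_sessions, sessions = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["tmm"], m["local"], m["remote"])
        if m["action"] == "starting locally":
            open_sessions[key] = {"tmm": m["tmm"], "local": m["local"], "remote": m["remote"],
                                  "start": parse_ts(m["ts"], year), "stop": None, "duration_s": None}
        elif key in open_sessions:
            s = open_sessions.pop(key)
            s["stop"] = parse_ts(m["ts"], year)
            s["duration_s"] = int((s["stop"] - s["start"]).total_seconds())
            sessions.append(s)
    sessions.extend(open_sessions.values())  # still running when the log ends
    return sessions

def capture_sources(sessions):
    """Count capture sessions per controlling endpoint address (port stripped)."""
    counts = {}
    for s in sessions:
        host = s["remote"].rsplit(":", 1)[0]
        counts[host] = counts.get(host, 0) + 1
    return counts
```

An open session left in the result (stop is None) is a capture that was still running when the log was collected, which is the case worth a closer look in a review of who has been sniffing traffic on the box.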