Forum Discussion
Logging/Audit Binary Execution?
Hey Everyone,
We're looking to enable logging of binary execution or CLI history, much like we can do in Linux using auditd. I've read about support engineers using auditd for troubleshooting purposes, and while we can certainly enable auditd rules to capture binary executions in the auditd logs, I haven't seen anything mention using this on a consistent basis.
I'm sure some folks are asking, "Why?" but in our testing we found that it is possible for an attacker to copy nmap to the device and from there start scanning the network. We'd also like to log if/when someone launches, say, tcpdump.
I've been playing with this a bit and I can't seem to find anything anywhere that is logging which binaries are being run from the CLI, except when we enable specific auditd rules that capture this. This brings up the question of log storage on the device, since I've seen a number of posts regarding volumes running out of space due to audit logs growing uncontrolled.
Any advice/discussion/help is certainly appreciated!
If you're already familiar with auditd/auditctl rules, that's the way to go for that granular of an experience, but you would definitely want to configure syslog-ng to shoot your custom logging off-box as it will get very chatty; that IO overhead will impact system performance and fill your local disks quickly. Current rules on my 16.1.3 system:
[root@ltm3:Active:Standalone] rules.d # auditctl -l
-w /etc/selinux -p wa -k MAC-policy
Those can be modified (technically, I'd open a support case to inquire about supportability) but understand that any system patch/upgrade would wipe out that system configuration, so you'd need a process to make sure that persists.
tcpdump executions, however, are always already logged in /var/log/ltm:
[root@ltm3:Active:Standalone] auditd # cat /var/log/ltm | grep -i tcpdump
Nov 15 15:51:17 ltm3.test.local notice tmm[42230]: 013e0000:5: Tcpdump starting locally on 127.1.1.1:2 from 127.1.1.254:41639
Nov 15 15:51:17 ltm3.test.local notice tmm[42230]: 013e000b:5: Tcpdump starting DPT providers:Noise Provider
Nov 15 15:51:17 ltm3.test.local notice tmm1[42230]: 013e0000:5: Tcpdump starting locally on 127.1.1.2:2 from 127.1.1.254:41639
Nov 15 15:51:17 ltm3.test.local notice tmm1[42230]: 013e000b:5: Tcpdump starting DPT providers:Noise Provider
Nov 15 15:51:17 ltm3.test.local notice tmm[42230]: 013e0002:5: Tcpdump stopping on 127.1.1.1:2 from 127.1.1.254:41639
Nov 15 15:51:19 ltm3.test.local notice tmm1[42230]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.254:41639
- JRahm, Admin
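As an added example (not code from this thread, from F5, or from JRahm's system), here is an auditd execve rule set of the kind the original poster is asking about, together with a small awk detector that reads standard Linux audit records and flags executions of watched binaries such as nmap and tcpdump. The rules path /etc/audit/rules.d/, the watch list, and the audit records fed to it are assumptions and constructed samples; whether a rules file under that path survives a BIG-IP upgrade is exactly the caveat raised above, so treat the path as illustrative.

```shell
#!/bin/sh
# Added example (not from the DevCentral thread or F5): an auditd execve rule
# set plus a small detector that reads standard Linux audit records and flags
# executions of binaries on a watch list.  Assumes the stock auditd record
# format; the rules path and watch list are illustrative choices.

# Rules to drop into /etc/audit/rules.d/ (path assumed; on BIG-IP confirm the
# file survives upgrades and is within support, as noted in the thread).
# Every execve() on either ABI is tagged with the key "binary-exec".
audit_rules() {
  cat <<'EOF'
-a always,exit -F arch=b64 -S execve -k binary-exec
-a always,exit -F arch=b32 -S execve -k binary-exec
EOF
}

# Constructed sample audit records: one nmap run from /tmp, a benign ls, and a
# tcpdump run.  The SYSCALL and EXECVE records of one event share the serial
# number inside msg=audit(seconds.ms:serial).
sample_audit_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1700063477.123:4021): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=2211 pid=2299 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="nmap" exe="/tmp/nmap" key="binary-exec"
type=EXECVE msg=audit(1700063477.123:4021): argc=3 a0="/tmp/nmap" a1="-sS" a2="10.0.0.0/24"
type=SYSCALL msg=audit(1700063480.004:4022): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=2211 pid=2301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="binary-exec"
type=EXECVE msg=audit(1700063480.004:4022): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1700063499.550:4023): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=2211 pid=2310 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="tcpdump" exe="/usr/sbin/tcpdump" key="binary-exec"
type=EXECVE msg=audit(1700063499.550:4023): argc=3 a0="tcpdump" a1="-i" a2="0.0"
EOF
}

# Read audit records on stdin; print one line per watched binary executed:
#   <epoch seconds> auid=<login uid> exe=<path> argv=[<args>]
# auid (the login uid) survives su/sudo, so it names the person, not "root".
# auditd hex-encodes argv entries that contain spaces or quotes; those are
# passed through undecoded here.
flag_execs() {
  awk -v watch="nmap masscan nc ncat tcpdump" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) watched[w[i]] = 1 }
    {
      # event serial: the number after the colon in msg=audit(secs.ms:serial)
      match($0, /msg=audit\([0-9.]+:[0-9]+\)/)
      serial = substr($0, RSTART, RLENGTH); sub(/.*:/, "", serial); sub(/\)/, "", serial)
    }
    $1 == "type=SYSCALL" && /key="binary-exec"/ {
      match($0, /exe="[^"]*"/);       exe  = substr($0, RSTART + 5, RLENGTH - 6)
      match($0, /auid=[0-9]+/);        auid = substr($0, RSTART + 5, RLENGTH - 5)
      match($0, /msg=audit\([0-9]+/);  ts   = substr($0, RSTART + 10, RLENGTH - 10)
      base = exe; sub(/.*\//, "", base)          # match on basename, not full path
      if (base in watched) { hit[serial] = ts " auid=" auid " exe=" exe; order[++k] = serial }
    }
    $1 == "type=EXECVE" {
      args = ""
      for (i = 3; i <= NF; i++) if ($i ~ /^a[0-9]+=/) {
        v = $i; sub(/^a[0-9]+=/, "", v); gsub(/"/, "", v)
        args = args (args == "" ? "" : " ") v
      }
      argv[serial] = args
    }
    END { for (i = 1; i <= k; i++) { s = order[i]; print hit[s] " argv=[" argv[s] "]" } }
  '
}

# Stand-alone run: print the rules, then the flagged executions from the sample.
audit_rules
sample_audit_log | flag_execs
```

Matching on the basename rather than the full path is deliberate: the scenario in the question is an attacker copying nmap to the device, so it will not live where the package manager would have put it. A rule this broad fires on every execve, including the shells and helper binaries the system runs on its own, which is the disk-growth problem the thread describes; send the "binary-exec" keyed records off-box and let the detector run there rather than on the device.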
- Leslie_Hubertus, Ret. Employee
Hey there - sorry this one fell through the cracks! Just now seeing it pop up again, and made sure JRahm sees it.
I haven't found any setting for logging of binary execution/CLI history. As this is a very good question, it should go to review as an improvement feature. @JRahm please add your comments.
Thanks