auditd
1 Topic
Logging/Audit Binary Execution?
Hey Everyone, We're looking to enable logging of binary execution or cli history, much like we can do in Linux using auditd. I've read about support engineers using auditd for troubleshooting purposes and while we can certainly enable auditd rules to catpure binary executions in the auditd logs, I haven't seen anything mention using this on a consistent basis. I'm sure some folks are asking, "Why?" but in our testing we found that it is possible for an attacker to copy nmap to the device and from there start scanning the network. We'd also like to log if/when someone launches, say, tcpdump for instance. I've been playing with this a bit and I can't seem to find anything anywhere that is logging which binaries are being run from the cli, except when we enable specific auditd rules that captures this. This brings up the question of log storage on the device since I've seen a number of posts regarding volumes running out of space due to audit logs growing uncontrolled. Any advice/discussion/help is certainly appreciated!Solved1.2KViews0likes3Comments