Uberleet

Linux Systems Articles for better insights

Quickshell deploy AuditD


I'd run Ansible but the environment I'm in is too unpredictable for that right now. So here's some shell scripts I wrote to quickly activate auditd on hosts.

Ubuntu

```bash
#!/bin/bash
# Install auditd, record the keystrokes of SSH sessions via pam_tty_audit,
# and log every execve() performed with effective uid 0.
# Afterwards, the activity of a login user can be pulled with e.g.
#     ausearch -ua 1000      # auid=1000, the uid the session was opened with
set -e

apt-get update
apt-get install -y auditd

# Drop any existing pam_tty_audit line so the script can be re-run, then
# enable TTY auditing for all users of the sshd PAM stack.
sed -i '/pam_tty_audit.so/d' /etc/pam.d/sshd
echo 'session required pam_tty_audit.so enable=*' >> /etc/pam.d/sshd

# Append the execve rules only if they are not already present (idempotent).
# Note: on releases where auditd ships augenrules, /etc/audit/audit.rules is
# regenerated from /etc/audit/rules.d/*.rules at service start; put the rules
# in that directory instead if that is the case.
grep -- '-a exit,always -F arch=b64 -F euid=0 -S execve' \
    /etc/audit/audit.rules > /dev/null || {
    cat >> /etc/audit/audit.rules <<EOF
-a exit,always -F arch=b64 -F euid=0 -S execve
-a exit,always -F arch=b32 -F euid=0 -S execve
EOF
}

echo 'Ready to reboot.'
```
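Once the rules above are active, the useful part is reading what they produce. The following is an added example, not part of the original post: a small bash/awk script that pairs the SYSCALL and EXECVE records of each event by its event id (the number after the colon in `msg=audit(...)`), keeps the events that ran with euid 0, and optionally narrows to one auid the way `ausearch -ua` does. The audit.log lines it reads are constructed sample input, and the function name `root_execs` is the author's own choice here, not an auditd tool.

```bash
#!/bin/bash
# Added example: summarise execve events recorded with euid=0 from an
# audit.log-style file, optionally restricted to one login uid (auid).

# Constructed sample records in auditd's SYSCALL/EXECVE format (not real logs).
AUDIT_SAMPLE=$(mktemp)
trap 'rm -f "$AUDIT_SAMPLE"' EXIT
cat > "$AUDIT_SAMPLE" <<'EOF'
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key=(null)
type=EXECVE msg=audit(1700000000.123:456): argc=2 a0="id" a1="-u"
type=SYSCALL msg=audit(1700000001.500:457): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1700000001.500:457): argc=1 a0="ls"
type=SYSCALL msg=audit(1700000002.750:458): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1236 auid=1001 uid=0 gid=0 euid=0 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key=(null)
type=EXECVE msg=audit(1700000002.750:458): argc=2 a0="cat" a1="/etc/shadow"
EOF

# root_execs FILE [AUID]
# Prints one line per execve event that ran with euid=0:
#   <event id> auid=<login uid> exe=<binary> argv=<reconstructed command line>
# If AUID is given, only events opened by that login uid are shown.
root_execs() {
    awk -v want_auid="${2:-}" '
    # Return the value of "name=value" in record s, with quotes stripped.
    function field(s, name,   m) {
        if (match(s, " " name "=[^ ]*")) {
            m = substr(s, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
            gsub(/"/, "", m)
            return m
        }
        return ""
    }
    {
        # The event id ties the SYSCALL record to its EXECVE record.
        if (match($0, /:[0-9]+\)/)) id = substr($0, RSTART + 1, RLENGTH - 2)
        if ($1 == "type=SYSCALL") {
            auid[id] = field($0, "auid")
            euid[id] = field($0, "euid")
            exe[id]  = field($0, "exe")
        } else if ($1 == "type=EXECVE") {
            argc = field($0, "argc") + 0   # force numeric comparison
            argv = ""
            for (i = 0; i < argc; i++)
                argv = argv (i ? " " : "") field($0, "a" i)
            args[id] = argv
        }
    }
    END {
        for (id in auid)
            if (euid[id] == "0" && (want_auid == "" || auid[id] == want_auid))
                print id, "auid=" auid[id], "exe=" exe[id], "argv=" args[id]
    }' "$1" | sort
}

# Stand-alone run: everything executed as root, then only auid 1001.
root_execs "$AUDIT_SAMPLE"
root_execs "$AUDIT_SAMPLE" 1001
```

On a live host the file argument would be `/var/log/audit/audit.log`; the euid filter mirrors the `-F euid=0` rule, so events that the rule never matched (the `ls` run as uid 1000 above) do not appear.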

Redhat

Todo