Monitor command execution from servers

sang thanh

Oct 10, 2022, 4:39:27 AM
to Wazuh mailing list
Hi guys,

I'm looking for a way to monitor the full commands executed by users in Linux.

I walked through this link, but I'm not sure it collects all commands.

Can you give me the instructions or a link on how to do that?

Thanks

Jesus Linares

Oct 10, 2022, 5:34:52 AM
to Wazuh mailing list
Hello,

The link that you mentioned is for executing commands in the agents remotely from the manager.


What we do is monitor system calls using auditd. For example, these auditd rules will audit all commands run by a user who has admin privileges:
  • auditctl -a exit,always -F euid=0 -F arch=b64 -S execve -k audit-wazuh-c
  • auditctl -a exit,always -F euid=0 -F arch=b32 -S execve -k audit-wazuh-c
The command is logged in /var/log/audit/audit.log and the Wazuh agent reads that file. Then, the manager will trigger an alert based on the corresponding decoders/rules.

Check the documentation for more information.

I hope it helps.
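The decoding step the reply describes on the manager side can be illustrated with a small parser. The following Python is an added example, not code from the thread or from Wazuh's own decoders: it stitches the SYSCALL, EXECVE and CWD records of one audit event together by serial number, keeps only events tagged with the audit-wazuh-c key from the rules above, and decodes the hex-encoded arguments auditd emits for values containing spaces. The log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log: two execve events tagged audit-wazuh-c, plus an unrelated open() event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1665390892.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="audit-wazuh-c"
type=EXECVE msg=audit(1665390892.123:456): argc=2 a0="cat" a1="/etc/shadow"
type=CWD msg=audit(1665390892.123:456): cwd="/root"
type=SYSCALL msg=audit(1665390900.500:457): arch=c000003e syscall=59 success=yes exit=0 a0=55e1 a1=55e2 a2=55e3 a3=0 items=2 ppid=2001 pid=2010 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="echo" exe="/usr/bin/echo" key="audit-wazuh-c"
type=EXECVE msg=audit(1665390900.500:457): argc=2 a0="echo" a1=68656C6C6F20776F726C64
type=SYSCALL msg=audit(1665390905.000:458): arch=c000003e syscall=2 success=yes exit=3 a0=0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=999 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="other-key"
"""

# Record header: type=<TYPE> msg=audit(<timestamp>:<serial>): <key=value fields>
HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def unquote(raw):
    """auditd quotes plain strings; values with spaces or control chars are emitted as unquoted hex."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-F]+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw

def execve_events(log_text, key='audit-wazuh-c'):
    """Join the records of each audit event by serial and return the execve events tagged with `key`."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, ts, serial, body = m.groups()
            events[serial][rtype] = (ts, dict(FIELD.findall(body)))
    out = []
    for serial, recs in events.items():
        if 'SYSCALL' not in recs or 'EXECVE' not in recs:
            continue  # not an execve event (e.g. the open() record above)
        ts, sc = recs['SYSCALL']
        if unquote(sc.get('key', '')) != key:
            continue
        ex = recs['EXECVE'][1]
        argv = [unquote(ex[f'a{i}']) for i in range(int(ex.get('argc', '0'))) if f'a{i}' in ex]
        out.append({
            'serial': int(serial), 'ts': float(ts),
            'auid': sc.get('auid'),   # login uid: stays the original user even after sudo/su
            'euid': sc.get('euid'),   # effective uid the rule filtered on (0 for the rules above)
            'exe': unquote(sc.get('exe', '')),
            'cwd': unquote(recs['CWD'][1]['cwd']) if 'CWD' in recs else '',
            'cmd': ' '.join(argv),
        })
    return out
```

Because the rules filter on euid=0, a command run through sudo shows euid=0 but keeps the invoking user's auid, which is the field to alert on when attributing the command to a person.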

sang thanh

Oct 12, 2022, 4:20:32 AM
to Wazuh mailing list
Understood, thank you so much.

On Monday, October 10, 2022 at 16:34:52 UTC+7, Jesus Linares wrote: