
I'm trying to audit an automated task that connects to my server and executes some commands.
I would like to know everything it does.
Currently I'm trying these rules in my audit.rules file.

-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve

Those lines are OK to audit binary commands. But if I exec something else like "foo" it is not logged. I need a rule that can also log commands that are not found, or command attempts. Is it possible?

Leandro

1 Answer

No, you don't want auditd to log "absolutely everything". Logging every syscall produces an enormous number of log entries, consuming a lot of storage space, with very few interesting events in the noise.

At least filter auditd to the specific user running this automation.
Yes, auditd is good at logging execve, but not at capturing everything entered into a shell. auditd's kernel perspective makes for poor visibility into what the shell is doing in user space. For that, you'll want an automation tool with more robust logging, or shell tricks.

When debugging bash shell scripts, consider which set builtins will improve the experience: set -e to exit immediately on a non-zero return code, set -o xtrace to print all commands.

Also, you can enable history in non-interactive shells by exporting the relevant environment variables and using set -o history.

John Mahowald
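As an added example (it is not code from the question or the answer), the two pieces the answer points at: the question's execve rules narrowed to one login uid (auid) and tagged with a search key, and a small wrapper that runs the automation's command string in a non-interactive bash with xtrace and history written to log files. A command that does not exist, like "foo" in the question, never reaches execve, so auditd's execve rule cannot see it, but the trace and the history file both record the attempt. The uid (1001), the key name and the log paths are assumptions; the wrapper needs bash 4.1 or newer for BASH_XTRACEFD.

```shell
#!/usr/bin/env bash
# Added example; not code from the question or the answer above.
# 1. audit_rules_for_uid: the execve rules from the question, limited to one
#    login uid (auid) and tagged with a key, as the answer recommends.
# 2. run_traced: run a command string in a non-interactive bash with
#    xtrace and history written to log files, so that an attempt to run a
#    command that does not exist (which never reaches execve) is recorded.
# The uid (1001), key name and log paths used below are assumptions.

# Print execve rules limited to one login uid.
# usage: audit_rules_for_uid <uid> [key]
audit_rules_for_uid() {
  local uid=$1
  local key=${2:-automation}
  printf '%s\n' "-a always,exit -F arch=b64 -S execve -F auid=$uid -k $key"
  printf '%s\n' "-a always,exit -F arch=b32 -S execve -F auid=$uid -k $key"
}

# Run a command string under xtrace and history.
# usage: run_traced <command-string> <trace-log> <history-log>
# The command string is written into a temporary wrapper script so that
# bash reads it as ordinary input lines, which is what history records.
# Returns the exit status of the last command in the string.
run_traced() {
  local cmd=$1
  local trace_log=$2
  local hist_log=$3
  local wrapper status
  wrapper=$(mktemp) || return 1
  {
    # xtrace on its own fd so it does not mix with the task's own output
    printf 'exec {BASH_XTRACEFD}>>"%s"\n' "$trace_log"
    # timestamp and line number in front of every traced command
    printf "PS4='+ \$(date +%%FT%%T) line \$LINENO: '\n"
    # history in a non-interactive shell: point HISTFILE somewhere, then enable it
    printf 'HISTFILE="%s" HISTSIZE=10000 HISTFILESIZE=10000\n' "$hist_log"
    printf 'set -o history\n'
    printf 'set -o xtrace\n'
    printf '%s\n' "$cmd"
    printf 'status=$?\n'
    printf 'set +o xtrace\n'
    printf 'history -a\n'
    printf 'exit "$status"\n'
  } > "$wrapper"
  bash --norc --noprofile "$wrapper"
  status=$?
  rm -f "$wrapper"
  return "$status"
}

# Demo: "foo" does not exist, so an execve rule never sees it, but the
# trace and the history file both show the attempt.
demo_dir=$(mktemp -d)
run_traced 'echo hello; foo' "$demo_dir/trace.log" "$demo_dir/history.log" 2>/dev/null \
  || echo "exit status: $? (127 = command not found)"
echo "--- trace ---";   cat "$demo_dir/trace.log"
echo "--- history ---"; cat "$demo_dir/history.log"
echo "--- audit rules for uid 1001 ---"
audit_rules_for_uid 1001
rm -rf "$demo_dir"
```

The trace shows every simple command with a timestamp and line number, including the failed "foo", while auditd with the execve rules above would only have recorded the successful echo (and only for uid 1001 once the auid filter is in place).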