
I wanted to monitor all the modifications made to a file on a Linux server (Red Hat). I did some research and found this auditing tool, which I have already installed and configured using the following commands:

yum install audit # installation

/etc/init.d/auditd start # started service

auditctl -w /root/file-name -p war -k password-file # configured rule to audit file 

ausearch -f /root/file-name    # Command to search modifications

It has recorded all of the modifications made to the specific file. Everything was good until I came across the following scenarios:

Case 1:

I deleted the file which I am monitoring with the aforementioned audit tool from the server using the following command:

rm -rf /root/file-name

It recorded the following results:

type=SYSCALL msg=audit(1540222267.321:1057): arch=c000003e syscall=2 success=yes exit=3 a0=7ffe22abf91a a1=941 a2=1b6 a3=7ffe22abed70 items=2 ppid=21053 pid=42458 auid=14628 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="touch" exe="/bin/rm" key="password-file"

Case 2: I deleted the file from a remote server using the following command:

ssh host "echo 'rm -rf /root/file-name'|sudo su - root"

It recorded the following results:

type=SYSCALL msg=audit(1540222588.196:1118): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=ce70c0 a2=0 a3=7fff52a6af40 items=2 ppid=42520 pid=42533 auid=14628 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm="rm" exe="/bin/rm" key="password-file"

Now the point that confuses me is why tty is recorded as (none) when I executed the command remotely. I have searched the web regarding this, but unfortunately I was not able to find anything that clarifies my confusion.

Could someone explain why it was recorded as tty=(none) in case 2?

Thanks in advance, please let me know if my question is unclear or something is missing, I will correct it.

Nisse Engström

1 Answer


When you give ssh a remote command to execute, it doesn't allocate an interactive tty, because one is not required. If you want to force tty allocation, use -t.

Michael Hampton
Don Simon
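To make the difference visible in the records themselves, here is an added Python example (not from the question or the answer) that parses the two SYSCALL records quoted in the question and reports, for each, whether the process had a controlling terminal and whether it ran under an escalated uid. The records are copied from the question; the syscall names are assumed for arch=c000003e (x86_64), which is what both records carry.

```python
import re

# The two SYSCALL records copied from the question above (both from an x86_64 host).
RECORDS = [
    'type=SYSCALL msg=audit(1540222267.321:1057): arch=c000003e syscall=2 success=yes exit=3 '
    'a0=7ffe22abf91a a1=941 a2=1b6 a3=7ffe22abed70 items=2 ppid=21053 pid=42458 auid=14628 '
    'uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="touch" '
    'exe="/bin/rm" key="password-file"',
    'type=SYSCALL msg=audit(1540222588.196:1118): arch=c000003e syscall=263 success=yes exit=0 '
    'a0=ffffffffffffff9c a1=ce70c0 a2=0 a3=7fff52a6af40 items=2 ppid=42520 pid=42533 auid=14628 '
    'uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm="rm" '
    'exe="/bin/rm" key="password-file"',
]

# Names for the x86_64 (arch=c000003e) syscall numbers that occur in the records above.
X86_64_SYSCALLS = {2: "open", 263: "unlinkat"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value or key="quoted value"
SERIAL_RE = re.compile(r'audit\(\d+\.\d+:(\d+)\)')  # event serial inside msg=audit(...)

def parse_record(line: str) -> dict:
    """Turn one audit record into a dict of field -> value (quotes stripped)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["serial"] = int(SERIAL_RE.search(line).group(1))
    return fields

def classify(line: str) -> dict:
    """Summarise one SYSCALL record. tty=(none) means the process had no controlling
    terminal, which is what a non-interactive 'ssh host "command"' run looks like;
    auid keeps the original login uid across sudo/su, so auid != uid marks escalation."""
    f = parse_record(line)
    num = int(f["syscall"])
    name = X86_64_SYSCALLS.get(num, str(num)) if f["arch"] == "c000003e" else str(num)
    return {
        "serial": f["serial"],
        "key": f["key"],
        "syscall": name,
        "exe": f["exe"],
        "interactive": f["tty"] != "(none)",
        "session": int(f["ses"]),
        "auid": int(f["auid"]),
        "uid": int(f["uid"]),
        "escalated": f["auid"] != f["uid"],
    }

def non_interactive_events(lines, key="password-file"):
    """Return the records under `key` that ran without a controlling terminal."""
    return [c for c in map(classify, lines) if c["key"] == key and not c["interactive"]]
```

Both records keep auid=14628 even though uid=0, so the original login is still attributable after `sudo su -`; only the tty field differs between the local and the remote run.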