I would like to have a log file that contains an entry for every time a user runs any suid program, containing the user name, the program and any command line arguments passed to it. Is there a standard way to achieve this on Linux?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
You can log all invocations of a specific executable (setuid or not) through the audit subsystem. The documentation is rather sparse; start with the auditctl man page, or perhaps this tutorial. Most recent distributions ship an auditd package. Install it and make sure the auditd daemon is running, then do
auditctl -A exit,always -F path=/path/to/executable -S execve
and watch the calls get logged in /var/log/audit/audit.log (or wherever your distribution has set this up).
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0