Auditbeat does not log all commands executed by users

Hi All,

How can I configure auditbeat to log all commands executed by users?

I am asking because when I execute the "echo test" command, it is not logged by auditbeat, but when I execute the "/usr/bin/echo test" command, it is logged successfully.

echo test is using a "shell built-in" (like env, export, etc.) and those do not generate process events because they are not new Linux processes. It's something that is happening within the existing shell process as opposed to executing an execve system call to launch a new process.

If you want to monitor what is being entered into a shell then one option is to enable the Linux pam_tty_audit module. This causes auditd events to be emitted as keystrokes are entered into the terminal.

1 Like
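
The builtin-versus-execve distinction described in the answer above can be checked per command. The script below is an added example, not part of either post: it predicts whether a command word would start a new process (and so produce a process event) or be handled inside the shell. The function names `exec_visibility` and `report` are hypothetical, the sample input is constructed, and the result reflects the non-interactive POSIX shell that runs the script.

```shell
# exec_visibility WORD  (hypothetical helper, added for illustration)
# Prints one of:
#   execve:<path>  the shell would start a new process from <path>
#   in-shell       builtin, keyword, alias or function: the word itself causes no execve
#   not-found      nothing would run
exec_visibility() {
    word=$1
    case $word in
        */*)
            # A word containing a slash skips builtin lookup and is executed
            # as a file, which is why "/usr/bin/echo test" is logged.
            if [ -f "$word" ] && [ -x "$word" ]; then
                printf 'execve:%s\n' "$word"
            else
                printf 'not-found\n'
            fi
            return 0
            ;;
    esac
    # command -v prints an absolute path for external programs and a bare
    # name (or an alias definition) for anything the shell resolves itself.
    resolved=$(command -v "$word" 2>/dev/null) || resolved=
    case $resolved in
        '') printf 'not-found\n' ;;
        /*) printf 'execve:%s\n' "$resolved" ;;
        *)  printf 'in-shell\n' ;;
    esac
}

# report: classify the first word of each command line read from stdin.
report() {
    while read -r first rest; do
        [ -n "$first" ] || continue
        printf '%-16s %s\n' "$first" "$(exec_visibility "$first")"
    done
}

# Constructed sample input: the two commands from the question plus two
# other shell builtins.
report <<'EOF'
echo test
/usr/bin/echo test
export FOO=bar
cd /tmp
EOF
```

Commands reported as `in-shell` are the ones that only terminal-level auditing such as pam_tty_audit would record.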