Logging of graphical applications launched by the user (to collect statistics).
The system works as follows:
Audit rules for the start (system call execve()) and stop (system calls exit_group() and kill()) of applications are loaded into the auditd daemon.
At the moment, only KDE (Plasmashell) is supported, but it is not difficult to specify which processes belong to other DEs, thereby adding support for them.
Only the start and stop of programs launched directly from the DE are logged. If, for example, the user launched the Chromium browser from the DE, and the VLC player from Chromium, then the Chromium launch will be logged and the VLC launch will not.
Audit records can be viewed either in journalctl or from the logs of the auditd daemon, like this:
ausearch -k laura_process_start
ausearch -k laura_process_end
The auditd daemon can be configured not to write the /var/log/audit/audit.log* files; the journald daemon can "eat" the audit events. To do this, specify write_logs = no in the /etc/audit/auditd.conf file; then all audit events will be stored only in journald. You can configure centralized collection of journald logs from different computers on a single server according to the instructions.
The start events (laura_process_start) and stop events (laura_process_end) of a program can be matched by PID, the unique identifier of the process, taking its running time as the difference between the timestamps of the stop and the start.
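The PID matching described above, as an added example (not code from the laura project). It assumes raw auditd SYSCALL records and that the pid= field of an end record is the exiting process, which holds for exit_group(); for kill() that field is the caller. The sample records, the pair_runs name and the handling of PID reuse are constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample records in raw auditd format; PIDs, timestamps and paths are made up.
SAMPLE = '''\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=4242 comm="chromium" exe="/usr/bin/chromium" key="laura_process_start"
type=SYSCALL msg=audit(1700000030.250:102): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=4300 comm="konsole" exe="/usr/bin/konsole" key="laura_process_start"
type=SYSCALL msg=audit(1700000600.600:103): arch=c000003e syscall=231 ppid=900 pid=4242 comm="chromium" exe="/usr/bin/chromium" key="laura_process_end"
type=SYSCALL msg=audit(1700000700.000:104): arch=c000003e syscall=231 ppid=900 pid=5000 comm="kate" exe="/usr/bin/kate" key="laura_process_end"
type=SYSCALL msg=audit(1700000900.000:105): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=4242 comm="vlc" exe="/usr/bin/vlc" key="laura_process_start"
type=SYSCALL msg=audit(1700000960.500:106): arch=c000003e syscall=231 ppid=900 pid=4242 comm="vlc" exe="/usr/bin/vlc" key="laura_process_end"
'''

# \bpid= does not match inside ppid=, so only the process's own PID is captured.
REC = re.compile(r'msg=audit\((\d+\.\d+):\d+\).*\bpid=(\d+).*\bexe="([^"]*)"'
                 r'.*\bkey="(laura_process_(?:start|end))"')
Run = namedtuple("Run", "pid exe start end seconds")

def pair_runs(text):
    """Pair start/end events by PID; return (finished runs, still-running {pid: exe})."""
    events = []
    for line in text.splitlines():
        m = REC.search(line)
        if m:
            ts, pid, exe, key = m.groups()
            events.append((float(ts), int(pid), exe, key))
    events.sort()  # process in time order so a reused PID pairs with its nearest start
    open_runs, runs = {}, []
    for ts, pid, exe, key in events:
        if key == "laura_process_start":
            open_runs[pid] = (ts, exe)  # a newer start replaces a stale one (PID reuse)
        elif pid in open_runs:
            start, start_exe = open_runs.pop(pid)
            runs.append(Run(pid, start_exe, start, ts, round(ts - start, 3)))
        # an end without a start (launched before the rules were loaded) is skipped
    return runs, {pid: exe for pid, (_, exe) in open_runs.items()}

if __name__ == "__main__":
    finished, running = pair_runs(SAMPLE)
    for r in finished:
        print(f"{r.exe} (pid {r.pid}) ran for {r.seconds} s")
    print("still running:", running)
```

Because PIDs are recycled, the same PID appears here for two different programs; processing events in time order keeps the two runs separate.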
Installation from source:
sudo make install
Installation from the Rosa Linux repository:
sudo dnf install linux-audit-user-run-apps (or: sudo dnf install laura)
Installation from the Alt Linux repository:
sudo apt-get install linux-audit-user-run-apps (or: sudo apt-get install laura)
After installation, run:
sudo systemctl enable --now laura.path