Dangerous commands like rm, kill and systemctl stop can be hidden outside bash inputs, i.e. a malicious user can easily hide them inside a Python script using the os module and just run the Python script as a proxy to hide what they really intended to harm; the bash history or anything like that will only leave the record that they ran python3 [the malicious script].py before they delete that script to hide what they really did.

What I want to do is log those critical commands (pointing out any commands beyond these three is welcome) each time they get executed, no matter where they came from. And the log must not be disposable by any user except root.
You can use auditd and monitor file operations/system calls that remove files/directories. The rules will be something like:

Of course you can add other calls or monitoring of specific files in the rules, e.g. for kill:

Step 1: Find the command location
Step 2: Get the ACL with getfacl <command path>
Step 3: Use setfacl to set the ACL for allowed users
Step 4: All permission-issue logs will be available in the audit logs, normally in the /var/log folder.
Hope this will help.
Edit:
I was under the impression that the question is about handling commands via a programme (not considering low-level code).
We can get all failed open calls with the auditctl command below (if configured to monitor/log):

So, the sequence will be: set the ACLs for files/commands and log the failed system calls via auditd so we can check the logs. This way we can get who tried to execute which command or syscall.
Note: I am not considering the condition where the programme is executed as root.
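As an added example that is not from either answer, here is a rule file covering the three commands in the question plus a small correlator run over constructed audit.log records; the file paths, the auid range and the sample records are assumptions. It shows what both answers rely on: the audit record names the real executable (python3 here) and the login uid, whatever wrapper was used to hide the command.

```python
import re
from collections import defaultdict

# Rules for /etc/audit/rules.d/critical.rules (constructed here). Syscall rules catch deletes and
# signals whatever binary issued them, -w catches any exec of systemctl, -e 2 locks rules until reboot.
AUDIT_RULES = """\
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S kill -F auid>=1000 -F auid!=4294967295 -k kill
-w /usr/bin/systemctl -p x -k systemctl
-e 2
"""

# Constructed records in /var/log/audit/audit.log format: an unlinkat (263 on x86_64) done from
# python3, and a failed kill (62) aimed at PID 1.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55d0c0 a2=0 a3=0 items=2 ppid=4100 pid=4102 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3.11" key="delete"
type=PATH msg=audit(1700000000.101:201): item=0 name="/srv/data/" inode=1234 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:201): item=1 name="/srv/data/important.db" inode=5678 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=62 success=no exit=-1 a0=1 a1=f a2=0 a3=0 items=0 ppid=4100 pid=4110 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="kill" exe="/usr/bin/kill" key="kill"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID = re.compile(r'msg=audit\(([\d.]+:\d+)\)')

def parse_record(line):
    """Split one raw record into a dict, stripping the quotes audit puts around strings."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def correlate(lines):
    """Group records by event id and summarise each SYSCALL event with any deleted paths."""
    events = defaultdict(list)
    for line in lines:
        m = EVENT_ID.search(line)
        if m:
            events[m.group(1)].append(parse_record(line))
    summaries = []
    for eid, recs in events.items():
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None:
            continue
        summaries.append({
            "event": eid, "auid": int(sc["auid"]),  # auid = login uid, survives su/sudo
            "exe": sc.get("exe"), "comm": sc.get("comm"),
            "syscall": int(sc["syscall"]), "key": sc.get("key"),
            "success": sc.get("success") == "yes",
            "deleted": [r["name"] for r in recs
                        if r.get("type") == "PATH" and r.get("nametype") == "DELETE"],
        })
    return summaries
```

Add an arch=b32 copy of each syscall rule if 32-bit binaries can run on the host, otherwise they bypass the b64 rules.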