<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style></style></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1>Hi,<o:p></o:p><o:p> </o:p>What’s the “best way to do it” is dependent on your system.<o:p></o:p><o:p> </o:p>That said, I can offer two non-audit suggestions.<o:p></o:p><o:p> </o:p>One I call the “Old Shell Game”. Stick this bash code in in the appropriate system wide bash file:<o:p></o:p><o:p> </o:p>function log<o:p></o:p><o:p> </o:p>{<o:p></o:p><o:p> </o:p> typeset x<o:p></o:p><o:p> </o:p> x=$(history 1 | cut -f 5-)<o:p></o:p><o:p> </o:p> logger -p daemon.notice -t "$LOGNAME" $PWD "${x# }"<o:p></o:p><o:p> </o:p>}<o:p></o:p><o:p> </o:p>trap log DEBUG<o:p></o:p><o:p> </o:p>And you get things like this in your syslog:<o:p></o:p><o:p> </o:p>Apr 8 13:50:51 dr-who root: /root 18 ls -ls /etc/pam.d/*su*<o:p></o:p>Apr 8 13:51:17 dr-who root: /root 19 ps -ef | grep audit | grep -v grep<o:p></o:p>Apr 8 13:51:53 dr-who root: /root 20 ps -ef | grep -v root | wc –l <o:p></o:p>Apr 8 13:52:31 dr-who root: /root 21 ps -ef | grep -v root | sort | more<o:p></o:p><o:p> </o:p>Is this easy to defeat? Yup. But it will let you get experiment with command logging and see if it’s really of any benefit to you.<o:p></o:p><o:p> </o:p>Another is use the program called “snoopy” available at <a href="http://sourceforge.net/projects/snoopylogger/">http://sourceforge.net/projects/snoopylogger/</a><o:p></o:p><o:p> </o:p>It uses a little known feature of the Linux loader, namely, LD_PRELOAD. <o:p></o:p><o:p> </o:p>Once you’ve got it in place you get output like this:<o:p></o:p><o:p> </o:p>Apr 13 16:55:19 dr-who snoopy[2029]: [uid:0 sid:1890 tty:/dev/pts/1 cwd:/root filename:/bin/uname]: uname –a<o:p></o:p>Apr 13 16:56:18 dr-who snoopy[2031]: [uid:0 sid:1890 tty:/dev/pts/1 cwd:/root filename:/bin/ps]: ps –ef<o:p></o:p>Apr 13 16:57:50 dr-who snoopy[2035]: [uid:0 sid:1890 tty:/dev/pts/1 cwd:/root filename:/bin/ps]: ps -ef <o:p></o:p>Apr 13 16:57:50 dr-who snoopy[2036]: [uid:0 sid:1890 tty: cwd:/root filename:/bin/grep]: grep audit <o:p></o:p>Apr 13 16:57:50 dr-who snoopy[2037]: [uid:0 sid:1890 tty: cwd:/root filename:/bin/grep]: grep -v grep <o:p></o:p><o:p> </o:p>It’s not as easy to circumvent as the above bash code. As a suggestion based on experience, don’t put snoopy into affect until after the system is up. You really don’t want to log all the commands root does in the process of starting up a system.<o:p></o:p><o:p> </o:p>I hope this helps.<o:p></o:p><o:p> </o:p>Best regards,<o:p></o:p><o:p> </o:p>Gary Smith<o:p></o:p>Information System Security Officer<o:p></o:p>Pacific Northwest National Laboratory<o:p></o:p><o:p> </o:p>From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of zhu xiuming Sent: Wednesday, October 09, 2013 3:11 PM To: Steve Grubb Cc: Richard Guy Briggs; Linux-audit@redhat.com Subject: Re: how to use auditd to record all user command history<o:p></o:p><o:p> </o:p><div><div><div><div>Thanks. <o:p></o:p></div>I know the kernel do the most work. So, I can't use pam_tty_audit for our hosts. <o:p></o:p></div><div>However, I still hope to record user command history. I just wonder what is the best way to do it. <o:p></o:p></div></div></div><div><o:p> </o:p><div>On Wed, Oct 9, 2013 at 2:57 PM, Steve Grubb <<a href="mailto:sgrubb@redhat.com" target="_blank">sgrubb@redhat.com</a>> wrote:<o:p></o:p><div>On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote: > So, if I can't update all kernels (the cost will be very high), is there > any other way to resolve this issue?<o:p></o:p></div>The kernel is what does all the heavy work in the audit system. Auditd only records to disk, pam_tty_audit and auditctl tell the kernel what they are interested in. But all the action is in the kernel, not user space. -Steve<o:p></o:p><div><div> > On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <<a href="mailto:rgb@redhat.com">rgb@redhat.com</a>> wrote: > > On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote: > > > Thanks for your reply. > > > Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I > > > wonder whether it supports this feature. > > > > The log_passwd feature has not been backported to RHEL5 because the > > pam_tty_audit feature wasn't backported to RHEL5, so I would have to say > > it is not supported in your system. > > > > An upgrade is necessary. > > > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <<a href="mailto:rgb@redhat.com">rgb@redhat.com</a>> > > > > wrote: > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote: > > > > > This is correct. The problem is, this records every keystrokes and > > > > even > > > > > > > the password of the users. While I only care about the user command > > > > > history, I surely do not want to know their passwords. > > > > > > > > There is now support in the upstream kernel (3.10-rc1) and in pam > > > > (1.1.8+) to not record passwords by default. If you want the old > > > > behaviour, add the optional argument to pam_tty_audit: "log_passwd" > > > > > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan < > > > > <a href="mailto:tvaughan@onyxpoint.com">tvaughan@onyxpoint.com</a> > > > > > > >wrote: > > > > > > Does pam_tty_audit with enable=* not do what you want? > > > > > > > > > > > > Trevor > > > > > > > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <<a href="mailto:xiumingzhu@gmail.com">xiumingzhu@gmail.com</a>> > > > > > > > > wrote: > > > > > >> HI > > > > > >> I know this seems an old topic. But unfortunately, I can't find a > > > > > >> solution for this. I have googled long time. I tried following > > > > > > > > options: > > > > > >> 1. audit execv syscall, > > > > > >> > > > > > >> this does record every command typed any tty. However, it > > > > > > > > generates > > > > > > > > > >> lots of noise. Sometimes, the execv syscall is so frequently > > > > called > > > > > > that > > > > > > > > > >> the system can't afford to log every call of it and it crashes > > > > > >> !!! > > > > > >> > > > > > >> 2. use *pam_tty_audit.so > > > > > >> * > > > > > >> this makes it possible to record one or two users, not all users. > > > > * > > > > > > > >> * > > > > > >> So, may I ask, is this problem solvable by auditd or do I need > > > > other > > > > > > > >> tools ?* > > > > > >> > > > > > >> * > > > > > >> *Thanks a lot > > > > > > > > > > > > Trevor Vaughan > > > > > > > > - RGB > > > > - RGB > > > > -- > > Richard Guy Briggs <<a href="mailto:rbriggs@redhat.com">rbriggs@redhat.com</a>> > > Senior Software Engineer > > Kernel Security > > AMER ENG Base Operating Systems > > Remote, Ottawa, Canada > > Voice: <a href="tel:%2B1.647.777.2635">+1.647.777.2635</a> > > Internal: (81) 32635 > > Alt: <a href="tel:%2B1.613.693.0684x3545">+1.613.693.0684x3545</a><o:p></o:p></div></div></div><o:p> </o:p></div></div></body></html>