how to use auditd to record all user command history
Richard Guy Briggs
rgb at redhat.com
Tue Oct 8 03:13:26 UTC 2013
On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> This is correct. The problem is, this records every keystrokes and even
> the password of the users. While I only care about the user command
> history, I surely do not want to know their passwords.
There is now support in the upstream kernel (3.10-rc1) and in pam
(1.1.8+) to not record passwords by default. If you want the old
behaviour, add the optional argument to pam_tty_audit: "log_passwd"
> On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <tvaughan at onyxpoint.com>wrote:
> > Does pam_tty_audit with enable=* not do what you want?
> >
> > Trevor
> >
> > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu at gmail.com> wrote:
> >
> >> HI
> >> I know this seems an old topic. But unfortunately, I can't find a
> >> solution for this. I have googled long time. I tried following options:
> >>
> >> 1. audit execv syscall,
> >> this does record every command typed any tty. However, it generates
> >> lots of noise. Sometimes, the execv syscall is so frequently called that
> >> the system can't afford to log every call of it and it crashes !!!
> >>
> >> 2. use *pam_tty_audit.so
> >> *
> >> this makes it possible to record one or two users, not all users. *
> >> *
> >> So, may I ask, is this problem solvable by auditd or do I need other
> >> tools ?*
> >>
> >> *
> >> *Thanks a lot
> >
> > Trevor Vaughan
- RGB
--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545
More information about the Linux-audit
mailing list