how to use auditd to record all user command history
zhu xiuming
xiumingzhu at gmail.com
Tue Oct 8 21:05:48 UTC 2013
Thanks for your reply.
Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I
wonder whether it supports this feature.
On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb at redhat.com> wrote:
> On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > This is correct. The problem is, this records every keystrokes and even
> > the password of the users. While I only care about the user command
> > history, I surely do not want to know their passwords.
>
> There is now support in the upstream kernel (3.10-rc1) and in pam
> (1.1.8+) to not record passwords by default. If you want the old
> behaviour, add the optional argument to pam_tty_audit: "log_passwd"
>
> > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <tvaughan at onyxpoint.com
> >wrote:
> > > Does pam_tty_audit with enable=* not do what you want?
> > >
> > > Trevor
> > >
> > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu at gmail.com>
> wrote:
> > >
> > >> HI
> > >> I know this seems an old topic. But unfortunately, I can't find a
> > >> solution for this. I have googled long time. I tried following
> options:
> > >>
> > >> 1. audit execv syscall,
> > >> this does record every command typed any tty. However, it
> generates
> > >> lots of noise. Sometimes, the execv syscall is so frequently called
> that
> > >> the system can't afford to log every call of it and it crashes !!!
> > >>
> > >> 2. use *pam_tty_audit.so
> > >> *
> > >> this makes it possible to record one or two users, not all users. *
> > >> *
> > >> So, may I ask, is this problem solvable by auditd or do I need other
> > >> tools ?*
> > >>
> > >> *
> > >> *Thanks a lot
> > >
> > > Trevor Vaughan
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs at redhat.com>
> Senior Software Engineer
> Kernel Security
> AMER ENG Base Operating Systems
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635
> Internal: (81) 32635
> Alt: +1.613.693.0684x3545
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20131008/1904408e/attachment.htm>
More information about the Linux-audit
mailing list