how to use auditd to record all user command history
Smith, Gary R
gary.smith at pnnl.gov
Wed Oct 9 23:23:50 UTC 2013
Hi,
What's the "best way to do it" is dependent on your system.
That said, I can offer two non-audit suggestions.
One I call the "Old Shell Game". Stick this bash code in in the appropriate system wide bash file:
function log
{
typeset x
x=$(history 1 | cut -f 5-)
logger -p daemon.notice -t "$LOGNAME" $PWD "${x# }"
}
trap log DEBUG
And you get things like this in your syslog:
Apr 8 13:50:51 dr-who root: /root 18 ls -ls /etc/pam.d/*su*
Apr 8 13:51:17 dr-who root: /root 19 ps -ef | grep audit | grep -v grep
Apr 8 13:51:53 dr-who root: /root 20 ps -ef | grep -v root | wc -l
Apr 8 13:52:31 dr-who root: /root 21 ps -ef | grep -v root | sort | more
Is this easy to defeat? Yup. But it will let you get experiment with command logging and see if it's really of any benefit to you.
Another is use the program called "snoopy" available at http://sourceforge.net/projects/snoopylogger/
It uses a little known feature of the Linux loader, namely, LD_PRELOAD.
Once you've got it in place you get output like this:
Apr 13 16:55:19 dr-who snoopy[2029]: [uid:0 sid:1890 tty:/dev/pts/1 cwd:/root filename:/bin/uname]: uname -a
Apr 13 16:56:18 dr-who snoopy[2031]: [uid:0 sid:1890 tty:/dev/pts/1 cwd:/root filename:/bin/ps]: ps -ef
Apr 13 16:57:50 dr-who snoopy[2035]: [uid:0 sid:1890 tty:/dev/pts/1 cwd:/root filename:/bin/ps]: ps -ef
Apr 13 16:57:50 dr-who snoopy[2036]: [uid:0 sid:1890 tty: cwd:/root filename:/bin/grep]: grep audit
Apr 13 16:57:50 dr-who snoopy[2037]: [uid:0 sid:1890 tty: cwd:/root filename:/bin/grep]: grep -v grep
It's not as easy to circumvent as the above bash code. As a suggestion based on experience, don't put snoopy into affect until after the system is up. You really don't want to log all the commands root does in the process of starting up a system.
I hope this helps.
Best regards,
Gary Smith
Information System Security Officer
Pacific Northwest National Laboratory
From: linux-audit-bounces at redhat.com [mailto:linux-audit-bounces at redhat.com] On Behalf Of zhu xiuming
Sent: Wednesday, October 09, 2013 3:11 PM
To: Steve Grubb
Cc: Richard Guy Briggs; Linux-audit at redhat.com
Subject: Re: how to use auditd to record all user command history
Thanks.
I know the kernel do the most work. So, I can't use pam_tty_audit for our hosts.
However, I still hope to record user command history. I just wonder what is the best way to do it.
On Wed, Oct 9, 2013 at 2:57 PM, Steve Grubb <sgrubb at redhat.com<mailto:sgrubb at redhat.com>> wrote:
On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote:
> So, if I can't update all kernels (the cost will be very high), is there
> any other way to resolve this issue?
The kernel is what does all the heavy work in the audit system. Auditd only
records to disk, pam_tty_audit and auditctl tell the kernel what they are
interested in. But all the action is in the kernel, not user space.
-Steve
> On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <rgb at redhat.com<mailto:rgb at redhat.com>> wrote:
> > On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
> > > Thanks for your reply.
> > > Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I
> > > wonder whether it supports this feature.
> >
> > The log_passwd feature has not been backported to RHEL5 because the
> > pam_tty_audit feature wasn't backported to RHEL5, so I would have to say
> > it is not supported in your system.
> >
> > An upgrade is necessary.
> >
> > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb at redhat.com<mailto:rgb at redhat.com>>
> >
> > wrote:
> > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > > > > This is correct. The problem is, this records every keystrokes and
> >
> > even
> >
> > > > > the password of the users. While I only care about the user command
> > > > > history, I surely do not want to know their passwords.
> > > >
> > > > There is now support in the upstream kernel (3.10-rc1) and in pam
> > > > (1.1.8+) to not record passwords by default. If you want the old
> > > > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
> > > >
> > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
> >
> > tvaughan at onyxpoint.com<mailto:tvaughan at onyxpoint.com>
> >
> > > > >wrote:
> > > > > > Does pam_tty_audit with enable=* not do what you want?
> > > > > >
> > > > > > Trevor
> > > > > >
> > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu at gmail.com<mailto:xiumingzhu at gmail.com>>
> > > >
> > > > wrote:
> > > > > >> HI
> > > > > >> I know this seems an old topic. But unfortunately, I can't find a
> > > > > >> solution for this. I have googled long time. I tried following
> > > >
> > > > options:
> > > > > >> 1. audit execv syscall,
> > > > > >>
> > > > > >> this does record every command typed any tty. However, it
> > > >
> > > > generates
> > > >
> > > > > >> lots of noise. Sometimes, the execv syscall is so frequently
> >
> > called
> >
> > > > that
> > > >
> > > > > >> the system can't afford to log every call of it and it crashes
> > > > > >> !!!
> > > > > >>
> > > > > >> 2. use *pam_tty_audit.so
> > > > > >> *
> > > > > >> this makes it possible to record one or two users, not all users.
> >
> > *
> >
> > > > > >> *
> > > > > >> So, may I ask, is this problem solvable by auditd or do I need
> >
> > other
> >
> > > > > >> tools ?*
> > > > > >>
> > > > > >> *
> > > > > >> *Thanks a lot
> > > > > >
> > > > > > Trevor Vaughan
> > > >
> > > > - RGB
> >
> > - RGB
> >
> > --
> > Richard Guy Briggs <rbriggs at redhat.com<mailto:rbriggs at redhat.com>>
> > Senior Software Engineer
> > Kernel Security
> > AMER ENG Base Operating Systems
> > Remote, Ottawa, Canada
> > Voice: +1.647.777.2635<tel:%2B1.647.777.2635>
> > Internal: (81) 32635
> > Alt: +1.613.693.0684x3545<tel:%2B1.613.693.0684x3545>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20131009/990c0670/attachment.htm>
More information about the Linux-audit
mailing list