how to use auditd to record all user command history

zhu xiuming xiumingzhu at gmail.com
Wed Oct 9 23:56:30 UTC 2013 

Thanks a lot.

I think it is better to use audit for me because it is also not so easy to
get a third-party software installed on our hosts.
Maybe I am considering how to scrutinize good audit rules of watching
"execv".

Thanks a lot


On Wed, Oct 9, 2013 at 4:23 PM, Smith, Gary R <gary.smith at pnnl.gov> wrote:

> Hi,****
>
> ** **
>
> What’s the “best way to do it” is dependent on your system.****
>
> ** **
>
> That said, I can offer two non-audit suggestions.****
>
> ** **
>
> One I call the “Old Shell Game”. Stick this bash code in in the
> appropriate system wide bash file:****
>
> ** **
>
> function log****
>
> ** **
>
> {****
>
> ** **
>
> typeset x****
>
> ** **
>
> x=$(history 1 | cut -f 5-)****
>
> ** **
>
> logger -p daemon.notice -t "$LOGNAME" $PWD "${x#        }"****
>
> ** **
>
> }****
>
> ** **
>
> trap log DEBUG****
>
> ** **
>
> And you get things like this in your syslog:****
>
> ** **
>
> Apr  8 13:50:51 dr-who root: /root    18  ls -ls /etc/pam.d/*su*****
>
> Apr  8 13:51:17 dr-who root: /root    19  ps -ef | grep audit | grep -v
> grep****
>
> Apr  8 13:51:53 dr-who root: /root    20  ps -ef | grep -v root | wc –l **
> **
>
> Apr  8 13:52:31 dr-who root: /root    21  ps -ef | grep -v root | sort |
> more****
>
> ** **
>
> Is this easy to defeat? Yup. But it will let you get experiment with
> command logging and see if it’s really of any benefit to you.****
>
> ** **
>
> Another is use the program called “snoopy” available at
> http://sourceforge.net/projects/snoopylogger/****
>
> ** **
>
> It uses a little known feature of the Linux loader, namely, LD_PRELOAD. **
> **
>
> ** **
>
> Once you’ve got it in place you get output like this:****
>
> ** **
>
> Apr 13 16:55:19 dr-who snoopy[2029]: [uid:0 sid:1890 tty:/dev/pts/1
> cwd:/root filename:/bin/uname]: uname –a****
>
> Apr 13 16:56:18 dr-who snoopy[2031]: [uid:0 sid:1890 tty:/dev/pts/1
> cwd:/root filename:/bin/ps]: ps –ef****
>
> Apr 13 16:57:50 dr-who snoopy[2035]: [uid:0 sid:1890 tty:/dev/pts/1
> cwd:/root filename:/bin/ps]: ps -ef ****
>
> Apr 13 16:57:50 dr-who snoopy[2036]: [uid:0 sid:1890 tty: cwd:/root
> filename:/bin/grep]: grep audit ****
>
> Apr 13 16:57:50 dr-who snoopy[2037]: [uid:0 sid:1890 tty: cwd:/root
> filename:/bin/grep]: grep -v grep ****
>
> ** **
>
> It’s not as easy to circumvent as the above bash code. As a suggestion
> based on experience, don’t put snoopy into affect until after the system is
> up. You really don’t want to log all the commands root does in the process
> of starting up a system.****
>
> ** **
>
> I hope this helps.****
>
> ** **
>
> Best regards,****
>
> ** **
>
> Gary Smith****
>
> Information System Security Officer****
>
> Pacific Northwest National Laboratory****
>
> ** **
>
> *From:* linux-audit-bounces at redhat.com [mailto:
> linux-audit-bounces at redhat.com] *On Behalf Of *zhu xiuming
> *Sent:* Wednesday, October 09, 2013 3:11 PM
> *To:* Steve Grubb
> *Cc:* Richard Guy Briggs; Linux-audit at redhat.com
> *Subject:* Re: how to use auditd to record all user command history****
>
> ** **
>
> Thanks. ****
>
> I know the kernel do the most work. So, I can't use pam_tty_audit for our
> hosts. ****
>
> However, I still hope to record user command history. I just wonder what
> is the best way to do it.
>
> ****
>
> ** **
>
> On Wed, Oct 9, 2013 at 2:57 PM, Steve Grubb <sgrubb at redhat.com> wrote:****
>
> On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote:
> > So, if I can't update all kernels (the cost will be very high), is there
> > any other way to resolve this issue?****
>
> The kernel is what does all the heavy work in the audit system. Auditd only
> records to disk, pam_tty_audit and auditctl tell the kernel what they are
> interested in. But all the action is in the kernel, not user space.
>
> -Steve****
>
>
> > On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <rgb at redhat.com>
> wrote:
> > > On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
> > > > Thanks for your reply.
> > > > Currently, our Linux kernel versions are mostly Redhat
> 2.6.18-xxx.el5. I
> > > > wonder whether it supports this feature.
> > >
> > > The log_passwd feature has not been backported to RHEL5 because the
> > > pam_tty_audit feature wasn't backported to RHEL5, so I would have to
> say
> > > it is not supported in your system.
> > >
> > > An upgrade is necessary.
> > >
> > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb at redhat.com>
> > >
> > > wrote:
> > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > > > > > This is correct. The problem is,  this records every keystrokes
> and
> > >
> > > even
> > >
> > > > > > the password of the users. While I only care about the user
> command
> > > > > > history, I surely do not want to know their passwords.
> > > > >
> > > > > There is now support in the upstream kernel (3.10-rc1) and in pam
> > > > > (1.1.8+) to not record passwords by default.  If you want the old
> > > > > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
> > > > >
> > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
> > >
> > > tvaughan at onyxpoint.com
> > >
> > > > > >wrote:
> > > > > > > Does pam_tty_audit with enable=* not do what you want?
> > > > > > >
> > > > > > > Trevor
> > > > > > >
> > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <
> xiumingzhu at gmail.com>
> > > > >
> > > > > wrote:
> > > > > > >> HI
> > > > > > >> I know this seems an old topic. But unfortunately, I can't
> find a
> > > > > > >> solution for this. I have googled long time. I tried following
> > > > >
> > > > > options:
> > > > > > >> 1. audit execv syscall,
> > > > > > >>
> > > > > > >>     this does record every command typed any tty. However, it
> > > > >
> > > > > generates
> > > > >
> > > > > > >> lots of noise.  Sometimes, the execv syscall is so frequently
> > >
> > > called
> > >
> > > > > that
> > > > >
> > > > > > >> the system can't afford to log every call of it and it crashes
> > > > > > >> !!!
> > > > > > >>
> > > > > > >> 2. use *pam_tty_audit.so
> > > > > > >> *
> > > > > > >> this makes it possible to record one or two users, not all
> users.
> > >
> > > *
> > >
> > > > > > >> *
> > > > > > >> So, may I ask, is this problem solvable by auditd or do I need
> > >
> > > other
> > >
> > > > > > >> tools ?*
> > > > > > >>
> > > > > > >> *
> > > > > > >> *Thanks a lot
> > > > > > >
> > > > > > > Trevor Vaughan
> > > > >
> > > > > - RGB
> > >
> > > - RGB
> > >
> > > --
> > > Richard Guy Briggs <rbriggs at redhat.com>
> > > Senior Software Engineer
> > > Kernel Security
> > > AMER ENG Base Operating Systems
> > > Remote, Ottawa, Canada
> > > Voice: +1.647.777.2635
> > > Internal: (81) 32635
> > > Alt: +1.613.693.0684x3545****
>
> ** **
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20131009/052777a1/attachment.htm>

More information about the Linux-audit mailing list