how to use auditd to record all user command history

Aschu hailemariyamaschalew at gmail.com
Sun Oct 20 01:03:03 UTC 2013


Sent from Huawei Mobile

zhu xiuming <xiumingzhu at gmail.com> wrote:

>Thanks a lot.
>
>I think it is better to use audit for me because it is also not so easy to
>get third-party software installed on our hosts.
>Maybe I am considering how to scrutinize good audit rules of watching
>"execv".
>
>Thanks a lot
>
>
>On Wed, Oct 9, 2013 at 4:23 PM, Smith, Gary R <gary.smith at pnnl.gov> wrote:
>
>> Hi,
>>
>> What the “best way to do it” is depends on your system.
>>
>> That said, I can offer two non-audit suggestions.
>>
>> One I call the “Old Shell Game”. Stick this bash code in the
>> appropriate system-wide bash file:
>>
>> function log
>> {
>>     typeset x
>>     # last history entry; cut splits on tabs only, so the whole line normally passes through
>>     x=$(history 1 | cut -f 5-)
>>     logger -p daemon.notice -t "$LOGNAME" $PWD "${x#        }"
>> }
>> # the DEBUG trap runs log before every simple command
>> trap log DEBUG
>>
>> And you get things like this in your syslog:
>>
>> Apr  8 13:50:51 dr-who root: /root    18  ls -ls /etc/pam.d/*su*
>> Apr  8 13:51:17 dr-who root: /root    19  ps -ef | grep audit | grep -v grep
>> Apr  8 13:51:53 dr-who root: /root    20  ps -ef | grep -v root | wc –l
>> Apr  8 13:52:31 dr-who root: /root    21  ps -ef | grep -v root | sort | more
>>
>> Is this easy to defeat? Yup. But it will let you experiment with
>> command logging and see if it’s really of any benefit to you.
>>
>> Another is to use the program called “snoopy” available at
>> http://sourceforge.net/projects/snoopylogger/
>>
>> It uses a little known feature of the Linux loader, namely, LD_PRELOAD.
>>
>> Once you’ve got it in place you get output like this:
>>
>> Apr 13 16:55:19 dr-who snoopy[2029]: [uid:0 sid:1890 tty:/dev/pts/1 cwd:/root filename:/bin/uname]: uname –a
>> Apr 13 16:56:18 dr-who snoopy[2031]: [uid:0 sid:1890 tty:/dev/pts/1 cwd:/root filename:/bin/ps]: ps –ef
>> Apr 13 16:57:50 dr-who snoopy[2035]: [uid:0 sid:1890 tty:/dev/pts/1 cwd:/root filename:/bin/ps]: ps -ef
>> Apr 13 16:57:50 dr-who snoopy[2036]: [uid:0 sid:1890 tty: cwd:/root filename:/bin/grep]: grep audit
>> Apr 13 16:57:50 dr-who snoopy[2037]: [uid:0 sid:1890 tty: cwd:/root filename:/bin/grep]: grep -v grep
>>
>> It’s not as easy to circumvent as the above bash code. As a suggestion
>> based on experience, don’t put snoopy into effect until after the system is
>> up. You really don’t want to log all the commands root does in the process
>> of starting up a system.
>>
>> I hope this helps.
>>
>> Best regards,
>>
>> Gary Smith
>> Information System Security Officer
>> Pacific Northwest National Laboratory
>>
>> From: linux-audit-bounces at redhat.com [mailto:linux-audit-bounces at redhat.com] On Behalf Of zhu xiuming
>> Sent: Wednesday, October 09, 2013 3:11 PM
>> To: Steve Grubb
>> Cc: Richard Guy Briggs; Linux-audit at redhat.com
>> Subject: Re: how to use auditd to record all user command history
>>
>> Thanks.
>> I know the kernel does most of the work. So, I can't use pam_tty_audit for our
>> hosts.
>> However, I still hope to record user command history. I just wonder what
>> is the best way to do it.
>>
>> On Wed, Oct 9, 2013 at 2:57 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>>
>> On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote:
>> > So, if I can't update all kernels (the cost will be very high), is there
>> > any other way to resolve this issue?
>>
>> The kernel is what does all the heavy work in the audit system. Auditd only
>> records to disk, pam_tty_audit and auditctl tell the kernel what they are
>> interested in. But all the action is in the kernel, not user space.
>>
>> -Steve
>>
>> > On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <rgb at redhat.com> wrote:
>> > > On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
>> > > > Thanks for your reply.
>> > > > Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I
>> > > > wonder whether it supports this feature.
>> > >
>> > > The log_passwd feature has not been backported to RHEL5 because the
>> > > pam_tty_audit feature wasn't backported to RHEL5, so I would have to say
>> > > it is not supported in your system.
>> > >
>> > > An upgrade is necessary.
>> > >
>> > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb at redhat.com> wrote:
>> > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
>> > > > > > This is correct. The problem is, this records every keystroke and even
>> > > > > > the password of the users. While I only care about the user command
>> > > > > > history, I surely do not want to know their passwords.
>> > > > >
>> > > > > There is now support in the upstream kernel (3.10-rc1) and in pam
>> > > > > (1.1.8+) to not record passwords by default.  If you want the old
>> > > > > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
>> > > > >
>> > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <tvaughan at onyxpoint.com> wrote:
>> > > > > > > Does pam_tty_audit with enable=* not do what you want?
>> > > > > > >
>> > > > > > > Trevor
>> > > > > > >
>> > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu at gmail.com> wrote:
>> > > > > > >> HI
>> > > > > > >> I know this seems an old topic. But unfortunately, I can't find a
>> > > > > > >> solution for this. I have googled for a long time. I tried the following
>> > > > > > >> options:
>> > > > > > >> 1. audit execv syscall,
>> > > > > > >>
>> > > > > > >>     this does record every command typed on any tty. However, it generates
>> > > > > > >> lots of noise.  Sometimes, the execv syscall is so frequently called that
>> > > > > > >> the system can't afford to log every call of it and it crashes
>> > > > > > >> !!!
>> > > > > > >>
>> > > > > > >> 2. use pam_tty_audit.so
>> > > > > > >> this makes it possible to record one or two users, not all users.
>> > > > > > >>
>> > > > > > >> So, may I ask, is this problem solvable by auditd or do I need other
>> > > > > > >> tools ?
>> > > > > > >>
>> > > > > > >> Thanks a lot
>> > > > > > >
>> > > > > > > Trevor Vaughan
>> > > > >
>> > > > > - RGB
>> > >
>> > > - RGB
>> > >
>> > > --
>> > > Richard Guy Briggs <rbriggs at redhat.com>
>> > > Senior Software Engineer
>> > > Kernel Security
>> > > AMER ENG Base Operating Systems
>> > > Remote, Ottawa, Canada
>> > > Voice: +1.647.777.2635
>> > > Internal: (81) 32635
>> > > Alt: +1.613.693.0684x3545
>>
>
>--
>Linux-audit mailing list
>Linux-audit at redhat.com
>https://www.redhat.com/mailman/listinfo/linux-audit
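The first option raised in the thread, auditing the execve syscall, leaves you with raw SYSCALL/EXECVE/CWD records rather than the one-line-per-command output shown in the syslog and snoopy examples above. The following added example (my code, not from the list or any of the posters) reassembles those records into a command history and drops events whose login uid is unset, which removes the cron and boot-time noise the original question complained about while keeping root commands run via su or sudo; the log lines are constructed, and the "cmds" key and serial numbers are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample, not a real log: three execve events caught by an execve rule
# keyed "cmds". 4712 is a cron child (auid unset); a2 of 4713 is hex as it has spaces.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1381352400.123:4711): arch=c000003e syscall=59 success=yes exit=0 pid=2029 auid=1000 uid=0 euid=0 tty=pts1 ses=3 comm="uname" exe="/bin/uname" key="cmds"
type=EXECVE msg=audit(1381352400.123:4711): argc=2 a0="uname" a1="-a"
type=CWD msg=audit(1381352400.123:4711): cwd="/root"
type=SYSCALL msg=audit(1381352400.987:4712): arch=c000003e syscall=59 success=yes exit=0 pid=2100 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" key="cmds"
type=EXECVE msg=audit(1381352400.987:4712): argc=2 a0="run-parts" a1="/etc/cron.hourly"
type=CWD msg=audit(1381352400.987:4712): cwd="/"
type=SYSCALL msg=audit(1381352460.500:4713): arch=c000003e syscall=59 success=yes exit=0 pid=2035 auid=1000 uid=0 euid=0 tty=pts1 ses=3 comm="sh" exe="/bin/sh" key="cmds"
type=EXECVE msg=audit(1381352460.500:4713): argc=3 a0="sh" a1="-c" a2=7073202D6566207C2067726570206175646974
type=CWD msg=audit(1381352460.500:4713): cwd="/root"
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+)\.\d+:(\d+)\)')
UNSET_AUID = 4294967295  # (unsigned)-1: process has no login session (boot, cron)

def decode_value(raw):
    """Audit quotes plain strings; values with spaces, quotes or control bytes come hex-encoded."""
    return raw[1:-1] if raw.startswith('"') else bytes.fromhex(raw).decode("utf-8", "replace")

def parse_events(text):
    """Join the SYSCALL/EXECVE/CWD records of each event by audit serial number."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events[int(m.group(2))]
        f = dict(FIELD_RE.findall(line))
        if f["type"] == "SYSCALL":
            ev.update(auid=int(f["auid"]), ses=f["ses"], tty=f["tty"], exe=decode_value(f["exe"]))
        elif f["type"] == "EXECVE":
            ev["argv"] = [decode_value(f["a%d" % i]) for i in range(int(f["argc"]))]
        elif f["type"] == "CWD":
            ev["cwd"] = decode_value(f["cwd"])
    return [events[k] for k in sorted(events)]

def command_history(text, skip_unset_auid=True):
    """One line per execve; dropping auid=unset removes boot/cron noise but keeps
    root commands run via su or sudo, because auid survives the uid change."""
    out = []
    for ev in parse_events(text):
        if "argv" not in ev or (skip_unset_auid and ev["auid"] == UNSET_AUID):
            continue
        out.append("auid=%d ses=%s tty=%s cwd=%s: %s" % (
            ev["auid"], ev["ses"], ev["tty"], ev.get("cwd", "?"), " ".join(ev["argv"])))
    return out
```

The same login-uid test can go into the rule itself (`-F auid!=4294967295`) so the kernel never emits the noise, which addresses the volume problem better than filtering afterwards. Very long arguments are split by audit across several EXECVE records (`a2_len`, `a2[0]`, ...), which this parser does not reassemble.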



