how to use auditd to record all user command history

Richard Guy Briggs rgb at redhat.com
Tue Oct 29 13:05:32 UTC 2013 

On Tue, Oct 29, 2013 at 02:03:48PM +0530, Shinoj Gangadharan wrote:
> Hi,
> 
> Has the log_passwd feature been backported to RHEL6.4 ?

No.  It is part of RHEL6.5.  My understanding is the kernel part should
work with RHEL6.4, but it will break the RHEL6.4 pam_tty_audit module of
pam (which needs to be updated anyways to get the new feature to work).
I can't speak to the ease of upgrading pam to the RHEL6.5 version while
still running essentially a RHEL6.4 system.

> Regards,
> Shinoj.
> 
> >> > >
> >> > > The log_passwd feature has not been backported to RHEL5 because
> >> > > the pam_tty_audit feature wasn't backported to RHEL5, so I would
> >> > > have to say it is not supported in your system.
> >> > >
> >> > > An upgrade is necessary.
> >> > >
> >> > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs
> >> > > > <rgb at redhat.com>
> >> > >
> >> > > wrote:
> >> > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> >> > > > > > This is correct. The problem is,  this records every
> >> > > > > > keystrokes and even the password of the users. While I
> >> > > > > > only care about the user command history, I surely do not
> >> > > > > > want to know their passwords.
> >> > > > >
> >> > > > > There is now support in the upstream kernel (3.10-rc1) and
> >> > > > > in pam (1.1.8+) to not record passwords by default.  If you
> >> > > > > want the old behaviour, add the optional argument to
> >> > > > > pam_tty_audit: "log_passwd"
> >> > > > >
> >> > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
> >> > >
> >> > > tvaughan at onyxpoint.com
> >> > >
> >> > > > > >wrote:
> >> > > > > > > Does pam_tty_audit with enable=* not do what you want?
> >> > > > > > >
> >> > > > > > > Trevor
> >> > > > > > >
> >> > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <
> >> xiumingzhu at gmail.com>
> >> > > > >
> >> > > > > wrote:
> >> > > > > > >> HI
> >> > > > > > >> I know this seems an old topic. But unfortunately, I
> >> > > > > > >> can't find a solution for this. I have googled long
> >> > > > > > >> time. I tried following options:
> >> > > > > > >> 1. audit execv syscall,
> >> > > > > > >>
> >> > > > > > >>     this does record every command typed any tty.
> >> > > > > > >> However, it generates lots of noise.  Sometimes, the
> >> > > > > > >> execv syscall is so frequently called that the system
> >> > > > > > >> can't afford to log every call of it and it crashes
> >> > > > > > >> !!!
> >> > > > > > >>
> >> > > > > > >> 2. use *pam_tty_audit.so
> >> > > > > > >> *
> >> > > > > > >> this makes it possible to record one or two users, not
> >> > > > > > >> all users.
> >> > > > > > >> So, may I ask, is this problem solvable by auditd or
> >> > > > > > >> do I need other tools ?*
> >> > > > > > >
> >> > > > > > > Trevor Vaughan
> >> > > > >
> >> > > > > - RGB
> >> > >
> >> > > - RGB

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545

More information about the Linux-audit mailing list