how to use auditd to record all user command history

shawn wilson ag4ve.us at gmail.com
Tue Oct 29 14:56:29 UTC 2013


On Mon, Oct 7, 2013 at 1:30 PM, zhu xiuming <xiumingzhu at gmail.com> wrote:
> This is correct. The problem is, this records every keystroke and even the
> password of the users. While I only care about the user command history, I
> surely do not want to know their passwords.
>

There is another problem - users without a tty will be able to type
commands that aren't logged (hence not a full solution). A test case
for this is:
ssh host ls

>
>
>
> On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <tvaughan at onyxpoint.com>
> wrote:
>>
>> Does pam_tty_audit with enable=* not do what you want?
>>
>> Trevor
>>
>>
>> On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu at gmail.com> wrote:
>>>
>>> Hi
>>> I know this seems an old topic. But unfortunately, I can't find a
>>> solution for this. I have googled for a long time. I tried the following options:
>>>
>>> 1. audit execv syscall,
>>>     this does record every command typed on any tty. However, it generates
>>> lots of noise. Sometimes, the execv syscall is so frequently called that
>>> the system can't afford to log every call of it and it crashes!!!
>>>
>>> 2. use pam_tty_audit.so
>>> this makes it possible to record one or two users, not all users.
>>>
>>> So, may I ask, is this problem solvable by auditd or do I need other
>>> tools?
>>>
>>> Thanks a lot
>>>
>>>
>>> --
>>> Linux-audit mailing list
>>> Linux-audit at redhat.com
>>> https://www.redhat.com/mailman/listinfo/linux-audit
>>
>>
>>
>>
>> --
>> Trevor Vaughan
>> Vice President, Onyx Point, Inc
>> (410) 541-6699
>> tvaughan at onyxpoint.com
>>
>> -- This account not approved for unencrypted proprietary information --
>
>
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
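
The following is an added example, not part of the thread and not code from the audit project. It post-processes the output of option 1 above (execve auditing): each EXECVE record is paired with its SYSCALL record, and events without a login auid are dropped to cut daemon noise. The log lines and the key name `user_cmds` are constructed for illustration; the `tty=(none)` event stands for the `ssh host ls` test case, and EXECVE records carry argv only.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread): an interactive command,
# a tty-less command as produced by `ssh host ls`, and a daemon exec.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1383058500.101:310): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2231 auid=1000 uid=1000 tty=pts0 ses=7 comm="cat" exe="/bin/cat" key="user_cmds"
type=EXECVE msg=audit(1383058500.101:310): argc=2 a0="cat" a1=2F746D702F6D79206E6F7465
type=SYSCALL msg=audit(1383058589.442:318): arch=c000003e syscall=59 success=yes exit=0 ppid=2301 pid=2302 auid=1001 uid=1001 tty=(none) ses=9 comm="ls" exe="/bin/ls" key="user_cmds"
type=EXECVE msg=audit(1383058589.442:318): argc=1 a0="ls"
type=SYSCALL msg=audit(1383058590.007:319): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2310 auid=4294967295 uid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="user_cmds"
type=EXECVE msg=audit(1383058590.007:319): argc=1 a0="cron"
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = "4294967295"  # (uint32)-1: process has no login session

def decode(value):
    # Audit writes argv either quoted or, if it holds spaces/specials, as hex.
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def user_commands(log_text):
    # Records sharing one (timestamp, serial) pair belong to the same event.
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = dict(FIELD.findall(body))
        ev = events[(ts, serial)]
        if rtype == "SYSCALL":
            ev["auid"], ev["tty"] = fields.get("auid"), fields.get("tty")
        elif rtype == "EXECVE":
            argc = int(fields.get("argc", "0"))
            ev["argv"] = [decode(fields.get(f"a{i}", "")) for i in range(argc)]
    # Keep only commands attributable to a logged-in user, tty or not.
    return [(ev["auid"], ev["tty"], ev["argv"]) for ev in events.values()
            if "argv" in ev and ev.get("auid") not in (None, UNSET_AUID)]
```

Very long arguments, which the kernel splits across several fields, are not reassembled here.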
