Re: how to use auditd to record all user command history

[Steve Grubb <sgrubb@redhat.com>]

On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote:
> So, if I can't update all kernels (the cost will be very high), is there
> any other way to resolve this issue?

The kernel is what does all the heavy work in the audit system. Auditd only 
records to disk, pam_tty_audit and auditctl tell the kernel what they are 
interested in. But all the action is in the kernel, not user space.

-Steve

> On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
> > > Thanks for your reply.
> > > Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I
> > > wonder whether it supports this feature.
> > 
> > The log_passwd feature has not been backported to RHEL5 because the
> > pam_tty_audit feature wasn't backported to RHEL5, so I would have to say
> > it is not supported in your system.
> > 
> > An upgrade is necessary.
> > 
> > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb@redhat.com>
> > 
> > wrote:
> > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > > > > This is correct. The problem is,  this records every keystrokes and
> > 
> > even
> > 
> > > > > the password of the users. While I only care about the user command
> > > > > history, I surely do not want to know their passwords.
> > > > 
> > > > There is now support in the upstream kernel (3.10-rc1) and in pam
> > > > (1.1.8+) to not record passwords by default.  If you want the old
> > > > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
> > > > 
> > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
> > 
> > tvaughan@onyxpoint.com
> > 
> > > > >wrote:
> > > > > > Does pam_tty_audit with enable=* not do what you want?
> > > > > > 
> > > > > > Trevor
> > > > > > 
> > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com>
> > > > 
> > > > wrote:
> > > > > >> HI
> > > > > >> I know this seems an old topic. But unfortunately, I can't find a
> > > > > >> solution for this. I have googled long time. I tried following
> > > > 
> > > > options:
> > > > > >> 1. audit execv syscall,
> > > > > >> 
> > > > > >>     this does record every command typed any tty. However, it
> > > > 
> > > > generates
> > > > 
> > > > > >> lots of noise.  Sometimes, the execv syscall is so frequently
> > 
> > called
> > 
> > > > that
> > > > 
> > > > > >> the system can't afford to log every call of it and it crashes
> > > > > >> !!!
> > > > > >> 
> > > > > >> 2. use *pam_tty_audit.so
> > > > > >> *
> > > > > >> this makes it possible to record one or two users, not all users.
> > 
> > *
> > 
> > > > > >> *
> > > > > >> So, may I ask, is this problem solvable by auditd or do I need
> > 
> > other
> > 
> > > > > >> tools ?*
> > > > > >> 
> > > > > >> *
> > > > > >> *Thanks a lot
> > > > > > 
> > > > > > Trevor Vaughan
> > > > 
> > > > - RGB
> > 
> > - RGB
> > 
> > --
> > Richard Guy Briggs <rbriggs@redhat.com>
> > Senior Software Engineer
> > Kernel Security
> > AMER ENG Base Operating Systems
> > Remote, Ottawa, Canada
> > Voice: +1.647.777.2635
> > Internal: (81) 32635
> > Alt: +1.613.693.0684x3545