From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: how to use auditd to record all user command history Date: Wed, 09 Oct 2013 17:57:50 -0400 Message-ID: <1880573.oVeE1d5NRY@x2> References: <20131008213326.GD26809@madcap2.tricolour.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com Cc: Richard Guy Briggs List-Id: linux-audit@redhat.com On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote: > So, if I can't update all kernels (the cost will be very high), is there > any other way to resolve this issue? The kernel is what does all the heavy work in the audit system. Auditd only records to disk, pam_tty_audit and auditctl tell the kernel what they are interested in. But all the action is in the kernel, not user space. -Steve > On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs wrote: > > On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote: > > > Thanks for your reply. > > > Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I > > > wonder whether it supports this feature. > > > > The log_passwd feature has not been backported to RHEL5 because the > > pam_tty_audit feature wasn't backported to RHEL5, so I would have to say > > it is not supported in your system. > > > > An upgrade is necessary. > > > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs > > > > wrote: > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote: > > > > > This is correct. The problem is, this records every keystrokes and > > > > even > > > > > > > the password of the users. While I only care about the user command > > > > > history, I surely do not want to know their passwords. > > > > > > > > There is now support in the upstream kernel (3.10-rc1) and in pam > > > > (1.1.8+) to not record passwords by default. If you want the old > > > > behaviour, add the optional argument to pam_tty_audit: "log_passwd" > > > > > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan < > > > > tvaughan@onyxpoint.com > > > > > > >wrote: > > > > > > Does pam_tty_audit with enable=* not do what you want? > > > > > > > > > > > > Trevor > > > > > > > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming > > > > > > > > wrote: > > > > > >> HI > > > > > >> I know this seems an old topic. But unfortunately, I can't find a > > > > > >> solution for this. I have googled long time. I tried following > > > > > > > > options: > > > > > >> 1. audit execv syscall, > > > > > >> > > > > > >> this does record every command typed any tty. However, it > > > > > > > > generates > > > > > > > > > >> lots of noise. Sometimes, the execv syscall is so frequently > > > > called > > > > > > that > > > > > > > > > >> the system can't afford to log every call of it and it crashes > > > > > >> !!! > > > > > >> > > > > > >> 2. use *pam_tty_audit.so > > > > > >> * > > > > > >> this makes it possible to record one or two users, not all users. > > > > * > > > > > > > >> * > > > > > >> So, may I ask, is this problem solvable by auditd or do I need > > > > other > > > > > > > >> tools ?* > > > > > >> > > > > > >> * > > > > > >> *Thanks a lot > > > > > > > > > > > > Trevor Vaughan > > > > > > > > - RGB > > > > - RGB > > > > -- > > Richard Guy Briggs > > Senior Software Engineer > > Kernel Security > > AMER ENG Base Operating Systems > > Remote, Ottawa, Canada > > Voice: +1.647.777.2635 > > Internal: (81) 32635 > > Alt: +1.613.693.0684x3545