public inbox for linux-audit@redhat.com
* pam_tty_audit bi-directional logging
@ 2013-06-07 21:40 Tracy Reed
  2013-06-07 22:48 ` Miloslav Trmač
  0 siblings, 1 reply; 5+ messages in thread
From: Tracy Reed @ 2013-06-07 21:40 UTC (permalink / raw)
  To: linux-audit



Is there any way to make pam_tty_audit log not only what the user types but
also what the server sends back? Due to regulatory requirements we are
currently having to use proprietary, kludgy, unreliable bastion host
"solutions" to get full session logging. It seems like pam_tty_audit, being in
the tty layer, would have access to everything going through the tty both send
and receive but it looks like only commands typed are logged. Am I missing
something?

Thanks!

-- 
Tracy Reed


* Re: pam_tty_audit bi-directional logging
  2013-06-07 21:40 pam_tty_audit bi-directional logging Tracy Reed
@ 2013-06-07 22:48 ` Miloslav Trmač
  2013-06-08 12:59   ` Steve Grubb
  0 siblings, 1 reply; 5+ messages in thread
From: Miloslav Trmač @ 2013-06-07 22:48 UTC (permalink / raw)
  To: Tracy Reed; +Cc: linux-audit

----- Original Message -----
> Is there any way to make pam_tty_audit log not only what the user types but
> also what the server sends back?
No, this is currently not possible.
    Mirek


* Re: pam_tty_audit bi-directional logging
  2013-06-07 22:48 ` Miloslav Trmač
@ 2013-06-08 12:59   ` Steve Grubb
  2013-06-10 15:48     ` Miloslav Trmač
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Grubb @ 2013-06-08 12:59 UTC (permalink / raw)
  To: linux-audit; +Cc: Miloslav Trmač

On Friday, June 07, 2013 06:48:18 PM Miloslav Trmač wrote:
> ----- Original Message -----
> 
> > Is there any way to make pam_tty_audit log not only what the user types
> > but also what the server sends back?
> 
> No, this is currently not possible.

Impossible as in 1) what is already shipped can't do this, or 2) no amount of 
code being added to the kernel can do this, or 3) for upstream political 
reasons?

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: pam_tty_audit bi-directional logging
  2013-06-08 12:59   ` Steve Grubb
@ 2013-06-10 15:48     ` Miloslav Trmač
  2013-06-10 15:55       ` Steve Grubb
  0 siblings, 1 reply; 5+ messages in thread
From: Miloslav Trmač @ 2013-06-10 15:48 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

----- Original Message -----
> On Friday, June 07, 2013 06:48:18 PM Miloslav Trmač wrote:
> > ----- Original Message -----
> > 
> > > Is there any way to make pam_tty_audit log not only what the user types
> > > but also what the server sends back?
> > 
> > No, this is currently not possible.
> 
> Impossible as in 1) what is already shipped can't do this, or 2) no amount of
> code being added to the kernel can do this, or 3) for upstream political
> reasons?

Primarily 1), also
4) auditing output is a little more difficult because it's much more common to have a _lot_ of output (e.g. (find -name '*.c')), so TTY auditing should probably be able to throttle the TTY throughput.  (In principle the same problem is with input as well - with a PTY I can cause massive amount of data to be audited - but it doesn't occur accidentally.)
    Mirek


* Re: pam_tty_audit bi-directional logging
  2013-06-10 15:48     ` Miloslav Trmač
@ 2013-06-10 15:55       ` Steve Grubb
  0 siblings, 0 replies; 5+ messages in thread
From: Steve Grubb @ 2013-06-10 15:55 UTC (permalink / raw)
  To: Miloslav Trmač; +Cc: linux-audit

On Monday, June 10, 2013 11:48:15 AM Miloslav Trmač wrote:
> > > > Is there any way to make pam_tty_audit log not only what the user
> > > > types but also what the server sends back?
> > > 
> > > No, this is currently not possible.
> > 
> > Impossible as in 1) what is already shipped can't do this, or 2) no amount
> > of code being added to the kernel can do this, or 3) for upstream
> > political reasons?
> 
> Primarily 1), also
> 4) auditing output is a little more difficult because it's much more common
> to have a _lot_ of output (e.g. (find -name '*.c')), so TTY auditing should
> probably be able to throttle the TTY throughput.  (In principle the same
> problem is with input as well - with a PTY I can cause massive amount of
> data to be audited - but it doesn't occur accidentally.)

Probably would need to escape/drop all the control characters, too, so report 
display terminal doesn't get hijacked. :-)  But yes, I could see someone 
DoS'ing the machine easily now that you mention it.

-Steve
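
Added example, not part of the thread or of the audit project's code: one way a review tool could render captured TTY bytes so that control characters cannot act on the reviewer's terminal, with a display budget for very large records. The function name, the budget value and the sample bytes are assumptions constructed for illustration.

```python
# Added example: render captured TTY bytes for a reviewer without letting
# them drive the reviewer's terminal. Names and values here are hypothetical.

MAX_BYTES = 4096  # assumed per-record display budget (the "lot of output" concern)

# Constructed sample: command echo, an OSC window-title sequence, a CSI
# clear-screen plus cursor-home, backspaces, and a literal backslash.
SAMPLE = b"ls\r\n\x1b]0;fake title\x07\x1b[2J\x1b[Hroot# \x08\x08ok\\\n"


def render_safe(data: bytes, limit: int = MAX_BYTES) -> str:
    """Return a printable rendering of raw TTY bytes.

    Every byte outside printable ASCII (0x20-0x7e) is shown as \\xNN, so ESC
    (0x1b), CSI/OSC sequences, backspace, carriage return and 8-bit C1
    controls cannot move the cursor, retitle the window or overwrite earlier
    lines. Newline is shown as a visible \\n marker followed by a real line
    break. Non-ASCII text is escaped too; that is the price of never
    interpreting the stream.
    """
    out = []
    for b in data[:limit]:
        if b == 0x0A:
            out.append("\\n\n")
        elif b == 0x5C:
            # Escape the backslash itself so a typed "\x1b" cannot be
            # confused with a real ESC byte in the rendering.
            out.append("\\\\")
        elif 0x20 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    if len(data) > limit:
        out.append(f"[... {len(data) - limit} bytes not shown]")
    return "".join(out)


if __name__ == "__main__":
    print(render_safe(SAMPLE))
```
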
