how to use auditd to record all user command history

how to use auditd to record all user command history

[zhu xiuming]

[-- Attachment #1.1: Type: text/plain, Size: 579 bytes --]

HI
I know this seems an old topic. But unfortunately, I can't find a solution
for this. I have googled long time. I tried following options:

1. audit execv syscall,
    this does record every command typed any tty. However, it generates
lots of noise.  Sometimes, the execv syscall is so frequently called that
the system can't afford to log every call of it and it crashes !!!

2. use *pam_tty_audit.so
*
this makes it possible to record one or two users, not all users. *
*
So, may I ask, is this problem solvable by auditd or do I need other tools ?
*

*
*Thanks a lot
*
*
*

[-- Attachment #1.2: Type: text/html, Size: 786 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: how to use auditd to record all user command history

[Trevor Vaughan]

[-- Attachment #1.1: Type: text/plain, Size: 1037 bytes --]

Does pam_tty_audit with enable=* not do what you want?

Trevor


On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com> wrote:

> HI
> I know this seems an old topic. But unfortunately, I can't find a solution
> for this. I have googled long time. I tried following options:
>
> 1. audit execv syscall,
>     this does record every command typed any tty. However, it generates
> lots of noise.  Sometimes, the execv syscall is so frequently called that
> the system can't afford to log every call of it and it crashes !!!
>
> 2. use *pam_tty_audit.so
> *
> this makes it possible to record one or two users, not all users. *
> *
> So, may I ask, is this problem solvable by auditd or do I need other tools
> ?*
>
> *
> *Thanks a lot
> *
> *
> *
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>



-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

[-- Attachment #1.2: Type: text/html, Size: 1765 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: how to use auditd to record all user command history

[zhu xiuming]

[-- Attachment #1.1: Type: text/plain, Size: 1370 bytes --]

This is correct. The problem is,  this records every keystrokes and even
the password of the users. While I only care about the user command
history, I surely do not want to know their passwords.




On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <tvaughan@onyxpoint.com>wrote:

> Does pam_tty_audit with enable=* not do what you want?
>
> Trevor
>
>
> On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com> wrote:
>
>> HI
>> I know this seems an old topic. But unfortunately, I can't find a
>> solution for this. I have googled long time. I tried following options:
>>
>> 1. audit execv syscall,
>>     this does record every command typed any tty. However, it generates
>> lots of noise.  Sometimes, the execv syscall is so frequently called that
>> the system can't afford to log every call of it and it crashes !!!
>>
>> 2. use *pam_tty_audit.so
>> *
>> this makes it possible to record one or two users, not all users. *
>> *
>> So, may I ask, is this problem solvable by auditd or do I need other
>> tools ?*
>>
>> *
>> *Thanks a lot
>> *
>> *
>> *
>>
>> --
>> Linux-audit mailing list
>> Linux-audit@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
>>
>
>
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
> tvaughan@onyxpoint.com
>
> -- This account not approved for unencrypted proprietary information --
>

[-- Attachment #1.2: Type: text/html, Size: 2659 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: how to use auditd to record all user command history

[Richard Guy Briggs]

On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> This is correct. The problem is,  this records every keystrokes and even
> the password of the users. While I only care about the user command
> history, I surely do not want to know their passwords.

There is now support in the upstream kernel (3.10-rc1) and in pam
(1.1.8+) to not record passwords by default.  If you want the old
behaviour, add the optional argument to pam_tty_audit: "log_passwd"

> On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <tvaughan@onyxpoint.com>wrote:
> > Does pam_tty_audit with enable=* not do what you want?
> >
> > Trevor
> >
> > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com> wrote:
> >
> >> HI
> >> I know this seems an old topic. But unfortunately, I can't find a
> >> solution for this. I have googled long time. I tried following options:
> >>
> >> 1. audit execv syscall,
> >>     this does record every command typed any tty. However, it generates
> >> lots of noise.  Sometimes, the execv syscall is so frequently called that
> >> the system can't afford to log every call of it and it crashes !!!
> >>
> >> 2. use *pam_tty_audit.so
> >> *
> >> this makes it possible to record one or two users, not all users. *
> >> *
> >> So, may I ask, is this problem solvable by auditd or do I need other
> >> tools ?*
> >>
> >> *
> >> *Thanks a lot
> >
> > Trevor Vaughan

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545

Re: how to use auditd to record all user command history

[zhu xiuming]

[-- Attachment #1.1: Type: text/plain, Size: 1924 bytes --]

Thanks for your reply.
Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I
wonder whether it supports this feature.


On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb@redhat.com> wrote:

> On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > This is correct. The problem is,  this records every keystrokes and even
> > the password of the users. While I only care about the user command
> > history, I surely do not want to know their passwords.
>
> There is now support in the upstream kernel (3.10-rc1) and in pam
> (1.1.8+) to not record passwords by default.  If you want the old
> behaviour, add the optional argument to pam_tty_audit: "log_passwd"
>
> > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <tvaughan@onyxpoint.com
> >wrote:
> > > Does pam_tty_audit with enable=* not do what you want?
> > >
> > > Trevor
> > >
> > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com>
> wrote:
> > >
> > >> HI
> > >> I know this seems an old topic. But unfortunately, I can't find a
> > >> solution for this. I have googled long time. I tried following
> options:
> > >>
> > >> 1. audit execv syscall,
> > >>     this does record every command typed any tty. However, it
> generates
> > >> lots of noise.  Sometimes, the execv syscall is so frequently called
> that
> > >> the system can't afford to log every call of it and it crashes !!!
> > >>
> > >> 2. use *pam_tty_audit.so
> > >> *
> > >> this makes it possible to record one or two users, not all users. *
> > >> *
> > >> So, may I ask, is this problem solvable by auditd or do I need other
> > >> tools ?*
> > >>
> > >> *
> > >> *Thanks a lot
> > >
> > > Trevor Vaughan
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs@redhat.com>
> Senior Software Engineer
> Kernel Security
> AMER ENG Base Operating Systems
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635
> Internal: (81) 32635
> Alt: +1.613.693.0684x3545
>

[-- Attachment #1.2: Type: text/html, Size: 2943 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: how to use auditd to record all user command history

[Richard Guy Briggs]

On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
> Thanks for your reply.
> Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I
> wonder whether it supports this feature.

The log_passwd feature has not been backported to RHEL5 because the
pam_tty_audit feature wasn't backported to RHEL5, so I would have to say
it is not supported in your system.

An upgrade is necessary.

> On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > > This is correct. The problem is,  this records every keystrokes and even
> > > the password of the users. While I only care about the user command
> > > history, I surely do not want to know their passwords.
> >
> > There is now support in the upstream kernel (3.10-rc1) and in pam
> > (1.1.8+) to not record passwords by default.  If you want the old
> > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
> >
> > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <tvaughan@onyxpoint.com
> > >wrote:
> > > > Does pam_tty_audit with enable=* not do what you want?
> > > >
> > > > Trevor
> > > >
> > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com>
> > wrote:
> > > >
> > > >> HI
> > > >> I know this seems an old topic. But unfortunately, I can't find a
> > > >> solution for this. I have googled long time. I tried following
> > options:
> > > >>
> > > >> 1. audit execv syscall,
> > > >>     this does record every command typed any tty. However, it
> > generates
> > > >> lots of noise.  Sometimes, the execv syscall is so frequently called
> > that
> > > >> the system can't afford to log every call of it and it crashes !!!
> > > >>
> > > >> 2. use *pam_tty_audit.so
> > > >> *
> > > >> this makes it possible to record one or two users, not all users. *
> > > >> *
> > > >> So, may I ask, is this problem solvable by auditd or do I need other
> > > >> tools ?*
> > > >>
> > > >> *
> > > >> *Thanks a lot
> > > >
> > > > Trevor Vaughan
> >
> > - RGB

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545

Re: how to use auditd to record all user command history

[zhu xiuming]

[-- Attachment #1.1: Type: text/plain, Size: 2613 bytes --]

So, if I can't update all kernels (the cost will be very high), is there
any other way to resolve this issue?

thanks a lot


On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <rgb@redhat.com> wrote:

> On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
> > Thanks for your reply.
> > Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I
> > wonder whether it supports this feature.
>
> The log_passwd feature has not been backported to RHEL5 because the
> pam_tty_audit feature wasn't backported to RHEL5, so I would have to say
> it is not supported in your system.
>
> An upgrade is necessary.
>
> > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb@redhat.com>
> wrote:
> > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > > > This is correct. The problem is,  this records every keystrokes and
> even
> > > > the password of the users. While I only care about the user command
> > > > history, I surely do not want to know their passwords.
> > >
> > > There is now support in the upstream kernel (3.10-rc1) and in pam
> > > (1.1.8+) to not record passwords by default.  If you want the old
> > > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
> > >
> > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
> tvaughan@onyxpoint.com
> > > >wrote:
> > > > > Does pam_tty_audit with enable=* not do what you want?
> > > > >
> > > > > Trevor
> > > > >
> > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com>
> > > wrote:
> > > > >
> > > > >> HI
> > > > >> I know this seems an old topic. But unfortunately, I can't find a
> > > > >> solution for this. I have googled long time. I tried following
> > > options:
> > > > >>
> > > > >> 1. audit execv syscall,
> > > > >>     this does record every command typed any tty. However, it
> > > generates
> > > > >> lots of noise.  Sometimes, the execv syscall is so frequently
> called
> > > that
> > > > >> the system can't afford to log every call of it and it crashes !!!
> > > > >>
> > > > >> 2. use *pam_tty_audit.so
> > > > >> *
> > > > >> this makes it possible to record one or two users, not all users.
> *
> > > > >> *
> > > > >> So, may I ask, is this problem solvable by auditd or do I need
> other
> > > > >> tools ?*
> > > > >>
> > > > >> *
> > > > >> *Thanks a lot
> > > > >
> > > > > Trevor Vaughan
> > >
> > > - RGB
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs@redhat.com>
> Senior Software Engineer
> Kernel Security
> AMER ENG Base Operating Systems
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635
> Internal: (81) 32635
> Alt: +1.613.693.0684x3545
>

[-- Attachment #1.2: Type: text/html, Size: 4001 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: how to use auditd to record all user command history

[Steve Grubb]

On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote:
> So, if I can't update all kernels (the cost will be very high), is there
> any other way to resolve this issue?

The kernel is what does all the heavy work in the audit system. Auditd only 
records to disk, pam_tty_audit and auditctl tell the kernel what they are 
interested in. But all the action is in the kernel, not user space.

-Steve

> On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
> > > Thanks for your reply.
> > > Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I
> > > wonder whether it supports this feature.
> > 
> > The log_passwd feature has not been backported to RHEL5 because the
> > pam_tty_audit feature wasn't backported to RHEL5, so I would have to say
> > it is not supported in your system.
> > 
> > An upgrade is necessary.
> > 
> > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb@redhat.com>
> > 
> > wrote:
> > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > > > > This is correct. The problem is,  this records every keystrokes and
> > 
> > even
> > 
> > > > > the password of the users. While I only care about the user command
> > > > > history, I surely do not want to know their passwords.
> > > > 
> > > > There is now support in the upstream kernel (3.10-rc1) and in pam
> > > > (1.1.8+) to not record passwords by default.  If you want the old
> > > > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
> > > > 
> > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
> > 
> > tvaughan@onyxpoint.com
> > 
> > > > >wrote:
> > > > > > Does pam_tty_audit with enable=* not do what you want?
> > > > > > 
> > > > > > Trevor
> > > > > > 
> > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com>
> > > > 
> > > > wrote:
> > > > > >> HI
> > > > > >> I know this seems an old topic. But unfortunately, I can't find a
> > > > > >> solution for this. I have googled long time. I tried following
> > > > 
> > > > options:
> > > > > >> 1. audit execv syscall,
> > > > > >> 
> > > > > >>     this does record every command typed any tty. However, it
> > > > 
> > > > generates
> > > > 
> > > > > >> lots of noise.  Sometimes, the execv syscall is so frequently
> > 
> > called
> > 
> > > > that
> > > > 
> > > > > >> the system can't afford to log every call of it and it crashes
> > > > > >> !!!
> > > > > >> 
> > > > > >> 2. use *pam_tty_audit.so
> > > > > >> *
> > > > > >> this makes it possible to record one or two users, not all users.
> > 
> > *
> > 
> > > > > >> *
> > > > > >> So, may I ask, is this problem solvable by auditd or do I need
> > 
> > other
> > 
> > > > > >> tools ?*
> > > > > >> 
> > > > > >> *
> > > > > >> *Thanks a lot
> > > > > > 
> > > > > > Trevor Vaughan
> > > > 
> > > > - RGB
> > 
> > - RGB
> > 
> > --
> > Richard Guy Briggs <rbriggs@redhat.com>
> > Senior Software Engineer
> > Kernel Security
> > AMER ENG Base Operating Systems
> > Remote, Ottawa, Canada
> > Voice: +1.647.777.2635
> > Internal: (81) 32635
> > Alt: +1.613.693.0684x3545

Re: how to use auditd to record all user command history

[zhu xiuming]

[-- Attachment #1.1: Type: text/plain, Size: 3604 bytes --]

Thanks.
I know the kernel do the most work. So, I can't use pam_tty_audit for our
hosts.

However, I still hope to record user command history. I just wonder what is
the best way to do it.




On Wed, Oct 9, 2013 at 2:57 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote:
> > So, if I can't update all kernels (the cost will be very high), is there
> > any other way to resolve this issue?
>
> The kernel is what does all the heavy work in the audit system. Auditd only
> records to disk, pam_tty_audit and auditctl tell the kernel what they are
> interested in. But all the action is in the kernel, not user space.
>
> -Steve
>
> > On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <rgb@redhat.com>
> wrote:
> > > On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
> > > > Thanks for your reply.
> > > > Currently, our Linux kernel versions are mostly Redhat
> 2.6.18-xxx.el5. I
> > > > wonder whether it supports this feature.
> > >
> > > The log_passwd feature has not been backported to RHEL5 because the
> > > pam_tty_audit feature wasn't backported to RHEL5, so I would have to
> say
> > > it is not supported in your system.
> > >
> > > An upgrade is necessary.
> > >
> > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb@redhat.com>
> > >
> > > wrote:
> > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > > > > > This is correct. The problem is,  this records every keystrokes
> and
> > >
> > > even
> > >
> > > > > > the password of the users. While I only care about the user
> command
> > > > > > history, I surely do not want to know their passwords.
> > > > >
> > > > > There is now support in the upstream kernel (3.10-rc1) and in pam
> > > > > (1.1.8+) to not record passwords by default.  If you want the old
> > > > > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
> > > > >
> > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
> > >
> > > tvaughan@onyxpoint.com
> > >
> > > > > >wrote:
> > > > > > > Does pam_tty_audit with enable=* not do what you want?
> > > > > > >
> > > > > > > Trevor
> > > > > > >
> > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <
> xiumingzhu@gmail.com>
> > > > >
> > > > > wrote:
> > > > > > >> HI
> > > > > > >> I know this seems an old topic. But unfortunately, I can't
> find a
> > > > > > >> solution for this. I have googled long time. I tried following
> > > > >
> > > > > options:
> > > > > > >> 1. audit execv syscall,
> > > > > > >>
> > > > > > >>     this does record every command typed any tty. However, it
> > > > >
> > > > > generates
> > > > >
> > > > > > >> lots of noise.  Sometimes, the execv syscall is so frequently
> > >
> > > called
> > >
> > > > > that
> > > > >
> > > > > > >> the system can't afford to log every call of it and it crashes
> > > > > > >> !!!
> > > > > > >>
> > > > > > >> 2. use *pam_tty_audit.so
> > > > > > >> *
> > > > > > >> this makes it possible to record one or two users, not all
> users.
> > >
> > > *
> > >
> > > > > > >> *
> > > > > > >> So, may I ask, is this problem solvable by auditd or do I need
> > >
> > > other
> > >
> > > > > > >> tools ?*
> > > > > > >>
> > > > > > >> *
> > > > > > >> *Thanks a lot
> > > > > > >
> > > > > > > Trevor Vaughan
> > > > >
> > > > > - RGB
> > >
> > > - RGB
> > >
> > > --
> > > Richard Guy Briggs <rbriggs@redhat.com>
> > > Senior Software Engineer
> > > Kernel Security
> > > AMER ENG Base Operating Systems
> > > Remote, Ottawa, Canada
> > > Voice: +1.647.777.2635
> > > Internal: (81) 32635
> > > Alt: +1.613.693.0684x3545
>
>

[-- Attachment #1.2: Type: text/html, Size: 5830 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

RE: how to use auditd to record all user command history

[Smith, Gary R]

[-- Attachment #1.1: Type: text/plain, Size: 5974 bytes --]

Hi,

What's the "best way to do it" is dependent on your system.

That said, I can offer two non-audit suggestions.

One I call the "Old Shell Game". Stick this bash code in in the appropriate system wide bash file:

function log

{

typeset x

x=$(history 1 | cut -f 5-)

logger -p daemon.notice -t "$LOGNAME" $PWD "${x#        }"

}

trap log DEBUG

And you get things like this in your syslog:

Apr  8 13:50:51 dr-who root: /root    18  ls -ls /etc/pam.d/*su*
Apr  8 13:51:17 dr-who root: /root    19  ps -ef | grep audit | grep -v grep
Apr  8 13:51:53 dr-who root: /root    20  ps -ef | grep -v root | wc -l
Apr  8 13:52:31 dr-who root: /root    21  ps -ef | grep -v root | sort | more

Is this easy to defeat? Yup. But it will let you get experiment with command logging and see if it's really of any benefit to you.

Another is use the program called "snoopy" available at http://sourceforge.net/projects/snoopylogger/

It uses a little known feature of the Linux loader, namely, LD_PRELOAD.

Once you've got it in place you get output like this:

Apr 13 16:55:19 dr-who snoopy[2029]: [uid:0 sid:1890 tty:/dev/pts/1 cwd:/root filename:/bin/uname]: uname -a
Apr 13 16:56:18 dr-who snoopy[2031]: [uid:0 sid:1890 tty:/dev/pts/1 cwd:/root filename:/bin/ps]: ps -ef
Apr 13 16:57:50 dr-who snoopy[2035]: [uid:0 sid:1890 tty:/dev/pts/1 cwd:/root filename:/bin/ps]: ps -ef
Apr 13 16:57:50 dr-who snoopy[2036]: [uid:0 sid:1890 tty: cwd:/root filename:/bin/grep]: grep audit
Apr 13 16:57:50 dr-who snoopy[2037]: [uid:0 sid:1890 tty: cwd:/root filename:/bin/grep]: grep -v grep

It's not as easy to circumvent as the above bash code. As a suggestion based on experience, don't put snoopy into affect until after the system is up. You really don't want to log all the commands root does in the process of starting up a system.

I hope this helps.

Best regards,

Gary Smith
Information System Security Officer
Pacific Northwest National Laboratory

From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of zhu xiuming
Sent: Wednesday, October 09, 2013 3:11 PM
To: Steve Grubb
Cc: Richard Guy Briggs; Linux-audit@redhat.com
Subject: Re: how to use auditd to record all user command history

Thanks.
I know the kernel do the most work. So, I can't use pam_tty_audit for our hosts.
However, I still hope to record user command history. I just wonder what is the best way to do it.


On Wed, Oct 9, 2013 at 2:57 PM, Steve Grubb <sgrubb@redhat.com<mailto:sgrubb@redhat.com>> wrote:
On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote:
> So, if I can't update all kernels (the cost will be very high), is there
> any other way to resolve this issue?
The kernel is what does all the heavy work in the audit system. Auditd only
records to disk, pam_tty_audit and auditctl tell the kernel what they are
interested in. But all the action is in the kernel, not user space.

-Steve

> On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <rgb@redhat.com<mailto:rgb@redhat.com>> wrote:
> > On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
> > > Thanks for your reply.
> > > Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I
> > > wonder whether it supports this feature.
> >
> > The log_passwd feature has not been backported to RHEL5 because the
> > pam_tty_audit feature wasn't backported to RHEL5, so I would have to say
> > it is not supported in your system.
> >
> > An upgrade is necessary.
> >
> > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb@redhat.com<mailto:rgb@redhat.com>>
> >
> > wrote:
> > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > > > > This is correct. The problem is,  this records every keystrokes and
> >
> > even
> >
> > > > > the password of the users. While I only care about the user command
> > > > > history, I surely do not want to know their passwords.
> > > >
> > > > There is now support in the upstream kernel (3.10-rc1) and in pam
> > > > (1.1.8+) to not record passwords by default.  If you want the old
> > > > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
> > > >
> > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
> >
> > tvaughan@onyxpoint.com<mailto:tvaughan@onyxpoint.com>
> >
> > > > >wrote:
> > > > > > Does pam_tty_audit with enable=* not do what you want?
> > > > > >
> > > > > > Trevor
> > > > > >
> > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com<mailto:xiumingzhu@gmail.com>>
> > > >
> > > > wrote:
> > > > > >> HI
> > > > > >> I know this seems an old topic. But unfortunately, I can't find a
> > > > > >> solution for this. I have googled long time. I tried following
> > > >
> > > > options:
> > > > > >> 1. audit execv syscall,
> > > > > >>
> > > > > >>     this does record every command typed any tty. However, it
> > > >
> > > > generates
> > > >
> > > > > >> lots of noise.  Sometimes, the execv syscall is so frequently
> >
> > called
> >
> > > > that
> > > >
> > > > > >> the system can't afford to log every call of it and it crashes
> > > > > >> !!!
> > > > > >>
> > > > > >> 2. use *pam_tty_audit.so
> > > > > >> *
> > > > > >> this makes it possible to record one or two users, not all users.
> >
> > *
> >
> > > > > >> *
> > > > > >> So, may I ask, is this problem solvable by auditd or do I need
> >
> > other
> >
> > > > > >> tools ?*
> > > > > >>
> > > > > >> *
> > > > > >> *Thanks a lot
> > > > > >
> > > > > > Trevor Vaughan
> > > >
> > > > - RGB
> >
> > - RGB
> >
> > --
> > Richard Guy Briggs <rbriggs@redhat.com<mailto:rbriggs@redhat.com>>
> > Senior Software Engineer
> > Kernel Security
> > AMER ENG Base Operating Systems
> > Remote, Ottawa, Canada
> > Voice: +1.647.777.2635<tel:%2B1.647.777.2635>
> > Internal: (81) 32635
> > Alt: +1.613.693.0684x3545<tel:%2B1.613.693.0684x3545>


[-- Attachment #1.2: Type: text/html, Size: 17189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: how to use auditd to record all user command history

[zhu xiuming]

[-- Attachment #1.1: Type: text/plain, Size: 6993 bytes --]

Thanks a lot.

I think it is better to use audit for me because it is also not so easy to
get a third-party software installed on our hosts.
Maybe I am considering how to scrutinize good audit rules of watching
"execv".

Thanks a lot


On Wed, Oct 9, 2013 at 4:23 PM, Smith, Gary R <gary.smith@pnnl.gov> wrote:

> Hi,****
>
> ** **
>
> What’s the “best way to do it” is dependent on your system.****
>
> ** **
>
> That said, I can offer two non-audit suggestions.****
>
> ** **
>
> One I call the “Old Shell Game”. Stick this bash code in in the
> appropriate system wide bash file:****
>
> ** **
>
> function log****
>
> ** **
>
> {****
>
> ** **
>
> typeset x****
>
> ** **
>
> x=$(history 1 | cut -f 5-)****
>
> ** **
>
> logger -p daemon.notice -t "$LOGNAME" $PWD "${x#        }"****
>
> ** **
>
> }****
>
> ** **
>
> trap log DEBUG****
>
> ** **
>
> And you get things like this in your syslog:****
>
> ** **
>
> Apr  8 13:50:51 dr-who root: /root    18  ls -ls /etc/pam.d/*su*****
>
> Apr  8 13:51:17 dr-who root: /root    19  ps -ef | grep audit | grep -v
> grep****
>
> Apr  8 13:51:53 dr-who root: /root    20  ps -ef | grep -v root | wc –l **
> **
>
> Apr  8 13:52:31 dr-who root: /root    21  ps -ef | grep -v root | sort |
> more****
>
> ** **
>
> Is this easy to defeat? Yup. But it will let you get experiment with
> command logging and see if it’s really of any benefit to you.****
>
> ** **
>
> Another is use the program called “snoopy” available at
> http://sourceforge.net/projects/snoopylogger/****
>
> ** **
>
> It uses a little known feature of the Linux loader, namely, LD_PRELOAD. **
> **
>
> ** **
>
> Once you’ve got it in place you get output like this:****
>
> ** **
>
> Apr 13 16:55:19 dr-who snoopy[2029]: [uid:0 sid:1890 tty:/dev/pts/1
> cwd:/root filename:/bin/uname]: uname –a****
>
> Apr 13 16:56:18 dr-who snoopy[2031]: [uid:0 sid:1890 tty:/dev/pts/1
> cwd:/root filename:/bin/ps]: ps –ef****
>
> Apr 13 16:57:50 dr-who snoopy[2035]: [uid:0 sid:1890 tty:/dev/pts/1
> cwd:/root filename:/bin/ps]: ps -ef ****
>
> Apr 13 16:57:50 dr-who snoopy[2036]: [uid:0 sid:1890 tty: cwd:/root
> filename:/bin/grep]: grep audit ****
>
> Apr 13 16:57:50 dr-who snoopy[2037]: [uid:0 sid:1890 tty: cwd:/root
> filename:/bin/grep]: grep -v grep ****
>
> ** **
>
> It’s not as easy to circumvent as the above bash code. As a suggestion
> based on experience, don’t put snoopy into affect until after the system is
> up. You really don’t want to log all the commands root does in the process
> of starting up a system.****
>
> ** **
>
> I hope this helps.****
>
> ** **
>
> Best regards,****
>
> ** **
>
> Gary Smith****
>
> Information System Security Officer****
>
> Pacific Northwest National Laboratory****
>
> ** **
>
> *From:* linux-audit-bounces@redhat.com [mailto:
> linux-audit-bounces@redhat.com] *On Behalf Of *zhu xiuming
> *Sent:* Wednesday, October 09, 2013 3:11 PM
> *To:* Steve Grubb
> *Cc:* Richard Guy Briggs; Linux-audit@redhat.com
> *Subject:* Re: how to use auditd to record all user command history****
>
> ** **
>
> Thanks. ****
>
> I know the kernel do the most work. So, I can't use pam_tty_audit for our
> hosts. ****
>
> However, I still hope to record user command history. I just wonder what
> is the best way to do it.
>
> ****
>
> ** **
>
> On Wed, Oct 9, 2013 at 2:57 PM, Steve Grubb <sgrubb@redhat.com> wrote:****
>
> On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote:
> > So, if I can't update all kernels (the cost will be very high), is there
> > any other way to resolve this issue?****
>
> The kernel is what does all the heavy work in the audit system. Auditd only
> records to disk, pam_tty_audit and auditctl tell the kernel what they are
> interested in. But all the action is in the kernel, not user space.
>
> -Steve****
>
>
> > On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <rgb@redhat.com>
> wrote:
> > > On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
> > > > Thanks for your reply.
> > > > Currently, our Linux kernel versions are mostly Redhat
> 2.6.18-xxx.el5. I
> > > > wonder whether it supports this feature.
> > >
> > > The log_passwd feature has not been backported to RHEL5 because the
> > > pam_tty_audit feature wasn't backported to RHEL5, so I would have to
> say
> > > it is not supported in your system.
> > >
> > > An upgrade is necessary.
> > >
> > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb@redhat.com>
> > >
> > > wrote:
> > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > > > > > This is correct. The problem is,  this records every keystrokes
> and
> > >
> > > even
> > >
> > > > > > the password of the users. While I only care about the user
> command
> > > > > > history, I surely do not want to know their passwords.
> > > > >
> > > > > There is now support in the upstream kernel (3.10-rc1) and in pam
> > > > > (1.1.8+) to not record passwords by default.  If you want the old
> > > > > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
> > > > >
> > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
> > >
> > > tvaughan@onyxpoint.com
> > >
> > > > > >wrote:
> > > > > > > Does pam_tty_audit with enable=* not do what you want?
> > > > > > >
> > > > > > > Trevor
> > > > > > >
> > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <
> xiumingzhu@gmail.com>
> > > > >
> > > > > wrote:
> > > > > > >> HI
> > > > > > >> I know this seems an old topic. But unfortunately, I can't
> find a
> > > > > > >> solution for this. I have googled long time. I tried following
> > > > >
> > > > > options:
> > > > > > >> 1. audit execv syscall,
> > > > > > >>
> > > > > > >>     this does record every command typed any tty. However, it
> > > > >
> > > > > generates
> > > > >
> > > > > > >> lots of noise.  Sometimes, the execv syscall is so frequently
> > >
> > > called
> > >
> > > > > that
> > > > >
> > > > > > >> the system can't afford to log every call of it and it crashes
> > > > > > >> !!!
> > > > > > >>
> > > > > > >> 2. use *pam_tty_audit.so
> > > > > > >> *
> > > > > > >> this makes it possible to record one or two users, not all
> users.
> > >
> > > *
> > >
> > > > > > >> *
> > > > > > >> So, may I ask, is this problem solvable by auditd or do I need
> > >
> > > other
> > >
> > > > > > >> tools ?*
> > > > > > >>
> > > > > > >> *
> > > > > > >> *Thanks a lot
> > > > > > >
> > > > > > > Trevor Vaughan
> > > > >
> > > > > - RGB
> > >
> > > - RGB
> > >
> > > --
> > > Richard Guy Briggs <rbriggs@redhat.com>
> > > Senior Software Engineer
> > > Kernel Security
> > > AMER ENG Base Operating Systems
> > > Remote, Ottawa, Canada
> > > Voice: +1.647.777.2635
> > > Internal: (81) 32635
> > > Alt: +1.613.693.0684x3545****
>
> ** **
>

[-- Attachment #1.2: Type: text/html, Size: 17596 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: how to use auditd to record all user command history

[Aschu]

Sent from Huawei Mobile

zhu xiuming <xiumingzhu@gmail.com> wrote:

>Thanks a lot.
>
>I think it is better to use audit for me because it is also not so easy to
>get a third-party software installed on our hosts.
>Maybe I am considering how to scrutinize good audit rules of watching
>"execv".
>
>Thanks a lot
>
>
>On Wed, Oct 9, 2013 at 4:23 PM, Smith, Gary R <gary.smith@pnnl.gov> wrote:
>
>> Hi,****
>>
>> ** **
>>
>> What’s the “best way to do it” is dependent on your system.****
>>
>> ** **
>>
>> That said, I can offer two non-audit suggestions.****
>>
>> ** **
>>
>> One I call the “Old Shell Game”. Stick this bash code in in the
>> appropriate system wide bash file:****
>>
>> ** **
>>
>> function log****
>>
>> ** **
>>
>> {****
>>
>> ** **
>>
>> typeset x****
>>
>> ** **
>>
>> x=$(history 1 | cut -f 5-)****
>>
>> ** **
>>
>> logger -p daemon.notice -t "$LOGNAME" $PWD "${x#        }"****
>>
>> ** **
>>
>> }****
>>
>> ** **
>>
>> trap log DEBUG****
>>
>> ** **
>>
>> And you get things like this in your syslog:****
>>
>> ** **
>>
>> Apr  8 13:50:51 dr-who root: /root    18  ls -ls /etc/pam.d/*su*****
>>
>> Apr  8 13:51:17 dr-who root: /root    19  ps -ef | grep audit | grep -v
>> grep****
>>
>> Apr  8 13:51:53 dr-who root: /root    20  ps -ef | grep -v root | wc –l **
>> **
>>
>> Apr  8 13:52:31 dr-who root: /root    21  ps -ef | grep -v root | sort |
>> more****
>>
>> ** **
>>
>> Is this easy to defeat? Yup. But it will let you get experiment with
>> command logging and see if it’s really of any benefit to you.****
>>
>> ** **
>>
>> Another is use the program called “snoopy” available at
>> http://sourceforge.net/projects/snoopylogger/****
>>
>> ** **
>>
>> It uses a little known feature of the Linux loader, namely, LD_PRELOAD. **
>> **
>>
>> ** **
>>
>> Once you’ve got it in place you get output like this:****
>>
>> ** **
>>
>> Apr 13 16:55:19 dr-who snoopy[2029]: [uid:0 sid:1890 tty:/dev/pts/1
>> cwd:/root filename:/bin/uname]: uname –a****
>>
>> Apr 13 16:56:18 dr-who snoopy[2031]: [uid:0 sid:1890 tty:/dev/pts/1
>> cwd:/root filename:/bin/ps]: ps –ef****
>>
>> Apr 13 16:57:50 dr-who snoopy[2035]: [uid:0 sid:1890 tty:/dev/pts/1
>> cwd:/root filename:/bin/ps]: ps -ef ****
>>
>> Apr 13 16:57:50 dr-who snoopy[2036]: [uid:0 sid:1890 tty: cwd:/root
>> filename:/bin/grep]: grep audit ****
>>
>> Apr 13 16:57:50 dr-who snoopy[2037]: [uid:0 sid:1890 tty: cwd:/root
>> filename:/bin/grep]: grep -v grep ****
>>
>> ** **
>>
>> It’s not as easy to circumvent as the above bash code. As a suggestion
>> based on experience, don’t put snoopy into affect until after the system is
>> up. You really don’t want to log all the commands root does in the process
>> of starting up a system.****
>>
>> ** **
>>
>> I hope this helps.****
>>
>> ** **
>>
>> Best regards,****
>>
>> ** **
>>
>> Gary Smith****
>>
>> Information System Security Officer****
>>
>> Pacific Northwest National Laboratory****
>>
>> ** **
>>
>> *From:* linux-audit-bounces@redhat.com [mailto:
>> linux-audit-bounces@redhat.com] *On Behalf Of *zhu xiuming
>> *Sent:* Wednesday, October 09, 2013 3:11 PM
>> *To:* Steve Grubb
>> *Cc:* Richard Guy Briggs; Linux-audit@redhat.com
>> *Subject:* Re: how to use auditd to record all user command history****
>>
>> ** **
>>
>> Thanks. ****
>>
>> I know the kernel do the most work. So, I can't use pam_tty_audit for our
>> hosts. ****
>>
>> However, I still hope to record user command history. I just wonder what
>> is the best way to do it.
>>
>> ****
>>
>> ** **
>>
>> On Wed, Oct 9, 2013 at 2:57 PM, Steve Grubb <sgrubb@redhat.com> wrote:****
>>
>> On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote:
>> > So, if I can't update all kernels (the cost will be very high), is there
>> > any other way to resolve this issue?****
>>
>> The kernel is what does all the heavy work in the audit system. Auditd only
>> records to disk, pam_tty_audit and auditctl tell the kernel what they are
>> interested in. But all the action is in the kernel, not user space.
>>
>> -Steve****
>>
>>
>> > On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <rgb@redhat.com>
>> wrote:
>> > > On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
>> > > > Thanks for your reply.
>> > > > Currently, our Linux kernel versions are mostly Redhat
>> 2.6.18-xxx.el5. I
>> > > > wonder whether it supports this feature.
>> > >
>> > > The log_passwd feature has not been backported to RHEL5 because the
>> > > pam_tty_audit feature wasn't backported to RHEL5, so I would have to
>> say
>> > > it is not supported in your system.
>> > >
>> > > An upgrade is necessary.
>> > >
>> > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb@redhat.com>
>> > >
>> > > wrote:
>> > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
>> > > > > > This is correct. The problem is,  this records every keystrokes
>> and
>> > >
>> > > even
>> > >
>> > > > > > the password of the users. While I only care about the user
>> command
>> > > > > > history, I surely do not want to know their passwords.
>> > > > >
>> > > > > There is now support in the upstream kernel (3.10-rc1) and in pam
>> > > > > (1.1.8+) to not record passwords by default.  If you want the old
>> > > > > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
>> > > > >
>> > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
>> > >
>> > > tvaughan@onyxpoint.com
>> > >
>> > > > > >wrote:
>> > > > > > > Does pam_tty_audit with enable=* not do what you want?
>> > > > > > >
>> > > > > > > Trevor
>> > > > > > >
>> > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <
>> xiumingzhu@gmail.com>
>> > > > >
>> > > > > wrote:
>> > > > > > >> HI
>> > > > > > >> I know this seems an old topic. But unfortunately, I can't
>> find a
>> > > > > > >> solution for this. I have googled long time. I tried following
>> > > > >
>> > > > > options:
>> > > > > > >> 1. audit execv syscall,
>> > > > > > >>
>> > > > > > >>     this does record every command typed any tty. However, it
>> > > > >
>> > > > > generates
>> > > > >
>> > > > > > >> lots of noise.  Sometimes, the execv syscall is so frequently
>> > >
>> > > called
>> > >
>> > > > > that
>> > > > >
>> > > > > > >> the system can't afford to log every call of it and it crashes
>> > > > > > >> !!!
>> > > > > > >>
>> > > > > > >> 2. use *pam_tty_audit.so
>> > > > > > >> *
>> > > > > > >> this makes it possible to record one or two users, not all
>> users.
>> > >
>> > > *
>> > >
>> > > > > > >> *
>> > > > > > >> So, may I ask, is this problem solvable by auditd or do I need
>> > >
>> > > other
>> > >
>> > > > > > >> tools ?*
>> > > > > > >>
>> > > > > > >> *
>> > > > > > >> *Thanks a lot
>> > > > > > >
>> > > > > > > Trevor Vaughan
>> > > > >
>> > > > > - RGB
>> > >
>> > > - RGB
>> > >
>> > > --
>> > > Richard Guy Briggs <rbriggs@redhat.com>
>> > > Senior Software Engineer
>> > > Kernel Security
>> > > AMER ENG Base Operating Systems
>> > > Remote, Ottawa, Canada
>> > > Voice: +1.647.777.2635
>> > > Internal: (81) 32635
>> > > Alt: +1.613.693.0684x3545****
>>
>> ** **
>>
>
>--
>Linux-audit mailing list
>Linux-audit@redhat.com
>https://www.redhat.com/mailman/listinfo/linux-audit

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

RE: how to use auditd to record all user command history

[Shinoj Gangadharan]

Hi,

Has the log_passwd feature been backported to RHEL6.4 ?

Regards,
Shinoj.

>> > >
>> > > The log_passwd feature has not been backported to RHEL5 because
>> > > the pam_tty_audit feature wasn't backported to RHEL5, so I would
>> > > have to
>> say
>> > > it is not supported in your system.
>> > >
>> > > An upgrade is necessary.
>> > >
>> > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs
>> > > > <rgb@redhat.com>
>> > >
>> > > wrote:
>> > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
>> > > > > > This is correct. The problem is,  this records every
>> > > > > > keystrokes
>> and
>> > >
>> > > even
>> > >
>> > > > > > the password of the users. While I only care about the user
>> command
>> > > > > > history, I surely do not want to know their passwords.
>> > > > >
>> > > > > There is now support in the upstream kernel (3.10-rc1) and in
>> > > > > pam
>> > > > > (1.1.8+) to not record passwords by default.  If you want the
>> > > > > old behaviour, add the optional argument to pam_tty_audit:
>> > > > > "log_passwd"
>> > > > >
>> > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
>> > >
>> > > tvaughan@onyxpoint.com
>> > >
>> > > > > >wrote:
>> > > > > > > Does pam_tty_audit with enable=* not do what you want?
>> > > > > > >
>> > > > > > > Trevor
>> > > > > > >
>> > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <
>> xiumingzhu@gmail.com>
>> > > > >
>> > > > > wrote:
>> > > > > > >> HI
>> > > > > > >> I know this seems an old topic. But unfortunately, I
>> > > > > > >> can't
>> find a
>> > > > > > >> solution for this. I have googled long time. I tried
>> > > > > > >> following
>> > > > >
>> > > > > options:
>> > > > > > >> 1. audit execv syscall,
>> > > > > > >>
>> > > > > > >>     this does record every command typed any tty.
>> > > > > > >> However, it
>> > > > >
>> > > > > generates
>> > > > >
>> > > > > > >> lots of noise.  Sometimes, the execv syscall is so
>> > > > > > >> frequently
>> > >
>> > > called
>> > >
>> > > > > that
>> > > > >
>> > > > > > >> the system can't afford to log every call of it and it
>> > > > > > >> crashes !!!
>> > > > > > >>
>> > > > > > >> 2. use *pam_tty_audit.so
>> > > > > > >> *
>> > > > > > >> this makes it possible to record one or two users, not
>> > > > > > >> all
>> users.
>> > >
>> > > *
>> > >
>> > > > > > >> *
>> > > > > > >> So, may I ask, is this problem solvable by auditd or do
>> > > > > > >> I need
>> > >
>> > > other
>> > >
>> > > > > > >> tools ?*
>> > > > > > >>
>> > > > > > >> *
>> > > > > > >> *Thanks a lot
>> > > > > > >
>> > > > > > > Trevor Vaughan
>> > > > >
>> > > > > - RGB
>> > >
>> > > - RGB
>> > >
>> > > --
>> > > Richard Guy Briggs <rbriggs@redhat.com> Senior Software Engineer
>> > > Kernel Security AMER ENG Base Operating Systems Remote, Ottawa,
>> > > Canada
>> > > Voice: +1.647.777.2635
>> > > Internal: (81) 32635
>> > > Alt: +1.613.693.0684x3545****
>>
>> ** **
>>
>
>--
>Linux-audit mailing list
>Linux-audit@redhat.com
>https://www.redhat.com/mailman/listinfo/linux-audit

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: how to use auditd to record all user command history

[Steve Grubb]

On Tuesday, October 29, 2013 02:03:48 PM Shinoj Gangadharan wrote:
> Has the log_passwd feature been backported to RHEL6.4

We cannot backport to already released versions. it would have to be a future 
release. The best way to get this in RHEL6 is to contact your support 
representative and ask for this feature.

-Steve

Re: how to use auditd to record all user command history

[Richard Guy Briggs]

On Tue, Oct 29, 2013 at 02:03:48PM +0530, Shinoj Gangadharan wrote:
> Hi,
> 
> Has the log_passwd feature been backported to RHEL6.4 ?

No.  It is part of RHEL6.5.  My understanding is the kernel part should
work with RHEL6.4, but it will break the RHEL6.4 pam_tty_audit module of
pam (which needs to be updated anyways to get the new feature to work).
I can't speak to the ease of upgrading pam to the RHEL6.5 version while
still running essentially a RHEL6.4 system.

> Regards,
> Shinoj.
> 
> >> > >
> >> > > The log_passwd feature has not been backported to RHEL5 because
> >> > > the pam_tty_audit feature wasn't backported to RHEL5, so I would
> >> > > have to say it is not supported in your system.
> >> > >
> >> > > An upgrade is necessary.
> >> > >
> >> > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs
> >> > > > <rgb@redhat.com>
> >> > >
> >> > > wrote:
> >> > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> >> > > > > > This is correct. The problem is,  this records every
> >> > > > > > keystrokes and even the password of the users. While I
> >> > > > > > only care about the user command history, I surely do not
> >> > > > > > want to know their passwords.
> >> > > > >
> >> > > > > There is now support in the upstream kernel (3.10-rc1) and
> >> > > > > in pam (1.1.8+) to not record passwords by default.  If you
> >> > > > > want the old behaviour, add the optional argument to
> >> > > > > pam_tty_audit: "log_passwd"
> >> > > > >
> >> > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
> >> > >
> >> > > tvaughan@onyxpoint.com
> >> > >
> >> > > > > >wrote:
> >> > > > > > > Does pam_tty_audit with enable=* not do what you want?
> >> > > > > > >
> >> > > > > > > Trevor
> >> > > > > > >
> >> > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <
> >> xiumingzhu@gmail.com>
> >> > > > >
> >> > > > > wrote:
> >> > > > > > >> HI
> >> > > > > > >> I know this seems an old topic. But unfortunately, I
> >> > > > > > >> can't find a solution for this. I have googled long
> >> > > > > > >> time. I tried following options:
> >> > > > > > >> 1. audit execv syscall,
> >> > > > > > >>
> >> > > > > > >>     this does record every command typed any tty.
> >> > > > > > >> However, it generates lots of noise.  Sometimes, the
> >> > > > > > >> execv syscall is so frequently called that the system
> >> > > > > > >> can't afford to log every call of it and it crashes
> >> > > > > > >> !!!
> >> > > > > > >>
> >> > > > > > >> 2. use *pam_tty_audit.so
> >> > > > > > >> *
> >> > > > > > >> this makes it possible to record one or two users, not
> >> > > > > > >> all users.
> >> > > > > > >> So, may I ask, is this problem solvable by auditd or
> >> > > > > > >> do I need other tools ?*
> >> > > > > > >
> >> > > > > > > Trevor Vaughan
> >> > > > >
> >> > > > > - RGB
> >> > >
> >> > > - RGB

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545

Re: how to use auditd to record all user command history

[shawn wilson]

On Mon, Oct 7, 2013 at 1:30 PM, zhu xiuming <xiumingzhu@gmail.com> wrote:
> This is correct. The problem is,  this records every keystrokes and even the
> password of the users. While I only care about the user command history, I
> surely do not want to know their passwords.
>

There is another problem - users without a tty will be able to type
commands that aren't loged (hence not a full solution). A test case
for this is:
ssh host ls

>
>
>
> On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <tvaughan@onyxpoint.com>
> wrote:
>>
>> Does pam_tty_audit with enable=* not do what you want?
>>
>> Trevor
>>
>>
>> On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com> wrote:
>>>
>>> HI
>>> I know this seems an old topic. But unfortunately, I can't find a
>>> solution for this. I have googled long time. I tried following options:
>>>
>>> 1. audit execv syscall,
>>>     this does record every command typed any tty. However, it generates
>>> lots of noise.  Sometimes, the execv syscall is so frequently called that
>>> the system can't afford to log every call of it and it crashes !!!
>>>
>>> 2. use pam_tty_audit.so
>>> this makes it possible to record one or two users, not all users.
>>>
>>> So, may I ask, is this problem solvable by auditd or do I need other
>>> tools ?
>>>
>>> Thanks a lot
>>>
>>>
>>> --
>>> Linux-audit mailing list
>>> Linux-audit@redhat.com
>>> https://www.redhat.com/mailman/listinfo/linux-audit
>>
>>
>>
>>
>> --
>> Trevor Vaughan
>> Vice President, Onyx Point, Inc
>> (410) 541-6699
>> tvaughan@onyxpoint.com
>>
>> -- This account not approved for unencrypted proprietary information --
>
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit