From mboxrd@z Thu Jan  1 00:00:00 1970
From: Richard Guy Briggs <rgb@redhat.com>
Subject: Re: how to use auditd to record all user command history
Date: Tue, 8 Oct 2013 17:33:26 -0400
Message-ID: <20131008213326.GD26809@madcap2.tricolour.ca>
References: <CAP6dAmfsUEOPaZx-3wO-nFMRDkajdUDy9zPizab_w-zHugJyqg@mail.gmail.com>
	<CANs+FoXSu=4ACFFPr+sFip4OHqwMf=NoF2G+1FQKRrm3mxa0Ew@mail.gmail.com>
	<CAP6dAmdD8rvexEoQwQ9t_O=Jit=SmA6jXQuBkMh4M9Uj3LwmHA@mail.gmail.com>
	<20131008031326.GC26809@madcap2.tricolour.ca>
	<CAP6dAmc2iS8NqLVPCoaBEB_+pwj+Eqh+spqYt=LLq18m5w0cYw@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Content-Disposition: inline
In-Reply-To: <CAP6dAmc2iS8NqLVPCoaBEB_+pwj+Eqh+spqYt=LLq18m5w0cYw@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: zhu xiuming <xiumingzhu@gmail.com>
Cc: "Linux-audit@redhat.com" <Linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
> Thanks for your reply.
> Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I
> wonder whether it supports this feature.

The log_passwd feature has not been backported to RHEL5 because the
pam_tty_audit feature wasn't backported to RHEL5, so I would have to say
it is not supported in your system.

An upgrade is necessary.

> On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > > This is correct. The problem is,  this records every keystrokes and even
> > > the password of the users. While I only care about the user command
> > > history, I surely do not want to know their passwords.
> >
> > There is now support in the upstream kernel (3.10-rc1) and in pam
> > (1.1.8+) to not record passwords by default.  If you want the old
> > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
> >
> > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <tvaughan@onyxpoint.com
> > >wrote:
> > > > Does pam_tty_audit with enable=* not do what you want?
> > > >
> > > > Trevor
> > > >
> > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com>
> > wrote:
> > > >
> > > >> HI
> > > >> I know this seems an old topic. But unfortunately, I can't find a
> > > >> solution for this. I have googled long time. I tried following
> > options:
> > > >>
> > > >> 1. audit execv syscall,
> > > >>     this does record every command typed any tty. However, it
> > generates
> > > >> lots of noise.  Sometimes, the execv syscall is so frequently called
> > that
> > > >> the system can't afford to log every call of it and it crashes !!!
> > > >>
> > > >> 2. use *pam_tty_audit.so
> > > >> *
> > > >> this makes it possible to record one or two users, not all users. *
> > > >> *
> > > >> So, may I ask, is this problem solvable by auditd or do I need other
> > > >> tools ?*
> > > >>
> > > >> *
> > > >> *Thanks a lot
> > > >
> > > > Trevor Vaughan
> >
> > - RGB

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545