From mboxrd@z Thu Jan 1 00:00:00 1970 From: Richard Guy Briggs Subject: Re: how to use auditd to record all user command history Date: Tue, 29 Oct 2013 09:05:32 -0400 Message-ID: <20131029130532.GF5059@madcap2.tricolour.ca> References: <22uxpx58vws7pxucv9lx1wqx.1382230983805@email.android.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Shinoj Gangadharan Cc: "Linux-audit@redhat.com" , Aschu List-Id: linux-audit@redhat.com On Tue, Oct 29, 2013 at 02:03:48PM +0530, Shinoj Gangadharan wrote: > Hi, > > Has the log_passwd feature been backported to RHEL6.4 ? No. It is part of RHEL6.5. My understanding is the kernel part should work with RHEL6.4, but it will break the RHEL6.4 pam_tty_audit module of pam (which needs to be updated anyways to get the new feature to work). I can't speak to the ease of upgrading pam to the RHEL6.5 version while still running essentially a RHEL6.4 system. > Regards, > Shinoj. > > >> > > > >> > > The log_passwd feature has not been backported to RHEL5 because > >> > > the pam_tty_audit feature wasn't backported to RHEL5, so I would > >> > > have to say it is not supported in your system. > >> > > > >> > > An upgrade is necessary. > >> > > > >> > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs > >> > > > > >> > > > >> > > wrote: > >> > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote: > >> > > > > > This is correct. The problem is, this records every > >> > > > > > keystrokes and even the password of the users. While I > >> > > > > > only care about the user command history, I surely do not > >> > > > > > want to know their passwords. > >> > > > > > >> > > > > There is now support in the upstream kernel (3.10-rc1) and > >> > > > > in pam (1.1.8+) to not record passwords by default. If you > >> > > > > want the old behaviour, add the optional argument to > >> > > > > pam_tty_audit: "log_passwd" > >> > > > > > >> > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan < > >> > > > >> > > tvaughan@onyxpoint.com > >> > > > >> > > > > >wrote: > >> > > > > > > Does pam_tty_audit with enable=* not do what you want? > >> > > > > > > > >> > > > > > > Trevor > >> > > > > > > > >> > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming < > >> xiumingzhu@gmail.com> > >> > > > > > >> > > > > wrote: > >> > > > > > >> HI > >> > > > > > >> I know this seems an old topic. But unfortunately, I > >> > > > > > >> can't find a solution for this. I have googled long > >> > > > > > >> time. I tried following options: > >> > > > > > >> 1. audit execv syscall, > >> > > > > > >> > >> > > > > > >> this does record every command typed any tty. > >> > > > > > >> However, it generates lots of noise. Sometimes, the > >> > > > > > >> execv syscall is so frequently called that the system > >> > > > > > >> can't afford to log every call of it and it crashes > >> > > > > > >> !!! > >> > > > > > >> > >> > > > > > >> 2. use *pam_tty_audit.so > >> > > > > > >> * > >> > > > > > >> this makes it possible to record one or two users, not > >> > > > > > >> all users. > >> > > > > > >> So, may I ask, is this problem solvable by auditd or > >> > > > > > >> do I need other tools ?* > >> > > > > > > > >> > > > > > > Trevor Vaughan > >> > > > > > >> > > > > - RGB > >> > > > >> > > - RGB - RGB -- Richard Guy Briggs Senior Software Engineer Kernel Security AMER ENG Base Operating Systems Remote, Ottawa, Canada Voice: +1.647.777.2635 Internal: (81) 32635 Alt: +1.613.693.0684x3545