* Re: how to use auditd to record all user command history
@ 2013-10-20 1:03 Aschu
2013-10-29 8:33 ` Shinoj Gangadharan
0 siblings, 1 reply; 16+ messages in thread
From: Aschu @ 2013-10-20 1:03 UTC (permalink / raw)
To: zhu xiuming, Smith, Gary R; +Cc: Linux-audit@redhat.com
Sent from Huawei Mobile
zhu xiuming <xiumingzhu@gmail.com> wrote:
>Thanks a lot.
>
>I think it is better to use audit for me because it is also not so easy to
>get a third-party software installed on our hosts.
>Maybe I am considering how to scrutinize good audit rules of watching
>"execv".
>
>Thanks a lot
>
>
>On Wed, Oct 9, 2013 at 4:23 PM, Smith, Gary R <gary.smith@pnnl.gov> wrote:
>
>> Hi,****
>>
>> ** **
>>
>> What’s the “best way to do it” is dependent on your system.****
>>
>> ** **
>>
>> That said, I can offer two non-audit suggestions.****
>>
>> ** **
>>
>> One I call the “Old Shell Game”. Stick this bash code in in the
>> appropriate system wide bash file:****
>>
>> ** **
>>
>> function log****
>>
>> ** **
>>
>> {****
>>
>> ** **
>>
>> typeset x****
>>
>> ** **
>>
>> x=$(history 1 | cut -f 5-)****
>>
>> ** **
>>
>> logger -p daemon.notice -t "$LOGNAME" $PWD "${x# }"****
>>
>> ** **
>>
>> }****
>>
>> ** **
>>
>> trap log DEBUG****
>>
>> ** **
>>
>> And you get things like this in your syslog:****
>>
>> ** **
>>
>> Apr 8 13:50:51 dr-who root: /root 18 ls -ls /etc/pam.d/*su*****
>>
>> Apr 8 13:51:17 dr-who root: /root 19 ps -ef | grep audit | grep -v
>> grep****
>>
>> Apr 8 13:51:53 dr-who root: /root 20 ps -ef | grep -v root | wc –l **
>> **
>>
>> Apr 8 13:52:31 dr-who root: /root 21 ps -ef | grep -v root | sort |
>> more****
>>
>> ** **
>>
>> Is this easy to defeat? Yup. But it will let you get experiment with
>> command logging and see if it’s really of any benefit to you.****
>>
>> ** **
>>
>> Another is use the program called “snoopy” available at
>> http://sourceforge.net/projects/snoopylogger/****
>>
>> ** **
>>
>> It uses a little known feature of the Linux loader, namely, LD_PRELOAD. **
>> **
>>
>> ** **
>>
>> Once you’ve got it in place you get output like this:****
>>
>> ** **
>>
>> Apr 13 16:55:19 dr-who snoopy[2029]: [uid:0 sid:1890 tty:/dev/pts/1
>> cwd:/root filename:/bin/uname]: uname –a****
>>
>> Apr 13 16:56:18 dr-who snoopy[2031]: [uid:0 sid:1890 tty:/dev/pts/1
>> cwd:/root filename:/bin/ps]: ps –ef****
>>
>> Apr 13 16:57:50 dr-who snoopy[2035]: [uid:0 sid:1890 tty:/dev/pts/1
>> cwd:/root filename:/bin/ps]: ps -ef ****
>>
>> Apr 13 16:57:50 dr-who snoopy[2036]: [uid:0 sid:1890 tty: cwd:/root
>> filename:/bin/grep]: grep audit ****
>>
>> Apr 13 16:57:50 dr-who snoopy[2037]: [uid:0 sid:1890 tty: cwd:/root
>> filename:/bin/grep]: grep -v grep ****
>>
>> ** **
>>
>> It’s not as easy to circumvent as the above bash code. As a suggestion
>> based on experience, don’t put snoopy into affect until after the system is
>> up. You really don’t want to log all the commands root does in the process
>> of starting up a system.****
>>
>> ** **
>>
>> I hope this helps.****
>>
>> ** **
>>
>> Best regards,****
>>
>> ** **
>>
>> Gary Smith****
>>
>> Information System Security Officer****
>>
>> Pacific Northwest National Laboratory****
>>
>> ** **
>>
>> *From:* linux-audit-bounces@redhat.com [mailto:
>> linux-audit-bounces@redhat.com] *On Behalf Of *zhu xiuming
>> *Sent:* Wednesday, October 09, 2013 3:11 PM
>> *To:* Steve Grubb
>> *Cc:* Richard Guy Briggs; Linux-audit@redhat.com
>> *Subject:* Re: how to use auditd to record all user command history****
>>
>> ** **
>>
>> Thanks. ****
>>
>> I know the kernel do the most work. So, I can't use pam_tty_audit for our
>> hosts. ****
>>
>> However, I still hope to record user command history. I just wonder what
>> is the best way to do it.
>>
>> ****
>>
>> ** **
>>
>> On Wed, Oct 9, 2013 at 2:57 PM, Steve Grubb <sgrubb@redhat.com> wrote:****
>>
>> On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote:
>> > So, if I can't update all kernels (the cost will be very high), is there
>> > any other way to resolve this issue?****
>>
>> The kernel is what does all the heavy work in the audit system. Auditd only
>> records to disk, pam_tty_audit and auditctl tell the kernel what they are
>> interested in. But all the action is in the kernel, not user space.
>>
>> -Steve****
>>
>>
>> > On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <rgb@redhat.com>
>> wrote:
>> > > On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
>> > > > Thanks for your reply.
>> > > > Currently, our Linux kernel versions are mostly Redhat
>> 2.6.18-xxx.el5. I
>> > > > wonder whether it supports this feature.
>> > >
>> > > The log_passwd feature has not been backported to RHEL5 because the
>> > > pam_tty_audit feature wasn't backported to RHEL5, so I would have to
>> say
>> > > it is not supported in your system.
>> > >
>> > > An upgrade is necessary.
>> > >
>> > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb@redhat.com>
>> > >
>> > > wrote:
>> > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
>> > > > > > This is correct. The problem is, this records every keystrokes
>> and
>> > >
>> > > even
>> > >
>> > > > > > the password of the users. While I only care about the user
>> command
>> > > > > > history, I surely do not want to know their passwords.
>> > > > >
>> > > > > There is now support in the upstream kernel (3.10-rc1) and in pam
>> > > > > (1.1.8+) to not record passwords by default. If you want the old
>> > > > > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
>> > > > >
>> > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
>> > >
>> > > tvaughan@onyxpoint.com
>> > >
>> > > > > >wrote:
>> > > > > > > Does pam_tty_audit with enable=* not do what you want?
>> > > > > > >
>> > > > > > > Trevor
>> > > > > > >
>> > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <
>> xiumingzhu@gmail.com>
>> > > > >
>> > > > > wrote:
>> > > > > > >> HI
>> > > > > > >> I know this seems an old topic. But unfortunately, I can't
>> find a
>> > > > > > >> solution for this. I have googled long time. I tried following
>> > > > >
>> > > > > options:
>> > > > > > >> 1. audit execv syscall,
>> > > > > > >>
>> > > > > > >> this does record every command typed any tty. However, it
>> > > > >
>> > > > > generates
>> > > > >
>> > > > > > >> lots of noise. Sometimes, the execv syscall is so frequently
>> > >
>> > > called
>> > >
>> > > > > that
>> > > > >
>> > > > > > >> the system can't afford to log every call of it and it crashes
>> > > > > > >> !!!
>> > > > > > >>
>> > > > > > >> 2. use *pam_tty_audit.so
>> > > > > > >> *
>> > > > > > >> this makes it possible to record one or two users, not all
>> users.
>> > >
>> > > *
>> > >
>> > > > > > >> *
>> > > > > > >> So, may I ask, is this problem solvable by auditd or do I need
>> > >
>> > > other
>> > >
>> > > > > > >> tools ?*
>> > > > > > >>
>> > > > > > >> *
>> > > > > > >> *Thanks a lot
>> > > > > > >
>> > > > > > > Trevor Vaughan
>> > > > >
>> > > > > - RGB
>> > >
>> > > - RGB
>> > >
>> > > --
>> > > Richard Guy Briggs <rbriggs@redhat.com>
>> > > Senior Software Engineer
>> > > Kernel Security
>> > > AMER ENG Base Operating Systems
>> > > Remote, Ottawa, Canada
>> > > Voice: +1.647.777.2635
>> > > Internal: (81) 32635
>> > > Alt: +1.613.693.0684x3545****
>>
>> ** **
>>
>
>--
>Linux-audit mailing list
>Linux-audit@redhat.com
>https://www.redhat.com/mailman/listinfo/linux-audit
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 16+ messages in thread* RE: how to use auditd to record all user command history
2013-10-20 1:03 how to use auditd to record all user command history Aschu
@ 2013-10-29 8:33 ` Shinoj Gangadharan
2013-10-29 12:54 ` Steve Grubb
2013-10-29 13:05 ` Richard Guy Briggs
0 siblings, 2 replies; 16+ messages in thread
From: Shinoj Gangadharan @ 2013-10-29 8:33 UTC (permalink / raw)
To: Aschu, zhu xiuming, Smith, Gary R; +Cc: Linux-audit@redhat.com
Hi,
Has the log_passwd feature been backported to RHEL6.4 ?
Regards,
Shinoj.
>> > >
>> > > The log_passwd feature has not been backported to RHEL5 because
>> > > the pam_tty_audit feature wasn't backported to RHEL5, so I would
>> > > have to
>> say
>> > > it is not supported in your system.
>> > >
>> > > An upgrade is necessary.
>> > >
>> > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs
>> > > > <rgb@redhat.com>
>> > >
>> > > wrote:
>> > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
>> > > > > > This is correct. The problem is, this records every
>> > > > > > keystrokes
>> and
>> > >
>> > > even
>> > >
>> > > > > > the password of the users. While I only care about the user
>> command
>> > > > > > history, I surely do not want to know their passwords.
>> > > > >
>> > > > > There is now support in the upstream kernel (3.10-rc1) and in
>> > > > > pam
>> > > > > (1.1.8+) to not record passwords by default. If you want the
>> > > > > old behaviour, add the optional argument to pam_tty_audit:
>> > > > > "log_passwd"
>> > > > >
>> > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
>> > >
>> > > tvaughan@onyxpoint.com
>> > >
>> > > > > >wrote:
>> > > > > > > Does pam_tty_audit with enable=* not do what you want?
>> > > > > > >
>> > > > > > > Trevor
>> > > > > > >
>> > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <
>> xiumingzhu@gmail.com>
>> > > > >
>> > > > > wrote:
>> > > > > > >> HI
>> > > > > > >> I know this seems an old topic. But unfortunately, I
>> > > > > > >> can't
>> find a
>> > > > > > >> solution for this. I have googled long time. I tried
>> > > > > > >> following
>> > > > >
>> > > > > options:
>> > > > > > >> 1. audit execv syscall,
>> > > > > > >>
>> > > > > > >> this does record every command typed any tty.
>> > > > > > >> However, it
>> > > > >
>> > > > > generates
>> > > > >
>> > > > > > >> lots of noise. Sometimes, the execv syscall is so
>> > > > > > >> frequently
>> > >
>> > > called
>> > >
>> > > > > that
>> > > > >
>> > > > > > >> the system can't afford to log every call of it and it
>> > > > > > >> crashes !!!
>> > > > > > >>
>> > > > > > >> 2. use *pam_tty_audit.so
>> > > > > > >> *
>> > > > > > >> this makes it possible to record one or two users, not
>> > > > > > >> all
>> users.
>> > >
>> > > *
>> > >
>> > > > > > >> *
>> > > > > > >> So, may I ask, is this problem solvable by auditd or do
>> > > > > > >> I need
>> > >
>> > > other
>> > >
>> > > > > > >> tools ?*
>> > > > > > >>
>> > > > > > >> *
>> > > > > > >> *Thanks a lot
>> > > > > > >
>> > > > > > > Trevor Vaughan
>> > > > >
>> > > > > - RGB
>> > >
>> > > - RGB
>> > >
>> > > --
>> > > Richard Guy Briggs <rbriggs@redhat.com> Senior Software Engineer
>> > > Kernel Security AMER ENG Base Operating Systems Remote, Ottawa,
>> > > Canada
>> > > Voice: +1.647.777.2635
>> > > Internal: (81) 32635
>> > > Alt: +1.613.693.0684x3545****
>>
>> ** **
>>
>
>--
>Linux-audit mailing list
>Linux-audit@redhat.com
>https://www.redhat.com/mailman/listinfo/linux-audit
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: how to use auditd to record all user command history
2013-10-29 8:33 ` Shinoj Gangadharan
@ 2013-10-29 12:54 ` Steve Grubb
2013-10-29 13:05 ` Richard Guy Briggs
1 sibling, 0 replies; 16+ messages in thread
From: Steve Grubb @ 2013-10-29 12:54 UTC (permalink / raw)
To: linux-audit; +Cc: Aschu
On Tuesday, October 29, 2013 02:03:48 PM Shinoj Gangadharan wrote:
> Has the log_passwd feature been backported to RHEL6.4
We cannot backport to already released versions. it would have to be a future
release. The best way to get this in RHEL6 is to contact your support
representative and ask for this feature.
-Steve
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: how to use auditd to record all user command history
2013-10-29 8:33 ` Shinoj Gangadharan
2013-10-29 12:54 ` Steve Grubb
@ 2013-10-29 13:05 ` Richard Guy Briggs
1 sibling, 0 replies; 16+ messages in thread
From: Richard Guy Briggs @ 2013-10-29 13:05 UTC (permalink / raw)
To: Shinoj Gangadharan; +Cc: Linux-audit@redhat.com, Aschu
On Tue, Oct 29, 2013 at 02:03:48PM +0530, Shinoj Gangadharan wrote:
> Hi,
>
> Has the log_passwd feature been backported to RHEL6.4 ?
No. It is part of RHEL6.5. My understanding is the kernel part should
work with RHEL6.4, but it will break the RHEL6.4 pam_tty_audit module of
pam (which needs to be updated anyways to get the new feature to work).
I can't speak to the ease of upgrading pam to the RHEL6.5 version while
still running essentially a RHEL6.4 system.
> Regards,
> Shinoj.
>
> >> > >
> >> > > The log_passwd feature has not been backported to RHEL5 because
> >> > > the pam_tty_audit feature wasn't backported to RHEL5, so I would
> >> > > have to say it is not supported in your system.
> >> > >
> >> > > An upgrade is necessary.
> >> > >
> >> > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs
> >> > > > <rgb@redhat.com>
> >> > >
> >> > > wrote:
> >> > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> >> > > > > > This is correct. The problem is, this records every
> >> > > > > > keystrokes and even the password of the users. While I
> >> > > > > > only care about the user command history, I surely do not
> >> > > > > > want to know their passwords.
> >> > > > >
> >> > > > > There is now support in the upstream kernel (3.10-rc1) and
> >> > > > > in pam (1.1.8+) to not record passwords by default. If you
> >> > > > > want the old behaviour, add the optional argument to
> >> > > > > pam_tty_audit: "log_passwd"
> >> > > > >
> >> > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
> >> > >
> >> > > tvaughan@onyxpoint.com
> >> > >
> >> > > > > >wrote:
> >> > > > > > > Does pam_tty_audit with enable=* not do what you want?
> >> > > > > > >
> >> > > > > > > Trevor
> >> > > > > > >
> >> > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <
> >> xiumingzhu@gmail.com>
> >> > > > >
> >> > > > > wrote:
> >> > > > > > >> HI
> >> > > > > > >> I know this seems an old topic. But unfortunately, I
> >> > > > > > >> can't find a solution for this. I have googled long
> >> > > > > > >> time. I tried following options:
> >> > > > > > >> 1. audit execv syscall,
> >> > > > > > >>
> >> > > > > > >> this does record every command typed any tty.
> >> > > > > > >> However, it generates lots of noise. Sometimes, the
> >> > > > > > >> execv syscall is so frequently called that the system
> >> > > > > > >> can't afford to log every call of it and it crashes
> >> > > > > > >> !!!
> >> > > > > > >>
> >> > > > > > >> 2. use *pam_tty_audit.so
> >> > > > > > >> *
> >> > > > > > >> this makes it possible to record one or two users, not
> >> > > > > > >> all users.
> >> > > > > > >> So, may I ask, is this problem solvable by auditd or
> >> > > > > > >> do I need other tools ?*
> >> > > > > > >
> >> > > > > > > Trevor Vaughan
> >> > > > >
> >> > > > > - RGB
> >> > >
> >> > > - RGB
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545
^ permalink raw reply [flat|nested] 16+ messages in thread
* how to use auditd to record all user command history
@ 2013-10-06 21:26 zhu xiuming
2013-10-06 21:40 ` Trevor Vaughan
0 siblings, 1 reply; 16+ messages in thread
From: zhu xiuming @ 2013-10-06 21:26 UTC (permalink / raw)
To: Linux-audit@redhat.com
[-- Attachment #1.1: Type: text/plain, Size: 579 bytes --]
HI
I know this seems an old topic. But unfortunately, I can't find a solution
for this. I have googled long time. I tried following options:
1. audit execv syscall,
this does record every command typed any tty. However, it generates
lots of noise. Sometimes, the execv syscall is so frequently called that
the system can't afford to log every call of it and it crashes !!!
2. use *pam_tty_audit.so
*
this makes it possible to record one or two users, not all users. *
*
So, may I ask, is this problem solvable by auditd or do I need other tools ?
*
*
*Thanks a lot
*
*
*
[-- Attachment #1.2: Type: text/html, Size: 786 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: how to use auditd to record all user command history
2013-10-06 21:26 zhu xiuming
@ 2013-10-06 21:40 ` Trevor Vaughan
2013-10-07 17:30 ` zhu xiuming
0 siblings, 1 reply; 16+ messages in thread
From: Trevor Vaughan @ 2013-10-06 21:40 UTC (permalink / raw)
To: zhu xiuming; +Cc: Linux-audit@redhat.com
[-- Attachment #1.1: Type: text/plain, Size: 1037 bytes --]
Does pam_tty_audit with enable=* not do what you want?
Trevor
On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com> wrote:
> HI
> I know this seems an old topic. But unfortunately, I can't find a solution
> for this. I have googled long time. I tried following options:
>
> 1. audit execv syscall,
> this does record every command typed any tty. However, it generates
> lots of noise. Sometimes, the execv syscall is so frequently called that
> the system can't afford to log every call of it and it crashes !!!
>
> 2. use *pam_tty_audit.so
> *
> this makes it possible to record one or two users, not all users. *
> *
> So, may I ask, is this problem solvable by auditd or do I need other tools
> ?*
>
> *
> *Thanks a lot
> *
> *
> *
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan@onyxpoint.com
-- This account not approved for unencrypted proprietary information --
[-- Attachment #1.2: Type: text/html, Size: 1765 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: how to use auditd to record all user command history
2013-10-06 21:40 ` Trevor Vaughan
@ 2013-10-07 17:30 ` zhu xiuming
2013-10-08 3:13 ` Richard Guy Briggs
2013-10-29 14:56 ` shawn wilson
0 siblings, 2 replies; 16+ messages in thread
From: zhu xiuming @ 2013-10-07 17:30 UTC (permalink / raw)
To: Trevor Vaughan; +Cc: Linux-audit@redhat.com
[-- Attachment #1.1: Type: text/plain, Size: 1370 bytes --]
This is correct. The problem is, this records every keystrokes and even
the password of the users. While I only care about the user command
history, I surely do not want to know their passwords.
On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <tvaughan@onyxpoint.com>wrote:
> Does pam_tty_audit with enable=* not do what you want?
>
> Trevor
>
>
> On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com> wrote:
>
>> HI
>> I know this seems an old topic. But unfortunately, I can't find a
>> solution for this. I have googled long time. I tried following options:
>>
>> 1. audit execv syscall,
>> this does record every command typed any tty. However, it generates
>> lots of noise. Sometimes, the execv syscall is so frequently called that
>> the system can't afford to log every call of it and it crashes !!!
>>
>> 2. use *pam_tty_audit.so
>> *
>> this makes it possible to record one or two users, not all users. *
>> *
>> So, may I ask, is this problem solvable by auditd or do I need other
>> tools ?*
>>
>> *
>> *Thanks a lot
>> *
>> *
>> *
>>
>> --
>> Linux-audit mailing list
>> Linux-audit@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
>>
>
>
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
> tvaughan@onyxpoint.com
>
> -- This account not approved for unencrypted proprietary information --
>
[-- Attachment #1.2: Type: text/html, Size: 2659 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: how to use auditd to record all user command history
2013-10-07 17:30 ` zhu xiuming
@ 2013-10-08 3:13 ` Richard Guy Briggs
2013-10-08 21:05 ` zhu xiuming
2013-10-29 14:56 ` shawn wilson
1 sibling, 1 reply; 16+ messages in thread
From: Richard Guy Briggs @ 2013-10-08 3:13 UTC (permalink / raw)
To: zhu xiuming; +Cc: Linux-audit@redhat.com
On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> This is correct. The problem is, this records every keystrokes and even
> the password of the users. While I only care about the user command
> history, I surely do not want to know their passwords.
There is now support in the upstream kernel (3.10-rc1) and in pam
(1.1.8+) to not record passwords by default. If you want the old
behaviour, add the optional argument to pam_tty_audit: "log_passwd"
> On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <tvaughan@onyxpoint.com>wrote:
> > Does pam_tty_audit with enable=* not do what you want?
> >
> > Trevor
> >
> > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com> wrote:
> >
> >> HI
> >> I know this seems an old topic. But unfortunately, I can't find a
> >> solution for this. I have googled long time. I tried following options:
> >>
> >> 1. audit execv syscall,
> >> this does record every command typed any tty. However, it generates
> >> lots of noise. Sometimes, the execv syscall is so frequently called that
> >> the system can't afford to log every call of it and it crashes !!!
> >>
> >> 2. use *pam_tty_audit.so
> >> *
> >> this makes it possible to record one or two users, not all users. *
> >> *
> >> So, may I ask, is this problem solvable by auditd or do I need other
> >> tools ?*
> >>
> >> *
> >> *Thanks a lot
> >
> > Trevor Vaughan
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: how to use auditd to record all user command history
2013-10-08 3:13 ` Richard Guy Briggs
@ 2013-10-08 21:05 ` zhu xiuming
2013-10-08 21:33 ` Richard Guy Briggs
0 siblings, 1 reply; 16+ messages in thread
From: zhu xiuming @ 2013-10-08 21:05 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: Linux-audit@redhat.com
[-- Attachment #1.1: Type: text/plain, Size: 1924 bytes --]
Thanks for your reply.
Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I
wonder whether it supports this feature.
On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > This is correct. The problem is, this records every keystrokes and even
> > the password of the users. While I only care about the user command
> > history, I surely do not want to know their passwords.
>
> There is now support in the upstream kernel (3.10-rc1) and in pam
> (1.1.8+) to not record passwords by default. If you want the old
> behaviour, add the optional argument to pam_tty_audit: "log_passwd"
>
> > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <tvaughan@onyxpoint.com
> >wrote:
> > > Does pam_tty_audit with enable=* not do what you want?
> > >
> > > Trevor
> > >
> > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com>
> wrote:
> > >
> > >> HI
> > >> I know this seems an old topic. But unfortunately, I can't find a
> > >> solution for this. I have googled long time. I tried following
> options:
> > >>
> > >> 1. audit execv syscall,
> > >> this does record every command typed any tty. However, it
> generates
> > >> lots of noise. Sometimes, the execv syscall is so frequently called
> that
> > >> the system can't afford to log every call of it and it crashes !!!
> > >>
> > >> 2. use *pam_tty_audit.so
> > >> *
> > >> this makes it possible to record one or two users, not all users. *
> > >> *
> > >> So, may I ask, is this problem solvable by auditd or do I need other
> > >> tools ?*
> > >>
> > >> *
> > >> *Thanks a lot
> > >
> > > Trevor Vaughan
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs@redhat.com>
> Senior Software Engineer
> Kernel Security
> AMER ENG Base Operating Systems
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635
> Internal: (81) 32635
> Alt: +1.613.693.0684x3545
>
[-- Attachment #1.2: Type: text/html, Size: 2943 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: how to use auditd to record all user command history
2013-10-08 21:05 ` zhu xiuming
@ 2013-10-08 21:33 ` Richard Guy Briggs
2013-10-09 21:51 ` zhu xiuming
0 siblings, 1 reply; 16+ messages in thread
From: Richard Guy Briggs @ 2013-10-08 21:33 UTC (permalink / raw)
To: zhu xiuming; +Cc: Linux-audit@redhat.com
On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
> Thanks for your reply.
> Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I
> wonder whether it supports this feature.
The log_passwd feature has not been backported to RHEL5 because the
pam_tty_audit feature wasn't backported to RHEL5, so I would have to say
it is not supported in your system.
An upgrade is necessary.
> On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > > This is correct. The problem is, this records every keystrokes and even
> > > the password of the users. While I only care about the user command
> > > history, I surely do not want to know their passwords.
> >
> > There is now support in the upstream kernel (3.10-rc1) and in pam
> > (1.1.8+) to not record passwords by default. If you want the old
> > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
> >
> > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <tvaughan@onyxpoint.com
> > >wrote:
> > > > Does pam_tty_audit with enable=* not do what you want?
> > > >
> > > > Trevor
> > > >
> > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com>
> > wrote:
> > > >
> > > >> HI
> > > >> I know this seems an old topic. But unfortunately, I can't find a
> > > >> solution for this. I have googled long time. I tried following
> > options:
> > > >>
> > > >> 1. audit execv syscall,
> > > >> this does record every command typed any tty. However, it
> > generates
> > > >> lots of noise. Sometimes, the execv syscall is so frequently called
> > that
> > > >> the system can't afford to log every call of it and it crashes !!!
> > > >>
> > > >> 2. use *pam_tty_audit.so
> > > >> *
> > > >> this makes it possible to record one or two users, not all users. *
> > > >> *
> > > >> So, may I ask, is this problem solvable by auditd or do I need other
> > > >> tools ?*
> > > >>
> > > >> *
> > > >> *Thanks a lot
> > > >
> > > > Trevor Vaughan
> >
> > - RGB
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: how to use auditd to record all user command history
2013-10-08 21:33 ` Richard Guy Briggs
@ 2013-10-09 21:51 ` zhu xiuming
2013-10-09 21:57 ` Steve Grubb
0 siblings, 1 reply; 16+ messages in thread
From: zhu xiuming @ 2013-10-09 21:51 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: Linux-audit@redhat.com
[-- Attachment #1.1: Type: text/plain, Size: 2613 bytes --]
So, if I can't update all kernels (the cost will be very high), is there
any other way to resolve this issue?
thanks a lot
On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
> > Thanks for your reply.
> > Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I
> > wonder whether it supports this feature.
>
> The log_passwd feature has not been backported to RHEL5 because the
> pam_tty_audit feature wasn't backported to RHEL5, so I would have to say
> it is not supported in your system.
>
> An upgrade is necessary.
>
> > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb@redhat.com>
> wrote:
> > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > > > This is correct. The problem is, this records every keystrokes and
> even
> > > > the password of the users. While I only care about the user command
> > > > history, I surely do not want to know their passwords.
> > >
> > > There is now support in the upstream kernel (3.10-rc1) and in pam
> > > (1.1.8+) to not record passwords by default. If you want the old
> > > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
> > >
> > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
> tvaughan@onyxpoint.com
> > > >wrote:
> > > > > Does pam_tty_audit with enable=* not do what you want?
> > > > >
> > > > > Trevor
> > > > >
> > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com>
> > > wrote:
> > > > >
> > > > >> HI
> > > > >> I know this seems an old topic. But unfortunately, I can't find a
> > > > >> solution for this. I have googled long time. I tried following
> > > options:
> > > > >>
> > > > >> 1. audit execv syscall,
> > > > >> this does record every command typed any tty. However, it
> > > generates
> > > > >> lots of noise. Sometimes, the execv syscall is so frequently
> called
> > > that
> > > > >> the system can't afford to log every call of it and it crashes !!!
> > > > >>
> > > > >> 2. use *pam_tty_audit.so
> > > > >> *
> > > > >> this makes it possible to record one or two users, not all users.
> *
> > > > >> *
> > > > >> So, may I ask, is this problem solvable by auditd or do I need
> other
> > > > >> tools ?*
> > > > >>
> > > > >> *
> > > > >> *Thanks a lot
> > > > >
> > > > > Trevor Vaughan
> > >
> > > - RGB
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs@redhat.com>
> Senior Software Engineer
> Kernel Security
> AMER ENG Base Operating Systems
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635
> Internal: (81) 32635
> Alt: +1.613.693.0684x3545
>
[-- Attachment #1.2: Type: text/html, Size: 4001 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: how to use auditd to record all user command history
2013-10-09 21:51 ` zhu xiuming
@ 2013-10-09 21:57 ` Steve Grubb
2013-10-09 22:11 ` zhu xiuming
0 siblings, 1 reply; 16+ messages in thread
From: Steve Grubb @ 2013-10-09 21:57 UTC (permalink / raw)
To: linux-audit; +Cc: Richard Guy Briggs
On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote:
> So, if I can't update all kernels (the cost will be very high), is there
> any other way to resolve this issue?
The kernel is what does all the heavy work in the audit system. Auditd only
records to disk, pam_tty_audit and auditctl tell the kernel what they are
interested in. But all the action is in the kernel, not user space.
-Steve
> On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
> > > Thanks for your reply.
> > > Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I
> > > wonder whether it supports this feature.
> >
> > The log_passwd feature has not been backported to RHEL5 because the
> > pam_tty_audit feature wasn't backported to RHEL5, so I would have to say
> > it is not supported in your system.
> >
> > An upgrade is necessary.
> >
> > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb@redhat.com>
> >
> > wrote:
> > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > > > > This is correct. The problem is, this records every keystrokes and
> >
> > even
> >
> > > > > the password of the users. While I only care about the user command
> > > > > history, I surely do not want to know their passwords.
> > > >
> > > > There is now support in the upstream kernel (3.10-rc1) and in pam
> > > > (1.1.8+) to not record passwords by default. If you want the old
> > > > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
> > > >
> > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
> >
> > tvaughan@onyxpoint.com
> >
> > > > >wrote:
> > > > > > Does pam_tty_audit with enable=* not do what you want?
> > > > > >
> > > > > > Trevor
> > > > > >
> > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com>
> > > >
> > > > wrote:
> > > > > >> HI
> > > > > >> I know this seems an old topic. But unfortunately, I can't find a
> > > > > >> solution for this. I have googled long time. I tried following
> > > >
> > > > options:
> > > > > >> 1. audit execv syscall,
> > > > > >>
> > > > > >> this does record every command typed any tty. However, it
> > > >
> > > > generates
> > > >
> > > > > >> lots of noise. Sometimes, the execv syscall is so frequently
> >
> > called
> >
> > > > that
> > > >
> > > > > >> the system can't afford to log every call of it and it crashes
> > > > > >> !!!
> > > > > >>
> > > > > >> 2. use *pam_tty_audit.so
> > > > > >> *
> > > > > >> this makes it possible to record one or two users, not all users.
> >
> > *
> >
> > > > > >> *
> > > > > >> So, may I ask, is this problem solvable by auditd or do I need
> >
> > other
> >
> > > > > >> tools ?*
> > > > > >>
> > > > > >> *
> > > > > >> *Thanks a lot
> > > > > >
> > > > > > Trevor Vaughan
> > > >
> > > > - RGB
> >
> > - RGB
> >
> > --
> > Richard Guy Briggs <rbriggs@redhat.com>
> > Senior Software Engineer
> > Kernel Security
> > AMER ENG Base Operating Systems
> > Remote, Ottawa, Canada
> > Voice: +1.647.777.2635
> > Internal: (81) 32635
> > Alt: +1.613.693.0684x3545
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: how to use auditd to record all user command history
2013-10-09 21:57 ` Steve Grubb
@ 2013-10-09 22:11 ` zhu xiuming
2013-10-09 23:23 ` Smith, Gary R
0 siblings, 1 reply; 16+ messages in thread
From: zhu xiuming @ 2013-10-09 22:11 UTC (permalink / raw)
To: Steve Grubb; +Cc: Richard Guy Briggs, Linux-audit@redhat.com
[-- Attachment #1.1: Type: text/plain, Size: 3604 bytes --]
Thanks.
I know the kernel do the most work. So, I can't use pam_tty_audit for our
hosts.
However, I still hope to record user command history. I just wonder what is
the best way to do it.
On Wed, Oct 9, 2013 at 2:57 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote:
> > So, if I can't update all kernels (the cost will be very high), is there
> > any other way to resolve this issue?
>
> The kernel is what does all the heavy work in the audit system. Auditd only
> records to disk, pam_tty_audit and auditctl tell the kernel what they are
> interested in. But all the action is in the kernel, not user space.
>
> -Steve
>
> > On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <rgb@redhat.com>
> wrote:
> > > On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
> > > > Thanks for your reply.
> > > > Currently, our Linux kernel versions are mostly Redhat
> 2.6.18-xxx.el5. I
> > > > wonder whether it supports this feature.
> > >
> > > The log_passwd feature has not been backported to RHEL5 because the
> > > pam_tty_audit feature wasn't backported to RHEL5, so I would have to
> say
> > > it is not supported in your system.
> > >
> > > An upgrade is necessary.
> > >
> > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb@redhat.com>
> > >
> > > wrote:
> > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > > > > > This is correct. The problem is, this records every keystrokes
> and
> > >
> > > even
> > >
> > > > > > the password of the users. While I only care about the user
> command
> > > > > > history, I surely do not want to know their passwords.
> > > > >
> > > > > There is now support in the upstream kernel (3.10-rc1) and in pam
> > > > > (1.1.8+) to not record passwords by default. If you want the old
> > > > > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
> > > > >
> > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
> > >
> > > tvaughan@onyxpoint.com
> > >
> > > > > >wrote:
> > > > > > > Does pam_tty_audit with enable=* not do what you want?
> > > > > > >
> > > > > > > Trevor
> > > > > > >
> > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <
> xiumingzhu@gmail.com>
> > > > >
> > > > > wrote:
> > > > > > >> HI
> > > > > > >> I know this seems an old topic. But unfortunately, I can't
> find a
> > > > > > >> solution for this. I have googled long time. I tried following
> > > > >
> > > > > options:
> > > > > > >> 1. audit execv syscall,
> > > > > > >>
> > > > > > >> this does record every command typed any tty. However, it
> > > > >
> > > > > generates
> > > > >
> > > > > > >> lots of noise. Sometimes, the execv syscall is so frequently
> > >
> > > called
> > >
> > > > > that
> > > > >
> > > > > > >> the system can't afford to log every call of it and it crashes
> > > > > > >> !!!
> > > > > > >>
> > > > > > >> 2. use *pam_tty_audit.so
> > > > > > >> *
> > > > > > >> this makes it possible to record one or two users, not all
> users.
> > >
> > > *
> > >
> > > > > > >> *
> > > > > > >> So, may I ask, is this problem solvable by auditd or do I need
> > >
> > > other
> > >
> > > > > > >> tools ?*
> > > > > > >>
> > > > > > >> *
> > > > > > >> *Thanks a lot
> > > > > > >
> > > > > > > Trevor Vaughan
> > > > >
> > > > > - RGB
> > >
> > > - RGB
> > >
> > > --
> > > Richard Guy Briggs <rbriggs@redhat.com>
> > > Senior Software Engineer
> > > Kernel Security
> > > AMER ENG Base Operating Systems
> > > Remote, Ottawa, Canada
> > > Voice: +1.647.777.2635
> > > Internal: (81) 32635
> > > Alt: +1.613.693.0684x3545
>
>
[-- Attachment #1.2: Type: text/html, Size: 5830 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: how to use auditd to record all user command history
2013-10-09 22:11 ` zhu xiuming
@ 2013-10-09 23:23 ` Smith, Gary R
2013-10-09 23:56 ` zhu xiuming
0 siblings, 1 reply; 16+ messages in thread
From: Smith, Gary R @ 2013-10-09 23:23 UTC (permalink / raw)
To: zhu xiuming; +Cc: Linux-audit@redhat.com
[-- Attachment #1.1: Type: text/plain, Size: 5974 bytes --]
Hi,
What's the "best way to do it" is dependent on your system.
That said, I can offer two non-audit suggestions.
One I call the "Old Shell Game". Stick this bash code in in the appropriate system wide bash file:
function log
{
typeset x
x=$(history 1 | cut -f 5-)
logger -p daemon.notice -t "$LOGNAME" $PWD "${x# }"
}
trap log DEBUG
And you get things like this in your syslog:
Apr 8 13:50:51 dr-who root: /root 18 ls -ls /etc/pam.d/*su*
Apr 8 13:51:17 dr-who root: /root 19 ps -ef | grep audit | grep -v grep
Apr 8 13:51:53 dr-who root: /root 20 ps -ef | grep -v root | wc -l
Apr 8 13:52:31 dr-who root: /root 21 ps -ef | grep -v root | sort | more
Is this easy to defeat? Yup. But it will let you get experiment with command logging and see if it's really of any benefit to you.
Another is use the program called "snoopy" available at http://sourceforge.net/projects/snoopylogger/
It uses a little known feature of the Linux loader, namely, LD_PRELOAD.
Once you've got it in place you get output like this:
Apr 13 16:55:19 dr-who snoopy[2029]: [uid:0 sid:1890 tty:/dev/pts/1 cwd:/root filename:/bin/uname]: uname -a
Apr 13 16:56:18 dr-who snoopy[2031]: [uid:0 sid:1890 tty:/dev/pts/1 cwd:/root filename:/bin/ps]: ps -ef
Apr 13 16:57:50 dr-who snoopy[2035]: [uid:0 sid:1890 tty:/dev/pts/1 cwd:/root filename:/bin/ps]: ps -ef
Apr 13 16:57:50 dr-who snoopy[2036]: [uid:0 sid:1890 tty: cwd:/root filename:/bin/grep]: grep audit
Apr 13 16:57:50 dr-who snoopy[2037]: [uid:0 sid:1890 tty: cwd:/root filename:/bin/grep]: grep -v grep
It's not as easy to circumvent as the above bash code. As a suggestion based on experience, don't put snoopy into affect until after the system is up. You really don't want to log all the commands root does in the process of starting up a system.
I hope this helps.
Best regards,
Gary Smith
Information System Security Officer
Pacific Northwest National Laboratory
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of zhu xiuming
Sent: Wednesday, October 09, 2013 3:11 PM
To: Steve Grubb
Cc: Richard Guy Briggs; Linux-audit@redhat.com
Subject: Re: how to use auditd to record all user command history
Thanks.
I know the kernel do the most work. So, I can't use pam_tty_audit for our hosts.
However, I still hope to record user command history. I just wonder what is the best way to do it.
On Wed, Oct 9, 2013 at 2:57 PM, Steve Grubb <sgrubb@redhat.com<mailto:sgrubb@redhat.com>> wrote:
On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote:
> So, if I can't update all kernels (the cost will be very high), is there
> any other way to resolve this issue?
The kernel is what does all the heavy work in the audit system. Auditd only
records to disk, pam_tty_audit and auditctl tell the kernel what they are
interested in. But all the action is in the kernel, not user space.
-Steve
> On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <rgb@redhat.com<mailto:rgb@redhat.com>> wrote:
> > On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
> > > Thanks for your reply.
> > > Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I
> > > wonder whether it supports this feature.
> >
> > The log_passwd feature has not been backported to RHEL5 because the
> > pam_tty_audit feature wasn't backported to RHEL5, so I would have to say
> > it is not supported in your system.
> >
> > An upgrade is necessary.
> >
> > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb@redhat.com<mailto:rgb@redhat.com>>
> >
> > wrote:
> > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > > > > This is correct. The problem is, this records every keystrokes and
> >
> > even
> >
> > > > > the password of the users. While I only care about the user command
> > > > > history, I surely do not want to know their passwords.
> > > >
> > > > There is now support in the upstream kernel (3.10-rc1) and in pam
> > > > (1.1.8+) to not record passwords by default. If you want the old
> > > > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
> > > >
> > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
> >
> > tvaughan@onyxpoint.com<mailto:tvaughan@onyxpoint.com>
> >
> > > > >wrote:
> > > > > > Does pam_tty_audit with enable=* not do what you want?
> > > > > >
> > > > > > Trevor
> > > > > >
> > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com<mailto:xiumingzhu@gmail.com>>
> > > >
> > > > wrote:
> > > > > >> HI
> > > > > >> I know this seems an old topic. But unfortunately, I can't find a
> > > > > >> solution for this. I have googled long time. I tried following
> > > >
> > > > options:
> > > > > >> 1. audit execv syscall,
> > > > > >>
> > > > > >> this does record every command typed any tty. However, it
> > > >
> > > > generates
> > > >
> > > > > >> lots of noise. Sometimes, the execv syscall is so frequently
> >
> > called
> >
> > > > that
> > > >
> > > > > >> the system can't afford to log every call of it and it crashes
> > > > > >> !!!
> > > > > >>
> > > > > >> 2. use *pam_tty_audit.so
> > > > > >> *
> > > > > >> this makes it possible to record one or two users, not all users.
> >
> > *
> >
> > > > > >> *
> > > > > >> So, may I ask, is this problem solvable by auditd or do I need
> >
> > other
> >
> > > > > >> tools ?*
> > > > > >>
> > > > > >> *
> > > > > >> *Thanks a lot
> > > > > >
> > > > > > Trevor Vaughan
> > > >
> > > > - RGB
> >
> > - RGB
> >
> > --
> > Richard Guy Briggs <rbriggs@redhat.com<mailto:rbriggs@redhat.com>>
> > Senior Software Engineer
> > Kernel Security
> > AMER ENG Base Operating Systems
> > Remote, Ottawa, Canada
> > Voice: +1.647.777.2635<tel:%2B1.647.777.2635>
> > Internal: (81) 32635
> > Alt: +1.613.693.0684x3545<tel:%2B1.613.693.0684x3545>
[-- Attachment #1.2: Type: text/html, Size: 17189 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: how to use auditd to record all user command history
2013-10-09 23:23 ` Smith, Gary R
@ 2013-10-09 23:56 ` zhu xiuming
0 siblings, 0 replies; 16+ messages in thread
From: zhu xiuming @ 2013-10-09 23:56 UTC (permalink / raw)
To: Smith, Gary R; +Cc: Linux-audit@redhat.com
[-- Attachment #1.1: Type: text/plain, Size: 6993 bytes --]
Thanks a lot.
I think it is better to use audit for me because it is also not so easy to
get a third-party software installed on our hosts.
Maybe I am considering how to scrutinize good audit rules of watching
"execv".
Thanks a lot
On Wed, Oct 9, 2013 at 4:23 PM, Smith, Gary R <gary.smith@pnnl.gov> wrote:
> Hi,****
>
> ** **
>
> What’s the “best way to do it” is dependent on your system.****
>
> ** **
>
> That said, I can offer two non-audit suggestions.****
>
> ** **
>
> One I call the “Old Shell Game”. Stick this bash code in in the
> appropriate system wide bash file:****
>
> ** **
>
> function log****
>
> ** **
>
> {****
>
> ** **
>
> typeset x****
>
> ** **
>
> x=$(history 1 | cut -f 5-)****
>
> ** **
>
> logger -p daemon.notice -t "$LOGNAME" $PWD "${x# }"****
>
> ** **
>
> }****
>
> ** **
>
> trap log DEBUG****
>
> ** **
>
> And you get things like this in your syslog:****
>
> ** **
>
> Apr 8 13:50:51 dr-who root: /root 18 ls -ls /etc/pam.d/*su*****
>
> Apr 8 13:51:17 dr-who root: /root 19 ps -ef | grep audit | grep -v
> grep****
>
> Apr 8 13:51:53 dr-who root: /root 20 ps -ef | grep -v root | wc –l **
> **
>
> Apr 8 13:52:31 dr-who root: /root 21 ps -ef | grep -v root | sort |
> more****
>
> ** **
>
> Is this easy to defeat? Yup. But it will let you get experiment with
> command logging and see if it’s really of any benefit to you.****
>
> ** **
>
> Another is use the program called “snoopy” available at
> http://sourceforge.net/projects/snoopylogger/****
>
> ** **
>
> It uses a little known feature of the Linux loader, namely, LD_PRELOAD. **
> **
>
> ** **
>
> Once you’ve got it in place you get output like this:****
>
> ** **
>
> Apr 13 16:55:19 dr-who snoopy[2029]: [uid:0 sid:1890 tty:/dev/pts/1
> cwd:/root filename:/bin/uname]: uname –a****
>
> Apr 13 16:56:18 dr-who snoopy[2031]: [uid:0 sid:1890 tty:/dev/pts/1
> cwd:/root filename:/bin/ps]: ps –ef****
>
> Apr 13 16:57:50 dr-who snoopy[2035]: [uid:0 sid:1890 tty:/dev/pts/1
> cwd:/root filename:/bin/ps]: ps -ef ****
>
> Apr 13 16:57:50 dr-who snoopy[2036]: [uid:0 sid:1890 tty: cwd:/root
> filename:/bin/grep]: grep audit ****
>
> Apr 13 16:57:50 dr-who snoopy[2037]: [uid:0 sid:1890 tty: cwd:/root
> filename:/bin/grep]: grep -v grep ****
>
> ** **
>
> It’s not as easy to circumvent as the above bash code. As a suggestion
> based on experience, don’t put snoopy into affect until after the system is
> up. You really don’t want to log all the commands root does in the process
> of starting up a system.****
>
> ** **
>
> I hope this helps.****
>
> ** **
>
> Best regards,****
>
> ** **
>
> Gary Smith****
>
> Information System Security Officer****
>
> Pacific Northwest National Laboratory****
>
> ** **
>
> *From:* linux-audit-bounces@redhat.com [mailto:
> linux-audit-bounces@redhat.com] *On Behalf Of *zhu xiuming
> *Sent:* Wednesday, October 09, 2013 3:11 PM
> *To:* Steve Grubb
> *Cc:* Richard Guy Briggs; Linux-audit@redhat.com
> *Subject:* Re: how to use auditd to record all user command history****
>
> ** **
>
> Thanks. ****
>
> I know the kernel do the most work. So, I can't use pam_tty_audit for our
> hosts. ****
>
> However, I still hope to record user command history. I just wonder what
> is the best way to do it.
>
> ****
>
> ** **
>
> On Wed, Oct 9, 2013 at 2:57 PM, Steve Grubb <sgrubb@redhat.com> wrote:****
>
> On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote:
> > So, if I can't update all kernels (the cost will be very high), is there
> > any other way to resolve this issue?****
>
> The kernel is what does all the heavy work in the audit system. Auditd only
> records to disk, pam_tty_audit and auditctl tell the kernel what they are
> interested in. But all the action is in the kernel, not user space.
>
> -Steve****
>
>
> > On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <rgb@redhat.com>
> wrote:
> > > On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
> > > > Thanks for your reply.
> > > > Currently, our Linux kernel versions are mostly Redhat
> 2.6.18-xxx.el5. I
> > > > wonder whether it supports this feature.
> > >
> > > The log_passwd feature has not been backported to RHEL5 because the
> > > pam_tty_audit feature wasn't backported to RHEL5, so I would have to
> say
> > > it is not supported in your system.
> > >
> > > An upgrade is necessary.
> > >
> > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb@redhat.com>
> > >
> > > wrote:
> > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > > > > > This is correct. The problem is, this records every keystrokes
> and
> > >
> > > even
> > >
> > > > > > the password of the users. While I only care about the user
> command
> > > > > > history, I surely do not want to know their passwords.
> > > > >
> > > > > There is now support in the upstream kernel (3.10-rc1) and in pam
> > > > > (1.1.8+) to not record passwords by default. If you want the old
> > > > > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
> > > > >
> > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
> > >
> > > tvaughan@onyxpoint.com
> > >
> > > > > >wrote:
> > > > > > > Does pam_tty_audit with enable=* not do what you want?
> > > > > > >
> > > > > > > Trevor
> > > > > > >
> > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <
> xiumingzhu@gmail.com>
> > > > >
> > > > > wrote:
> > > > > > >> HI
> > > > > > >> I know this seems an old topic. But unfortunately, I can't
> find a
> > > > > > >> solution for this. I have googled long time. I tried following
> > > > >
> > > > > options:
> > > > > > >> 1. audit execv syscall,
> > > > > > >>
> > > > > > >> this does record every command typed any tty. However, it
> > > > >
> > > > > generates
> > > > >
> > > > > > >> lots of noise. Sometimes, the execv syscall is so frequently
> > >
> > > called
> > >
> > > > > that
> > > > >
> > > > > > >> the system can't afford to log every call of it and it crashes
> > > > > > >> !!!
> > > > > > >>
> > > > > > >> 2. use *pam_tty_audit.so
> > > > > > >> *
> > > > > > >> this makes it possible to record one or two users, not all
> users.
> > >
> > > *
> > >
> > > > > > >> *
> > > > > > >> So, may I ask, is this problem solvable by auditd or do I need
> > >
> > > other
> > >
> > > > > > >> tools ?*
> > > > > > >>
> > > > > > >> *
> > > > > > >> *Thanks a lot
> > > > > > >
> > > > > > > Trevor Vaughan
> > > > >
> > > > > - RGB
> > >
> > > - RGB
> > >
> > > --
> > > Richard Guy Briggs <rbriggs@redhat.com>
> > > Senior Software Engineer
> > > Kernel Security
> > > AMER ENG Base Operating Systems
> > > Remote, Ottawa, Canada
> > > Voice: +1.647.777.2635
> > > Internal: (81) 32635
> > > Alt: +1.613.693.0684x3545****
>
> ** **
>
[-- Attachment #1.2: Type: text/html, Size: 17596 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: how to use auditd to record all user command history
2013-10-07 17:30 ` zhu xiuming
2013-10-08 3:13 ` Richard Guy Briggs
@ 2013-10-29 14:56 ` shawn wilson
1 sibling, 0 replies; 16+ messages in thread
From: shawn wilson @ 2013-10-29 14:56 UTC (permalink / raw)
To: zhu xiuming; +Cc: Linux-audit@redhat.com
On Mon, Oct 7, 2013 at 1:30 PM, zhu xiuming <xiumingzhu@gmail.com> wrote:
> This is correct. The problem is, this records every keystrokes and even the
> password of the users. While I only care about the user command history, I
> surely do not want to know their passwords.
>
There is another problem - users without a tty will be able to type
commands that aren't loged (hence not a full solution). A test case
for this is:
ssh host ls
>
>
>
> On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <tvaughan@onyxpoint.com>
> wrote:
>>
>> Does pam_tty_audit with enable=* not do what you want?
>>
>> Trevor
>>
>>
>> On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com> wrote:
>>>
>>> HI
>>> I know this seems an old topic. But unfortunately, I can't find a
>>> solution for this. I have googled long time. I tried following options:
>>>
>>> 1. audit execv syscall,
>>> this does record every command typed any tty. However, it generates
>>> lots of noise. Sometimes, the execv syscall is so frequently called that
>>> the system can't afford to log every call of it and it crashes !!!
>>>
>>> 2. use pam_tty_audit.so
>>> this makes it possible to record one or two users, not all users.
>>>
>>> So, may I ask, is this problem solvable by auditd or do I need other
>>> tools ?
>>>
>>> Thanks a lot
>>>
>>>
>>> --
>>> Linux-audit mailing list
>>> Linux-audit@redhat.com
>>> https://www.redhat.com/mailman/listinfo/linux-audit
>>
>>
>>
>>
>> --
>> Trevor Vaughan
>> Vice President, Onyx Point, Inc
>> (410) 541-6699
>> tvaughan@onyxpoint.com
>>
>> -- This account not approved for unencrypted proprietary information --
>
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2013-10-29 14:56 UTC | newest]
Thread overview: 16+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-10-20 1:03 how to use auditd to record all user command history Aschu
2013-10-29 8:33 ` Shinoj Gangadharan
2013-10-29 12:54 ` Steve Grubb
2013-10-29 13:05 ` Richard Guy Briggs
-- strict thread matches above, loose matches on Subject: below --
2013-10-06 21:26 zhu xiuming
2013-10-06 21:40 ` Trevor Vaughan
2013-10-07 17:30 ` zhu xiuming
2013-10-08 3:13 ` Richard Guy Briggs
2013-10-08 21:05 ` zhu xiuming
2013-10-08 21:33 ` Richard Guy Briggs
2013-10-09 21:51 ` zhu xiuming
2013-10-09 21:57 ` Steve Grubb
2013-10-09 22:11 ` zhu xiuming
2013-10-09 23:23 ` Smith, Gary R
2013-10-09 23:56 ` zhu xiuming
2013-10-29 14:56 ` shawn wilson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox