Hi,
What's the "best way to do it" is dependent on your system.
That said, I can offer two non-audit suggestions.
One I call the "Old Shell Game". Stick this bash code in in the appropriate
system wide bash file:
function log
{
typeset x
x=$(history 1 | cut -f 5-)
logger -p daemon.notice -t "$LOGNAME" $PWD "${x# }"
}
trap log DEBUG
And you get things like this in your syslog:
Apr 8 13:50:51 dr-who root: /root 18 ls -ls /etc/pam.d/*su*
Apr 8 13:51:17 dr-who root: /root 19 ps -ef | grep audit | grep -v grep
Apr 8 13:51:53 dr-who root: /root 20 ps -ef | grep -v root | wc -l
Apr 8 13:52:31 dr-who root: /root 21 ps -ef | grep -v root | sort | more
Is this easy to defeat? Yup. But it will let you get experiment with command logging and
see if it's really of any benefit to you.
Another is use the program called "snoopy" available at
http://sourceforge.net/projects/snoopylogger/
It uses a little known feature of the Linux loader, namely, LD_PRELOAD.
Once you've got it in place you get output like this:
Apr 13 16:55:19 dr-who snoopy[2029]: [uid:0 sid:1890 tty:/dev/pts/1 cwd:/root
filename:/bin/uname]: uname -a
Apr 13 16:56:18 dr-who snoopy[2031]: [uid:0 sid:1890 tty:/dev/pts/1 cwd:/root
filename:/bin/ps]: ps -ef
Apr 13 16:57:50 dr-who snoopy[2035]: [uid:0 sid:1890 tty:/dev/pts/1 cwd:/root
filename:/bin/ps]: ps -ef
Apr 13 16:57:50 dr-who snoopy[2036]: [uid:0 sid:1890 tty: cwd:/root filename:/bin/grep]:
grep audit
Apr 13 16:57:50 dr-who snoopy[2037]: [uid:0 sid:1890 tty: cwd:/root filename:/bin/grep]:
grep -v grep
It's not as easy to circumvent as the above bash code. As a suggestion based on
experience, don't put snoopy into affect until after the system is up. You really
don't want to log all the commands root does in the process of starting up a system.
I hope this helps.
Best regards,
Gary Smith
Information System Security Officer
Pacific Northwest National Laboratory
From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of
zhu xiuming
Sent: Wednesday, October 09, 2013 3:11 PM
To: Steve Grubb
Cc: Richard Guy Briggs; Linux-audit(a)redhat.com
Subject: Re: how to use auditd to record all user command history
Thanks.
I know the kernel do the most work. So, I can't use pam_tty_audit for our hosts.
However, I still hope to record user command history. I just wonder what is the best way
to do it.
On Wed, Oct 9, 2013 at 2:57 PM, Steve Grubb
<sgrubb@redhat.com<mailto:sgrubb@redhat.com>> wrote:
On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote:
So, if I can't update all kernels (the cost will be very high),
is there
any other way to resolve this issue?
The kernel is what does all the heavy work in
the audit system. Auditd only
records to disk, pam_tty_audit and auditctl tell the kernel what they are
interested in. But all the action is in the kernel, not user space.
-Steve
On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs
<rgb@redhat.com<mailto:rgb@redhat.com>> wrote:
> On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
> > Thanks for your reply.
> > Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I
> > wonder whether it supports this feature.
>
> The log_passwd feature has not been backported to RHEL5 because the
> pam_tty_audit feature wasn't backported to RHEL5, so I would have to say
> it is not supported in your system.
>
> An upgrade is necessary.
>
> > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs
<rgb@redhat.com<mailto:rgb@redhat.com>>
>
> wrote:
> > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > > > This is correct. The problem is, this records every keystrokes and
>
> even
>
> > > > the password of the users. While I only care about the user command
> > > > history, I surely do not want to know their passwords.
> > >
> > > There is now support in the upstream kernel (3.10-rc1) and in pam
> > > (1.1.8+) to not record passwords by default. If you want the old
> > > behaviour, add the optional argument to pam_tty_audit:
"log_passwd"
> > >
> > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
>
> tvaughan@onyxpoint.com<mailto:tvaughan@onyxpoint.com>
>
> > > >wrote:
> > > > > Does pam_tty_audit with enable=* not do what you want?
> > > > >
> > > > > Trevor
> > > > >
> > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming
<xiumingzhu@gmail.com<mailto:xiumingzhu@gmail.com>>
> > >
> > > wrote:
> > > > >> HI
> > > > >> I know this seems an old topic. But unfortunately, I
can't find a
> > > > >> solution for this. I have googled long time. I tried
following
> > >
> > > options:
> > > > >> 1. audit execv syscall,
> > > > >>
> > > > >> this does record every command typed any tty. However,
it
> > >
> > > generates
> > >
> > > > >> lots of noise. Sometimes, the execv syscall is so
frequently
>
> called
>
> > > that
> > >
> > > > >> the system can't afford to log every call of it and it
crashes
> > > > >> !!!
> > > > >>
> > > > >> 2. use *pam_tty_audit.so
> > > > >> *
> > > > >> this makes it possible to record one or two users, not all
users.
>
> *
>
> > > > >> *
> > > > >> So, may I ask, is this problem solvable by auditd or do I
need
>
> other
>
> > > > >> tools ?*
> > > > >>
> > > > >> *
> > > > >> *Thanks a lot
> > > > >
> > > > > Trevor Vaughan
> > >
> > > - RGB
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs@redhat.com<mailto:rbriggs@redhat.com>>
> Senior Software Engineer
> Kernel Security
> AMER ENG Base Operating Systems
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635<tel:%2B1.647.777.2635>
> Internal: (81) 32635
> Alt: +1.613.693.0684x3545<tel:%2B1.613.693.0684x3545>