Re: how to use auditd to record all user command history
On Tue, Oct 29, 2013 at 02:03:48PM +0530, Shinoj Gangadharan wrote:
Hi,
Has the log_passwd feature been backported to RHEL6.4 ?
No. It is part of RHEL6.5. My understanding is the kernel part should
work with RHEL6.4, but it will break the RHEL6.4 pam_tty_audit module of
pam (which needs to be updated anyways to get the new feature to work).
I can't speak to the ease of upgrading pam to the RHEL6.5 version while
still running essentially a RHEL6.4 system.
Regards,
Shinoj.
>> > >
>> > > The log_passwd feature has not been backported to RHEL5 because
>> > > the pam_tty_audit feature wasn't backported to RHEL5, so I would
>> > > have to say it is not supported in your system.
>> > >
>> > > An upgrade is necessary.
>> > >
>> > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs
>> > > > <rgb(a)redhat.com>
>> > >
>> > > wrote:
>> > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming
wrote:
>> > > > > > This is correct. The problem is, this records every
>> > > > > > keystrokes and even the password of the users. While I
>> > > > > > only care about the user command history, I surely do
not
>> > > > > > want to know their passwords.
>> > > > >
>> > > > > There is now support in the upstream kernel (3.10-rc1) and
>> > > > > in pam (1.1.8+) to not record passwords by default. If you
>> > > > > want the old behaviour, add the optional argument to
>> > > > > pam_tty_audit: "log_passwd"
>> > > > >
>> > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
>> > >
>> > > tvaughan(a)onyxpoint.com
>> > >
>> > > > > >wrote:
>> > > > > > > Does pam_tty_audit with enable=* not do what you
want?
>> > > > > > >
>> > > > > > > Trevor
>> > > > > > >
>> > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <
>> xiumingzhu(a)gmail.com>
>> > > > >
>> > > > > wrote:
>> > > > > > >> HI
>> > > > > > >> I know this seems an old topic. But
unfortunately, I
>> > > > > > >> can't find a solution for this. I have
googled long
>> > > > > > >> time. I tried following options:
>> > > > > > >> 1. audit execv syscall,
>> > > > > > >>
>> > > > > > >> this does record every command typed any
tty.
>> > > > > > >> However, it generates lots of noise.
Sometimes, the
>> > > > > > >> execv syscall is so frequently called that the
system
>> > > > > > >> can't afford to log every call of it and
it crashes
>> > > > > > >> !!!
>> > > > > > >>
>> > > > > > >> 2. use *pam_tty_audit.so
>> > > > > > >> *
>> > > > > > >> this makes it possible to record one or two
users, not
>> > > > > > >> all users.
>> > > > > > >> So, may I ask, is this problem solvable by
auditd or
>> > > > > > >> do I need other tools ?*
>> > > > > > >
>> > > > > > > Trevor Vaughan
>> > > > >
>> > > > > - RGB
>> > >
>> > > - RGB
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545