On 2/8/2022 5:12 PM, André Letterer wrote:
Yes, history is a bash internal command and that's why I opened
initally this thread because I wanted to know if there is any chance to track internal
bash commands like history as well via auditd. For now it seems pam_tty_audit doesn't
do the job.
Audit tracks security relevant events. Invoking a built-in
command such as history, export or set does not involve any
security relevant events. Invoking a built-in simply sends the
existing shell process down a specified code path. There's no
audit record because there's nothing happening to audit.
*Gesendet:* Mittwoch, 09. Februar 2022 um 02:09 Uhr
*Von:* "Casey Schaufler" <casey(a)schaufler-ca.com>
*An:* "André Letterer" <andre.letterer(a)web.de>, "Richard Guy
Briggs" <rgb(a)redhat.com>
*Cc:* Linux-audit@redhat.com
*Betreff:* Re: How to configure auditd to register like internal bash commands?
On 2/8/2022 4:24 PM, André Letterer wrote:
> Yeah, it's a very good start.
> However it seems it still doesn't do what I want.
> It seems only changing the 2 files doesn't do the job:
> nano /etc/pam.d/system-auth
> session required pam_tty_audit.so disable=* enable=logs log_passwd
> nano /etc/pam.d/password-auth
> session required pam_tty_audit.so disable=* enable=logs log_passwd
> I get much more entries in /var/log/audit/audit.log for user logs like for instance
if I su to this one.
> However unfortunately commands like "history -c" don't still trigger
an entry...
There are a significant number of commands that are shell built-ins,
including "history".
> Is there still a follow-up idea on this?
> *Gesendet:* Mittwoch, 09. Februar 2022 um 00:20 Uhr
> *Von:* "Richard Guy Briggs" <rgb(a)redhat.com>
> *An:* "André Letterer" <andre.letterer(a)web.de>
> *Cc:* Linux-audit@redhat.com
> *Betreff:* Re: How to configure auditd to register like internal bash commands?
> On 2022-02-07 23:37, André Letterer wrote:
> > Hi folks,
> >
> > I would like to have some help on configuring auditd for very short
> > running commands like
> > unset ...
> > set ...
> > export ...
> > history -c
> >
> > or similar commands.
> > How would that be possible?
> > Would you mind please to help me on some knowledge about that?
>
> You may want to look into pam_tty_audit, but it may flood your logs.
>
> - RGB
>
> --
> Richard Guy Briggs <rgb(a)redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
>
https://listman.redhat.com/mailman/listinfo/linux-audit