On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote:
So, if I can't update all kernels (the cost will be very high),
is there
any other way to resolve this issue?
The kernel is what does all the heavy work in the audit system. Auditd only
records to disk, pam_tty_audit and auditctl tell the kernel what they are
interested in. But all the action is in the kernel, not user space.
-Steve
On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs
<rgb(a)redhat.com> wrote:
> On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
> > Thanks for your reply.
> > Currently, our Linux kernel versions are mostly Redhat 2.6.18-xxx.el5. I
> > wonder whether it supports this feature.
>
> The log_passwd feature has not been backported to RHEL5 because the
> pam_tty_audit feature wasn't backported to RHEL5, so I would have to say
> it is not supported in your system.
>
> An upgrade is necessary.
>
> > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb(a)redhat.com>
>
> wrote:
> > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
> > > > This is correct. The problem is, this records every keystrokes and
>
> even
>
> > > > the password of the users. While I only care about the user command
> > > > history, I surely do not want to know their passwords.
> > >
> > > There is now support in the upstream kernel (3.10-rc1) and in pam
> > > (1.1.8+) to not record passwords by default. If you want the old
> > > behaviour, add the optional argument to pam_tty_audit:
"log_passwd"
> > >
> > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
>
> tvaughan(a)onyxpoint.com
>
> > > >wrote:
> > > > > Does pam_tty_audit with enable=* not do what you want?
> > > > >
> > > > > Trevor
> > > > >
> > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming
<xiumingzhu(a)gmail.com>
> > >
> > > wrote:
> > > > >> HI
> > > > >> I know this seems an old topic. But unfortunately, I
can't find a
> > > > >> solution for this. I have googled long time. I tried
following
> > >
> > > options:
> > > > >> 1. audit execv syscall,
> > > > >>
> > > > >> this does record every command typed any tty. However,
it
> > >
> > > generates
> > >
> > > > >> lots of noise. Sometimes, the execv syscall is so
frequently
>
> called
>
> > > that
> > >
> > > > >> the system can't afford to log every call of it and it
crashes
> > > > >> !!!
> > > > >>
> > > > >> 2. use *pam_tty_audit.so
> > > > >> *
> > > > >> this makes it possible to record one or two users, not all
users.
>
> *
>
> > > > >> *
> > > > >> So, may I ask, is this problem solvable by auditd or do I
need
>
> other
>
> > > > >> tools ?*
> > > > >>
> > > > >> *
> > > > >> *Thanks a lot
> > > > >
> > > > > Trevor Vaughan
> > >
> > > - RGB
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs(a)redhat.com>
> Senior Software Engineer
> Kernel Security
> AMER ENG Base Operating Systems
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635
> Internal: (81) 32635
> Alt: +1.613.693.0684x3545