Sent from Huawei Mobile zhu xiuming <[email protected]> wrote:
>Thanks a lot. > >I think it is better to use audit for me because it is also not so easy to >get a third-party software installed on our hosts. >Maybe I am considering how to scrutinize good audit rules of watching >"execv". > >Thanks a lot > > >On Wed, Oct 9, 2013 at 4:23 PM, Smith, Gary R <[email protected]> wrote: > >> Hi,**** >> >> ** ** >> >> What’s the “best way to do it” is dependent on your system.**** >> >> ** ** >> >> That said, I can offer two non-audit suggestions.**** >> >> ** ** >> >> One I call the “Old Shell Game”. Stick this bash code in in the >> appropriate system wide bash file:**** >> >> ** ** >> >> function log**** >> >> ** ** >> >> {**** >> >> ** ** >> >> typeset x**** >> >> ** ** >> >> x=$(history 1 | cut -f 5-)**** >> >> ** ** >> >> logger -p daemon.notice -t "$LOGNAME" $PWD "${x# }"**** >> >> ** ** >> >> }**** >> >> ** ** >> >> trap log DEBUG**** >> >> ** ** >> >> And you get things like this in your syslog:**** >> >> ** ** >> >> Apr 8 13:50:51 dr-who root: /root 18 ls -ls /etc/pam.d/*su***** >> >> Apr 8 13:51:17 dr-who root: /root 19 ps -ef | grep audit | grep -v >> grep**** >> >> Apr 8 13:51:53 dr-who root: /root 20 ps -ef | grep -v root | wc –l ** >> ** >> >> Apr 8 13:52:31 dr-who root: /root 21 ps -ef | grep -v root | sort | >> more**** >> >> ** ** >> >> Is this easy to defeat? Yup. But it will let you get experiment with >> command logging and see if it’s really of any benefit to you.**** >> >> ** ** >> >> Another is use the program called “snoopy” available at >> http://sourceforge.net/projects/snoopylogger/**** >> >> ** ** >> >> It uses a little known feature of the Linux loader, namely, LD_PRELOAD. ** >> ** >> >> ** ** >> >> Once you’ve got it in place you get output like this:**** >> >> ** ** >> >> Apr 13 16:55:19 dr-who snoopy[2029]: [uid:0 sid:1890 tty:/dev/pts/1 >> cwd:/root filename:/bin/uname]: uname –a**** >> >> Apr 13 16:56:18 dr-who snoopy[2031]: [uid:0 sid:1890 tty:/dev/pts/1 >> cwd:/root filename:/bin/ps]: ps –ef**** >> >> Apr 13 16:57:50 dr-who snoopy[2035]: [uid:0 sid:1890 tty:/dev/pts/1 >> cwd:/root filename:/bin/ps]: ps -ef **** >> >> Apr 13 16:57:50 dr-who snoopy[2036]: [uid:0 sid:1890 tty: cwd:/root >> filename:/bin/grep]: grep audit **** >> >> Apr 13 16:57:50 dr-who snoopy[2037]: [uid:0 sid:1890 tty: cwd:/root >> filename:/bin/grep]: grep -v grep **** >> >> ** ** >> >> It’s not as easy to circumvent as the above bash code. As a suggestion >> based on experience, don’t put snoopy into affect until after the system is >> up. You really don’t want to log all the commands root does in the process >> of starting up a system.**** >> >> ** ** >> >> I hope this helps.**** >> >> ** ** >> >> Best regards,**** >> >> ** ** >> >> Gary Smith**** >> >> Information System Security Officer**** >> >> Pacific Northwest National Laboratory**** >> >> ** ** >> >> *From:* [email protected] [mailto: >> [email protected]] *On Behalf Of *zhu xiuming >> *Sent:* Wednesday, October 09, 2013 3:11 PM >> *To:* Steve Grubb >> *Cc:* Richard Guy Briggs; [email protected] >> *Subject:* Re: how to use auditd to record all user command history**** >> >> ** ** >> >> Thanks. **** >> >> I know the kernel do the most work. So, I can't use pam_tty_audit for our >> hosts. **** >> >> However, I still hope to record user command history. I just wonder what >> is the best way to do it. >> >> **** >> >> ** ** >> >> On Wed, Oct 9, 2013 at 2:57 PM, Steve Grubb <[email protected]> wrote:**** >> >> On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote: >> > So, if I can't update all kernels (the cost will be very high), is there >> > any other way to resolve this issue?**** >> >> The kernel is what does all the heavy work in the audit system. Auditd only >> records to disk, pam_tty_audit and auditctl tell the kernel what they are >> interested in. But all the action is in the kernel, not user space. >> >> -Steve**** >> >> >> > On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <[email protected]> >> wrote: >> > > On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote: >> > > > Thanks for your reply. >> > > > Currently, our Linux kernel versions are mostly Redhat >> 2.6.18-xxx.el5. I >> > > > wonder whether it supports this feature. >> > > >> > > The log_passwd feature has not been backported to RHEL5 because the >> > > pam_tty_audit feature wasn't backported to RHEL5, so I would have to >> say >> > > it is not supported in your system. >> > > >> > > An upgrade is necessary. >> > > >> > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <[email protected]> >> > > >> > > wrote: >> > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote: >> > > > > > This is correct. The problem is, this records every keystrokes >> and >> > > >> > > even >> > > >> > > > > > the password of the users. While I only care about the user >> command >> > > > > > history, I surely do not want to know their passwords. >> > > > > >> > > > > There is now support in the upstream kernel (3.10-rc1) and in pam >> > > > > (1.1.8+) to not record passwords by default. If you want the old >> > > > > behaviour, add the optional argument to pam_tty_audit: "log_passwd" >> > > > > >> > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan < >> > > >> > > [email protected] >> > > >> > > > > >wrote: >> > > > > > > Does pam_tty_audit with enable=* not do what you want? >> > > > > > > >> > > > > > > Trevor >> > > > > > > >> > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming < >> [email protected]> >> > > > > >> > > > > wrote: >> > > > > > >> HI >> > > > > > >> I know this seems an old topic. But unfortunately, I can't >> find a >> > > > > > >> solution for this. I have googled long time. I tried following >> > > > > >> > > > > options: >> > > > > > >> 1. audit execv syscall, >> > > > > > >> >> > > > > > >> this does record every command typed any tty. However, it >> > > > > >> > > > > generates >> > > > > >> > > > > > >> lots of noise. Sometimes, the execv syscall is so frequently >> > > >> > > called >> > > >> > > > > that >> > > > > >> > > > > > >> the system can't afford to log every call of it and it crashes >> > > > > > >> !!! >> > > > > > >> >> > > > > > >> 2. use *pam_tty_audit.so >> > > > > > >> * >> > > > > > >> this makes it possible to record one or two users, not all >> users. >> > > >> > > * >> > > >> > > > > > >> * >> > > > > > >> So, may I ask, is this problem solvable by auditd or do I need >> > > >> > > other >> > > >> > > > > > >> tools ?* >> > > > > > >> >> > > > > > >> * >> > > > > > >> *Thanks a lot >> > > > > > > >> > > > > > > Trevor Vaughan >> > > > > >> > > > > - RGB >> > > >> > > - RGB >> > > >> > > -- >> > > Richard Guy Briggs <[email protected]> >> > > Senior Software Engineer >> > > Kernel Security >> > > AMER ENG Base Operating Systems >> > > Remote, Ottawa, Canada >> > > Voice: +1.647.777.2635 >> > > Internal: (81) 32635 >> > > Alt: +1.613.693.0684x3545**** >> >> ** ** >> > >-- >Linux-audit mailing list >[email protected] >https://www.redhat.com/mailman/listinfo/linux-audit -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
