On 2/8/2022 5:12 PM, André Letterer wrote:
Yes, history is a bash internal command and that's why I initially opened this thread: I wanted to know if there is any chance to track internal bash commands like history as well via auditd. For now it seems pam_tty_audit doesn't do the job.
Audit tracks security relevant events. Invoking a built-in command such as history, export or set does not involve any security relevant events. Invoking a built-in simply sends the existing shell process down a specified code path. There's no audit record because there's nothing happening to audit.
*Sent:* Wednesday, 09 February 2022 at 02:09
*From:* "Casey Schaufler" <[email protected]>
*To:* "André Letterer" <[email protected]>, "Richard Guy Briggs" <[email protected]>
*Cc:* [email protected]
*Subject:* Re: How to configure auditd to register like internal bash commands?

On 2/8/2022 4:24 PM, André Letterer wrote:
> Yeah, it's a very good start.
> However it seems it still doesn't do what I want.
> It seems only changing the 2 files doesn't do the job:
> nano /etc/pam.d/system-auth
> session required pam_tty_audit.so disable=* enable=logs log_passwd
> nano /etc/pam.d/password-auth
> session required pam_tty_audit.so disable=* enable=logs log_passwd
> I get many more entries in /var/log/audit/audit.log for user logs, for instance if I su to this one.
> However, unfortunately commands like "history -c" still don't trigger an entry...

There are a significant number of commands that are shell built-ins, including "history".

> Is there still a follow-up idea on this?
>
> *Sent:* Wednesday, 09 February 2022 at 00:20
> *From:* "Richard Guy Briggs" <[email protected]>
> *To:* "André Letterer" <[email protected]>
> *Cc:* [email protected]
> *Subject:* Re: How to configure auditd to register like internal bash commands?
>
> On 2022-02-07 23:37, André Letterer wrote:
> > Hi folks,
> >
> > I would like to have some help on configuring auditd for very short
> > running commands like
> > unset ...
> > set ...
> > export ...
> > history -c
> >
> > or similar commands.
> > How would that be possible?
> > Would you mind please helping me with some knowledge about that?
>
> You may want to look into pam_tty_audit, but it may flood your logs.
>
> - RGB
>
> --
> Richard Guy Briggs <[email protected]>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
> --
> Linux-audit mailing list
> [email protected]
> https://listman.redhat.com/mailman/listinfo/linux-audit
-- Linux-audit mailing list [email protected] https://listman.redhat.com/mailman/listinfo/linux-audit
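Added example for this thread (not code from the list or from the audit project): the pam_tty_audit module enabled in the /etc/pam.d snippets above makes the kernel emit records of type=TTY whose data= field holds the bytes typed at the terminal, hex-encoded. The script below parses such records from an audit.log and renders the typed input, so an administrator can check what TTY auditing actually captured for a session. It decodes whatever was typed; it cannot make syscall-based audit rules report a shell built-in, which is Casey's point. The two log lines it runs on are constructed for this example, not taken from a real system.

```python
"""Decode pam_tty_audit keystroke records from an auditd log.

Added example for this thread (not code from the list or from the
audit project).  When pam_tty_audit is active for a session, the kernel
emits records of type=TTY whose data= field holds the bytes typed at the
terminal, hex-encoded.  This script parses such records and renders the
typed input, so an administrator can check what TTY auditing captured.
"""
import re

# Constructed sample audit.log lines for this example (not real events).
# The two data= values are the hex of "ls -la\r" and "history -c\r".
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1644369000.101:201): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/usr/bin/ls" key=(null)
type=TTY msg=audit(1644369000.102:202): tty pid=4242 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="bash" data=6C73202D6C610D
type=TTY msg=audit(1644369000.250:203): tty pid=4242 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="bash" data=686973746F7279202D630D
"""

# key=value pairs; values are either double-quoted or a bare token.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return the key=value fields of one audit line as a dict."""
    fields = {}
    for key, value in _FIELD_RE.findall(line):
        fields[key] = value.strip('"')
    return fields


def decode_tty_data(hexdata):
    """Render the hex data= payload as readable text.

    Printable ASCII is kept; carriage return (Enter) becomes <CR>,
    DEL becomes <DEL>, other control bytes are shown in caret form (^C),
    and non-ASCII bytes as \\xNN escapes.
    """
    out = []
    for b in bytes.fromhex(hexdata):
        if b == 0x0D:
            out.append("<CR>")
        elif b == 0x7F:
            out.append("<DEL>")
        elif b < 0x20:
            out.append("^" + chr(b + 0x40))
        elif b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def tty_keystrokes(log_text):
    """Extract decoded keystrokes from every type=TTY record in log_text."""
    events = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "TTY" or "data" not in rec:
            continue
        events.append({
            "pid": rec.get("pid"),
            "auid": rec.get("auid"),
            "ses": rec.get("ses"),
            "comm": rec.get("comm"),
            "text": decode_tty_data(rec["data"]),
        })
    return events


if __name__ == "__main__":
    for ev in tty_keystrokes(SAMPLE_LOG):
        print(f"auid={ev['auid']} ses={ev['ses']} {ev['comm']}: {ev['text']}")
```

On a live system `ausearch -i` performs the same interpretation of TTY records from the audit database; the script is useful when the log has been shipped off-box as plain text. The SYSCALL line in the sample is skipped on purpose: it is what an execve-based rule produces for an external program, and nothing comparable exists for a built-in.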
