how to use auditd to record all user command history
Shinoj Gangadharan
sgangadharan at wavecrest.gi
Tue Oct 29 08:33:48 UTC 2013
Hi,
Has the log_passwd feature been backported to RHEL6.4 ?
Regards,
Shinoj.
>> > >
>> > > The log_passwd feature has not been backported to RHEL5 because
>> > > the pam_tty_audit feature wasn't backported to RHEL5, so I would
>> > > have to
>> say
>> > > it is not supported in your system.
>> > >
>> > > An upgrade is necessary.
>> > >
>> > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs
>> > > > <rgb at redhat.com>
>> > >
>> > > wrote:
>> > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
>> > > > > > This is correct. The problem is, this records every
>> > > > > > keystrokes
>> and
>> > >
>> > > even
>> > >
>> > > > > > the password of the users. While I only care about the user
>> command
>> > > > > > history, I surely do not want to know their passwords.
>> > > > >
>> > > > > There is now support in the upstream kernel (3.10-rc1) and in
>> > > > > pam
>> > > > > (1.1.8+) to not record passwords by default. If you want the
>> > > > > old behaviour, add the optional argument to pam_tty_audit:
>> > > > > "log_passwd"
>> > > > >
>> > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
>> > >
>> > > tvaughan at onyxpoint.com
>> > >
>> > > > > >wrote:
>> > > > > > > Does pam_tty_audit with enable=* not do what you want?
>> > > > > > >
>> > > > > > > Trevor
>> > > > > > >
>> > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <
>> xiumingzhu at gmail.com>
>> > > > >
>> > > > > wrote:
>> > > > > > >> HI
>> > > > > > >> I know this seems an old topic. But unfortunately, I
>> > > > > > >> can't
>> find a
>> > > > > > >> solution for this. I have googled long time. I tried
>> > > > > > >> following
>> > > > >
>> > > > > options:
>> > > > > > >> 1. audit execv syscall,
>> > > > > > >>
>> > > > > > >> this does record every command typed any tty.
>> > > > > > >> However, it
>> > > > >
>> > > > > generates
>> > > > >
>> > > > > > >> lots of noise. Sometimes, the execv syscall is so
>> > > > > > >> frequently
>> > >
>> > > called
>> > >
>> > > > > that
>> > > > >
>> > > > > > >> the system can't afford to log every call of it and it
>> > > > > > >> crashes !!!
>> > > > > > >>
>> > > > > > >> 2. use *pam_tty_audit.so
>> > > > > > >> *
>> > > > > > >> this makes it possible to record one or two users, not
>> > > > > > >> all
>> users.
>> > >
>> > > *
>> > >
>> > > > > > >> *
>> > > > > > >> So, may I ask, is this problem solvable by auditd or do
>> > > > > > >> I need
>> > >
>> > > other
>> > >
>> > > > > > >> tools ?*
>> > > > > > >>
>> > > > > > >> *
>> > > > > > >> *Thanks a lot
>> > > > > > >
>> > > > > > > Trevor Vaughan
>> > > > >
>> > > > > - RGB
>> > >
>> > > - RGB
>> > >
>> > > --
>> > > Richard Guy Briggs <rbriggs at redhat.com> Senior Software Engineer
>> > > Kernel Security AMER ENG Base Operating Systems Remote, Ottawa,
>> > > Canada
>> > > Voice: +1.647.777.2635
>> > > Internal: (81) 32635
>> > > Alt: +1.613.693.0684x3545****
>>
>> ** **
>>
>
>--
>Linux-audit mailing list
>Linux-audit at redhat.com
>https://www.redhat.com/mailman/listinfo/linux-audit
--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
More information about the Linux-audit
mailing list