Friday, 21 June 2013

Logging all users' commands on a Linux terminal via SSH - Linux tty auditing/logging/session watch - user activity


Linux tty auditing/logging/session watch


Posted on 21 June 2013 by Sarang Acharya
Since RHEL 5.4, and in recent Fedora releases, it is possible to audit what users type at their tty (the terminal their command prompt runs on). The pam_tty_audit PAM module switches the kernel's tty auditing on for a user's login session, and the audit daemon (auditd) writes the resulting records to /var/log/audit/audit.log, so auditd must be running for any of this to be recorded.

Edit /etc/pam.d/system-auth and /etc/pam.d/sshd and append the following line to the session stack:

    session required pam_tty_audit.so disable=* enable=root,testuser,user2,john

The enable= and disable= options take comma-separated glob patterns and are applied in order, so a later option overrides an earlier one for a user matched by both: the line above switches auditing off for everyone and then back on for the listed accounts. On RHEL 6 and later, sshd includes /etc/pam.d/password-auth rather than system-auth, so the line needs to go there as well for SSH logins to be covered.


Wait for users to log in and type into a terminal. Later, to see audited tty input, run:


# aureport --tty

When a user logs in, the PAM module tells the kernel to enable tty auditing for the session process and everything it spawns. All tty input is logged, but it is not easy to read as it stands: the data= field of each record holds the raw keystrokes, hex-encoded, including backspaces, control characters and the text of anything pasted into the terminal. The kernel buffers a process's tty input and emits it in chunks rather than keystroke by keystroke (the buffer is flushed, for example, when the process exits), so a line of input may be split across records or appear some time after it was typed. The records are identified with a type of TTY in /var/log/audit/audit.log, and ausearch -i -m TTY prints them with the hex decoded.
In addition to tty auditing, Red Hat patched their bash shell so that it audits each command line it executes, with a record type of USER_TTY. That is far easier to read than raw tty auditing, but it is trivial for a user to bypass: any shell that does not send its commands to the Linux audit system, such as zsh or a custom-built unpatched bash, produces no USER_TTY records at all. The kernel's TTY records do not depend on the shell, so the user's keystrokes are still captured; the two mechanisms complement each other and both are worth enabling. Note that "aureport --tty" only summarises TTY records; to see the bash records, run ausearch -m USER_TTY (add -i to decode the cmd= field, which is hex-encoded whenever the command contains a space or a non-printable character).
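Decoding the two record types makes both points above concrete: the TTY records have to be hex-decoded and replayed (backspaces applied, control characters shown) before they make sense, and a session that switches to zsh keeps producing TTY records while the USER_TTY trail goes quiet. The following Python script is an added example written for this post, not code from the original article or from the audit project. The audit.log lines it parses are constructed samples with made-up pid, auid and ses values, and the keystroke replay (DEL/BS erase one character, ^U kills the line, other control characters are shown as ^X) is a simplification of what a real line editor does.

```python
"""Decode Linux audit TTY and USER_TTY records into readable keystrokes and commands.

Added example for this post, not code from the original article or the audit project.
The sample records below are constructed; the field layout follows audit.log.
"""
import re

# Constructed sample audit.log lines (not captured from a real system).
# Session 3 of auid 1000: bash (pid 2345) runs "ls -k" after a corrected typo,
# then starts zsh (pid 2400), which is not patched to emit USER_TTY records.
SAMPLE_LOG = """\
type=TTY msg=audit(1371820890.123:456): tty pid=2345 uid=0 auid=1000 ses=3 major=136 minor=0 comm="bash" data=6C7320
type=TTY msg=audit(1371820890.456:457): tty pid=2345 uid=0 auid=1000 ses=3 major=136 minor=0 comm="bash" data=2D6C7F6B0A
type=USER_TTY msg=audit(1371820891.000:458): pid=2345 uid=0 auid=1000 ses=3 msg='cwd="/root" cmd=6C73202D6B terminal=pts/0 res=success'
type=TTY msg=audit(1371820900.000:459): tty pid=2345 uid=0 auid=1000 ses=3 major=136 minor=0 comm="bash" data=7A73680A
type=USER_TTY msg=audit(1371820900.100:460): pid=2345 uid=0 auid=1000 ses=3 msg='cwd="/root" cmd="zsh" terminal=pts/0 res=success'
type=TTY msg=audit(1371820905.000:461): tty pid=2400 uid=0 auid=1000 ses=3 major=136 minor=0 comm="zsh" data=636174202F6574632F736861646F770A
"""

# key=value pairs; values are "quoted", 'quoted' (the msg='...' wrapper) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')
HEADER_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_record(line):
    """Split one audit.log line into a dict of field -> raw (still encoded) value."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {'type': m.group(1), 'time': float(m.group(2)), 'serial': int(m.group(3))}
    rec.update(FIELD_RE.findall(m.group(4)))
    return rec


def decode_value(raw):
    """Audit quotes plain values and hex-encodes values with spaces or control chars."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].encode()
    if HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw)
    return raw.encode()


def render_keystrokes(data):
    """Replay raw tty bytes roughly the way a line editor would see them."""
    out = []
    for b in data:
        if b in (0x7F, 0x08):            # DEL / BS: erase the previous character
            if out and out[-1] != '\n':
                out.pop()
        elif b == 0x15:                  # ^U: kill everything back to start of line
            while out and out[-1] != '\n':
                out.pop()
        elif b in (0x0A, 0x0D):          # newline / carriage return end the line
            out.append('\n')
        elif b < 0x20:                   # other control characters shown as ^X
            out.append('^' + chr(b + 0x40))
        else:
            out.append(chr(b))
    return ''.join(out)


def reconstruct_sessions(log_text):
    """Return (rendered TTY input per (auid, ses, pid, comm), list of USER_TTY commands).

    TTY chunks for one process are concatenated before replay, so a backspace at the
    start of a chunk still erases a character logged in the previous chunk.
    """
    tty_bytes = {}
    commands = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ident = (int(rec['auid']), int(rec['ses']), int(rec['pid']))
        if rec['type'] == 'TTY':
            key = ident + (decode_value(rec['comm']).decode(),)
            tty_bytes.setdefault(key, bytearray()).extend(decode_value(rec['data']))
        elif rec['type'] == 'USER_TTY':
            inner = dict(FIELD_RE.findall(rec['msg'][1:-1]))   # strip the '...' wrapper
            commands.append(ident + (decode_value(inner['cmd']).decode(),))
    rendered = {k: render_keystrokes(bytes(v)) for k, v in tty_bytes.items()}
    return rendered, commands


if __name__ == '__main__':
    rendered, commands = reconstruct_sessions(SAMPLE_LOG)
    print('TTY records (what was typed, after replaying edits):')
    for (auid, ses, pid, comm), text in rendered.items():
        for line in text.rstrip('\n').split('\n'):
            print(f'  auid={auid} ses={ses} pid={pid} {comm}: {line}')
    print('USER_TTY records (what the patched bash executed):')
    for auid, ses, pid, cmd in commands:
        print(f'  auid={auid} ses={ses} pid={pid}: {cmd}')
```

Run against a real log with `python3 decode_tty.py < /var/log/audit/audit.log` after changing the main block to read stdin; on the sample, the zsh process shows "cat /etc/shadow" in the TTY output with no matching USER_TTY line, which is exactly the gap the post describes.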

The Linux auditing system is more general than tty logging. It is possible to write rules that watch for modification of particular files, or that log the use of particular system calls; rules are loaded with auditctl (persistently from /etc/audit/audit.rules). See the audit.rules(7) manpage for the rule syntax.