Slashzerø » pam http://www.slashzero.com Random and Useless Thoughts on Everything Wed, 31 Mar 2010 20:46:18 +0000 en hourly 1 http://wordpress.org/?v=3.0 Shell session logging http://www.slashzero.com/2009/11/shell-session-logging/ http://www.slashzero.com/2009/11/shell-session-logging/#comments Sun, 22 Nov 2009 00:48:14 +0000 abx21 http://www.slashzero.com/?p=117 [...]]]> pam_tty_audit.so

How come no one ever told me about this!  A while ago we were tasked to find a way to log all commands executed by root.  I know bash_history is easily manipulated so I spent some time on google trying to find a logging shell, then got distracted by something shiny and forgot all about this task.  Turns out the linux auditing system has a built-in tty logging accounting module that will log all tty sessions!  Just add this to your pam stack (/etc/pam.d/system-auth on redhat and clones):

session required pam_tty_audit.so disable=* enable=root

Then run a few commands as root, and the aureport command will become your friend:

audit]# aureport --tty -ts today
TTY Report
===============================================
# date time event auid term sess comm data
===============================================
1. 11/22/2009 00:07:52 132278 1040 ? 4294962295 bash "hello world",<ret>

UPDATE:

You need a newer version of the audit rpm package, tty info will be collected but aureport does not know how to display them.

https://bugzilla.redhat.com/show_bug.cgi?id=497518

Share/Bookmark

]]> http://www.slashzero.com/2009/11/shell-session-logging/feed/ 0