linux-audit.redhat.com archive mirror
* How to configure auditd to register like internal bash commands?
@ 2022-02-07 22:37 André Letterer
  2022-02-08 23:20 ` Richard Guy Briggs
  0 siblings, 1 reply; 7+ messages in thread
From: André Letterer @ 2022-02-07 22:37 UTC (permalink / raw)
  To: Linux-audit


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


* Re: How to configure auditd to register like internal bash commands?
  2022-02-07 22:37 How to configure auditd to register like internal bash commands? André Letterer
@ 2022-02-08 23:20 ` Richard Guy Briggs
  2022-02-09  0:24   ` André Letterer
  0 siblings, 1 reply; 7+ messages in thread
From: Richard Guy Briggs @ 2022-02-08 23:20 UTC (permalink / raw)
  To: André Letterer; +Cc: Linux-audit

On 2022-02-07 23:37, André Letterer wrote:
>    Hi folks,
> 
>    I would like to have some help on configuring auditd for very short
>    running commands like
>    unset ...
>    set ...
>    export ...
>    history -c
> 
>    or similar commands.
>    How would that be possible?
>    Would you please help me with some knowledge about that?

You may want to look into pam_tty_audit, but it may flood your logs.

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: How to configure auditd to register like internal bash commands?
  2022-02-08 23:20 ` Richard Guy Briggs
@ 2022-02-09  0:24   ` André Letterer
  2022-02-09  0:54     ` Christian, Mark
  2022-02-09  1:09     ` Casey Schaufler
  0 siblings, 2 replies; 7+ messages in thread
From: André Letterer @ 2022-02-09  0:24 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: Linux-audit



* Re: How to configure auditd to register like internal bash commands?
  2022-02-09  0:24   ` André Letterer
@ 2022-02-09  0:54     ` Christian, Mark
  2022-02-09  1:09     ` Casey Schaufler
  1 sibling, 0 replies; 7+ messages in thread
From: Christian, Mark @ 2022-02-09  0:54 UTC (permalink / raw)
  To: linux-audit

On Wed, 2022-02-09 at 01:24 +0100, André Letterer wrote:
> Yeah, it's a very good start.
> However it seems it still doesn't do what I want.
>  
> It seems only changing the 2 files doesn't do the job:
>  
>           nano /etc/pam.d/system-auth
>             session    required     pam_tty_audit.so disable=* enable=logs log_passwd
>           nano /etc/pam.d/password-auth
>             session    required     pam_tty_audit.so disable=* enable=logs log_passwd
>  
> I get much more entries in /var/log/audit/audit.log for user logs
> like for instance if I su to this one.
>  
> However unfortunately commands like "history -c" still don't trigger
> an entry...
>  
> Is there still a follow-up idea on this?

$ man pam_tty_audit

Hint: consider removing disable=* and modifying enable=logs to something
else, unless of course the only account you want to tty audit is an
account named "logs".

Mark



* Re: How to configure auditd to register like internal bash commands?
  2022-02-09  0:24   ` André Letterer
  2022-02-09  0:54     ` Christian, Mark
@ 2022-02-09  1:09     ` Casey Schaufler
  2022-02-09  1:12       ` Aw: " André Letterer
  1 sibling, 1 reply; 7+ messages in thread
From: Casey Schaufler @ 2022-02-09  1:09 UTC (permalink / raw)
  To: André Letterer, Richard Guy Briggs; +Cc: Linux-audit

On 2/8/2022 4:24 PM, André Letterer wrote:
> Yeah, it's a very good start.
> However it seems it still doesn't do what I want.
> It seems only changing the 2 files doesn't do the job:
>           nano /etc/pam.d/system-auth
>             session    required     pam_tty_audit.so disable=* enable=logs log_passwd
>           nano /etc/pam.d/password-auth
>             session    required     pam_tty_audit.so disable=* enable=logs log_passwd
> I get much more entries in /var/log/audit/audit.log for user logs like for instance if I su to this one.
> However unfortunately commands like "history -c" don't still trigger an entry...

There are a significant number of commands that are shell built-ins,
including "history".

> Is there still a follow-up idea on this?


* Aw: Re: How to configure auditd to register like internal bash commands?
  2022-02-09  1:09     ` Casey Schaufler
@ 2022-02-09  1:12       ` André Letterer
  2022-02-09  1:43         ` Casey Schaufler
  0 siblings, 1 reply; 7+ messages in thread
From: André Letterer @ 2022-02-09  1:12 UTC (permalink / raw)
  To: Casey Schaufler; +Cc: Richard Guy Briggs, Linux-audit



* Re: Aw: Re: How to configure auditd to register like internal bash commands?
  2022-02-09  1:12       ` Aw: " André Letterer
@ 2022-02-09  1:43         ` Casey Schaufler
  0 siblings, 0 replies; 7+ messages in thread
From: Casey Schaufler @ 2022-02-09  1:43 UTC (permalink / raw)
  To: André Letterer; +Cc: Richard Guy Briggs, Linux-audit

On 2/8/2022 5:12 PM, André Letterer wrote:
> Yes, history is a bash internal command and that's why I opened this thread initially, because I wanted to know if there is any chance to track internal bash commands like history as well via auditd. For now it seems pam_tty_audit doesn't do the job.

Audit tracks security relevant events. Invoking a built-in
command such as history, export or set does not involve any
security relevant events. Invoking a built-in simply sends the
existing shell process down a specified code path. There's no
audit record because there's nothing happening to audit.


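To tie Mark's hint about the enable=/disable= lists and Casey's point about built-ins together, here is an added example: a shell script of my own, not code from the thread or from the audit project. It models how a pam_tty_audit line decides which users get TTY keystroke logging, and why a built-in such as export or unset can only be observed through that route, never through an execve syscall rule, because no new process is ever created. The list semantics (options applied left to right, last match wins, a bare "*" matches every account, lists are comma-separated) follow pam_tty_audit(8); glob patterns other than a bare "*" are not modelled. The account names root and admin1 are constructed, and the script assumes an audit rule of the form `-a exit,always -F arch=b64 -S execve` is already loaded on the box being reviewed.

```sh
#!/bin/sh
# Added example, not code from the thread or from the audit project.
# It models two things the replies above explain:
#  1. pam_tty_audit's enable=/disable= lists (Mark's hint): options are
#     applied left to right, the last match wins, "*" matches everyone and
#     lists are comma-separated. Other glob patterns are not modelled.
#  2. Casey's point: a shell built-in never leaves the shell process, so an
#     execve-based audit rule (assumed loaded: -a exit,always -F arch=b64
#     -S execve) cannot see it; only TTY keystroke logging can.

# The line as posted in the thread: after "disable=*", "enable=logs"
# re-enables TTY auditing only for an account literally named "logs".
AS_POSTED='session required pam_tty_audit.so disable=* enable=logs log_passwd'

# One corrected form: log TTY input for root and a constructed admin account,
# without log_passwd, so no-echo input such as passwords is not captured.
CORRECTED='session required pam_tty_audit.so disable=* enable=root,admin1'

# tty_audit_covers_user LINE USER -> exit 0 when pam_tty_audit will log
# USER's keystrokes under LINE, 1 otherwise.
tty_audit_covers_user() {
    _line=$1; _user=$2; _state=0
    for _word in $_line; do
        case $_word in
            enable=*)  _val=${_word#enable=};  _on=1 ;;
            disable=*) _val=${_word#disable=}; _on=0 ;;
            *) continue ;;            # module path, control flag, log_passwd
        esac
        # comma-delimit the list so a whole-name match is required;
        # a bare "*" matches every account.
        case ",$_val," in
            *,\*,*|*,"$_user",*) _state=$_on ;;
        esac
    done
    [ "$_state" -eq 1 ]
}

# is_builtin NAME -> exit 0 when NAME is a built-in of the shell running
# this script. POSIX "command -V" prints "... is a shell builtin" (or
# "special shell builtin") for built-ins and a path for real programs.
# Note: history is a bash built-in; export/unset/set are built-ins in
# every POSIX shell, so the demo below uses those.
is_builtin() {
    command -V "$1" 2>/dev/null | grep -q builtin
}

# audit_source LINE USER CMD -> prints which audit mechanism, if any, can
# record USER running CMD: "execve", "tty" or "none".
audit_source() {
    _pamline=$1; _who=$2; _cmd=$3
    if ! is_builtin "$_cmd"; then
        echo execve      # a real program is exec'd: the syscall rule sees it
    elif tty_audit_covers_user "$_pamline" "$_who"; then
        echo tty         # built-in, but the typed line is logged as a TTY record
    else
        echo none        # built-in and no TTY audit for this user
    fi
}

# Demo when run directly: compare the posted line with the corrected one.
for cmd in export unset ls; do
    printf '%-7s as posted: %-6s corrected: %s\n' "$cmd" \
        "$(audit_source "$AS_POSTED" root "$cmd")" \
        "$(audit_source "$CORRECTED" root "$cmd")"
done
```

On a live system the "tty" outcome shows up as records of type TTY, which `ausearch -m TTY` lists; the "execve" outcome relies on the syscall rule and appears as SYSCALL/EXECVE records regardless of the PAM line. The "none" outcome for root under the posted line is exactly what the thread observed: with disable=* followed by enable=logs, a built-in typed by root leaves nothing for auditd to record.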
