The audit system uses the pam_tty_audit PAM module to enable or disable auditing of TTY input for specific users or for all users. When an audited user logs in, the pam_tty_audit module records the exact keystrokes the user types on the keyboard and writes them to the /var/log/audit/audit.log file. This article describes how to configure PAM to audit login shell user activity on Linux.
Topic
- How to configure PAM to audit login shell user activity?
- How to audit Linux shell built-in executed commands?
- How to audit all terminal executed commands?
- How to audit all commands executed in a Linux shell?
- How to monitor all Linux users?
Solution
pam_tty_audit works with the auditd daemon, so make sure the auditd daemon is started and enabled before configuring pam_tty_audit. Refer to the following steps for configuration.
- Modify the /etc/pam.d/system-auth and /etc/pam.d/password-auth files and add the list of users for which terminal auditing is enabled or disabled.
# Audit all users and disable auditing for user1,user2
session required pam_tty_audit.so disable=user1,user2 enable=*
# Audit user1,user2,user3 and disable tty auditing for all other users.
session required pam_tty_audit.so disable=* enable=user1,user2,user3
# Audit all users
session required pam_tty_audit.so enable=*
- By default, pam_tty_audit does NOT log keystrokes when the TTY is in password entry mode. Logging can be re-enabled by adding the log_passwd option along with the other options, using the following format.
session required pam_tty_audit.so disable=user1,user2 enable=* log_passwd
Sample PAM configuration for terminal auditing
- Configuration in the /etc/pam.d/system-auth file.
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_tty_audit.so enable=* disable=user1 ### <<<<<<<<<<<<<<<<<<<<<<<<<<<
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
- Configuration in the /etc/pam.d/password-auth file.
# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_tty_audit.so enable=* disable=user1 ### <<<<<<<<<<<<<<<<<<<<<<<<<<<
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
Validate PAM tty audit configuration
# aureport --tty
TTY Report
===============================================
# date time event auid term sess comm data
===============================================
1. 09/13/2019 22:30:36 133 0 ? 1 bash "> /va",<tab>,"log",<tab>,"aud",<tab>,<backspace>,<tab>,<tab>,<ret>
2. 09/13/2019 22:30:36 134 0 ? 1 ? "> /var/log/audit/audit.log "
3. 09/13/2019 22:30:38 135 0 ? 1 bash <^L>,<up>,<up>,<ret>
4. 09/13/2019 22:30:38 136 0 ? 1 ? "aureport --tty"
5. 09/13/2019 22:31:28 137 0 ? 1 bash "df -h",<ret>
6. 09/13/2019 22:31:28 138 0 ? 1 ? "df -h"
7. 09/13/2019 22:34:51 236 1001 ? 4 bash <^L>,"df -h",<ret>,"ls /tmp",<ret>,"ls /root",<ret>,"ls /etc",<ret>,<^L>,"df -h",
In the above report, entries 1 to 6 were generated for the root account and entry 7 for the 1001 (user2) account. Generally, the keystrokes of each bash command entered by the root account are logged on a separate line, whereas a regular user's complete command history is saved in a single line when that user logs out. We can see that the root account executed the df -h and > /var/log/audit/audit.log commands, and that the regular user 1001 executed bash, df -h, ls /tmp, df -h, etc.
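As an added example (not part of the original article), a Python parser for the aureport --tty row format shown above: it replays the keystroke tokens (<ret>, <backspace>, <tab>, <^L>) into the lines each user actually submitted and flags input aimed at the audit log itself, which the report above shows root doing. The sample rows are constructed, and the tampering check is an assumption about what a defender would want to alert on, not something aureport provides.

```python
import re
# Constructed sample laid out like `aureport --tty` rows (not the page's own report).
SAMPLE_REPORT = """\
1. 09/13/2019 22:30:36 133 0 ? 1 bash "> /va",<tab>,"log",<tab>,"aud",<tab>,<backspace>,<tab>,<tab>,<ret>
2. 09/13/2019 22:30:36 134 0 ? 1 ? "> /var/log/audit/audit.log "
3. 09/13/2019 22:34:51 236 1001 ? 4 bash <^L>,"ls /tmp",<ret>,"ls /rootz",<backspace>,<ret>,"df -h",
"""
# Row columns: N. date time event auid term sess comm data
ROW_RE = re.compile(r"^\d+\.\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(.*)$")
# Data column: quoted typed text (C-style escapes) or a <key> token, comma separated
TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|<([^>]+)>')

def tokenize(data):
    for m in TOKEN_RE.finditer(data):
        if m.group(2) is not None:
            yield "key", m.group(2)                 # e.g. ret, tab, backspace, ^L, up
        else:
            yield "text", re.sub(r"\\(.)", r"\1", m.group(1))  # unescape typed characters
def reconstruct(tokens):
    """Replay keystrokes; returns (lines submitted with <ret>, unsubmitted remainder)."""
    lines, cur = [], []
    for kind, val in tokens:
        if kind == "text":
            cur.extend(val)
        elif val == "ret":
            lines.append("".join(cur))
            cur = []
        elif val == "backspace":
            if cur and len(cur[-1]) == 1:           # erase a typed character, never a key marker
                cur.pop()
        elif val != "^L":                           # ^L only clears the screen, input unchanged
            cur.append(f"<{val}>")                  # tab completion / history recall: text not logged
    return lines, "".join(cur)
def parse_tty_report(text):
    entries = []
    for line in text.splitlines():
        if m := ROW_RE.match(line):
            event, auid, sess, comm, data = m.group(3, 4, 6, 7, 8)
            lines, pending = reconstruct(tokenize(data))
            entries.append({"event": int(event), "auid": int(auid), "sess": int(sess),
                            "comm": comm, "lines": lines, "pending": pending})
    return entries
def audit_log_tampering(entries):
    """Flag input that redirects into or deletes files under /var/log/audit (assumed rule)."""
    hits = []
    for e in entries:
        for ln in e["lines"] + ([e["pending"]] if e["pending"] else []):
            if "/var/log/audit" in ln and re.search(r"(^|\s)>|\brm\b|\btruncate\b", ln):
                hits.append((e["auid"], e["sess"], ln))
    return hits
```

Note that the keystroke row for entry 1 cannot be resolved to a path because tab completion text is not recorded; the comm "?" row beside it carries the expanded command, so both row kinds are needed when reviewing the report.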
To search for TTY input logs recorded with timestamps equal to or after a specific time, use -ts to specify the start date/time and -te to set the end date/time.
# aureport --tty -ts 09/14/2019 00:00:00 -te 09/15/2019 23:00:00
# aureport --tty -ts this-week
Refer to the pam_tty_audit man page for more information.
$ man pam_tty_audit