How to configure PAM to Audit Login Shell User Activity on Linux

The audit system uses the pam_tty_audit PAM module to enable or disable auditing of TTY input for specific user or all users. When the audited user logs in, pam_tty_audit module records the exact keystrokes the user types on keyboard and writes them to /var/log/audit/audit.log file. This article describes on How to configure PAM to Audit Login Shell User Activity on Linux.

Topic

• How to configure PAM to Audit login Shell User Activity?

• How to audit Linux shell built-in executed commands?

• How to audit all terminal executed commands?

• How to audit all command executed in Linux shell?

• How to monitor all Linux users?

Solution

pam_tty module works with the auditd daemon, so we need to make sure the auditd daemon is started and enabled before configuring pam_tty_audit. Refer to the following steps for configuration.

• Modify /etc/pam.d/system-auth and /etc/pam.d/password-auth files then add list of users to enable or disable terminal auditing.

# Audit all users and disable auditing for  user1,user2
session required pam_tty_audit.so disable=user1,user2 enable=*

# Audit user1,user2,user3 and disable tty auditing for all other users. 
session required pam_tty_audit.so disable=* enable=user1,user2,user3

# Audit all users  
session required pam_tty_audit.so enable=*

• By default, pam_tty_audit does NOT log keystrokes when the TTY is in password entry mode. Logging can be re-enabled by adding the log_passwd option along with the other options using following format.

  session required pam_tty_audit.so disable=user1,user2 enable=* log_passwd

Sample PAM configuration for terminal auditing

• Configuration in /etc/pam.d/system-auth file.

# cat /etc/pam.d/system-auth 

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_tty_audit.so enable=* disable=user1  ### <<<<<<<<<<<<<<<<<<<<<<<<<<<
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

• Configuration in /etc/pam.d/password-auth file.

# cat /etc/pam.d/password-auth 

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_tty_audit.so enable=* disable=user1    ### <<<<<<<<<<<<<<<<<<<<<<<<<<<
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Validate PAM tty audit configuration

# aureport --tty 
TTY Report
===============================================
# date time event auid term sess comm data
===============================================
1. 09/13/2019 22:30:36 133 0 ? 1 bash "> /va",<tab>,"log",<tab>,"aud",<tab>,<backspace>,<tab>,<tab>,<ret>
2. 09/13/2019 22:30:36 134 0 ? 1 ? "> /var/log/audit/audit.log "
3. 09/13/2019 22:30:38 135 0 ? 1 bash <^L>,<up>,<up>,<ret>
4. 09/13/2019 22:30:38 136 0 ? 1 ? "aureport --tty"
5. 09/13/2019 22:31:28 137 0 ? 1 bash "df -h",<ret>
6. 09/13/2019 22:31:28 138 0 ? 1 ? "df -h"
7. 09/13/2019 22:34:51 236 1001 ? 4 bash <^L>,"df -h",<ret>,"ls /tmp",<ret>,"ls /root",<ret>,"ls /etc",<ret>,<^L>,"df -h",

In the above report, 1 – 6 reports are generated for root account and number 7 is for 1001(user2) account. Generally each bash keystrokes by root account are logged in separate line however regular user’s complete command history are saved in a single line when that user logs out. We can see that root account has executed df -h, > /var/log/audit/audit.log commands and the regular user 1001 has executed bash ,df -h, ls /tmp, df -h, etc commands.

To search for TTY input logs recorded with time stamps equal to or after a specific time, use the -ts to specify the start date/time and -te to set the end date/time.

# aureport --tty -ts 09/14/2019 00:00:00 -te 09/15/2019 23:00:00
# aureport --tty -ts this-week

Refer to pam_tty_audit man page for more information

$ man pam_tty_audit