How to configure PAM to Audit Login Shell User Activity on Linux

The audit system uses the pam_tty_audit PAM module to enable or disable auditing of TTY input for specific users or for all users. When an audited user logs in, the pam_tty_audit module records the exact keystrokes the user types on the keyboard and writes them to the /var/log/audit/audit.log file. This article describes how to configure PAM to audit login shell user activity on Linux.

Topic

  • How to configure PAM to audit login shell user activity?
  • How to audit Linux shell built-in commands?
  • How to audit all commands executed in a terminal?
  • How to audit all commands executed in a Linux shell?
  • How to monitor all Linux users?


Solution


The pam_tty_audit module works with the auditd daemon, so make sure auditd is started and enabled before configuring pam_tty_audit. Refer to the following steps for the configuration.

  • Modify the /etc/pam.d/system-auth and /etc/pam.d/password-auth files and add the list of users for which terminal auditing is enabled or disabled. The enable= and disable= options are evaluated from left to right and, for a given user, the last matching pattern wins, so put the catch-all pattern first and the exceptions after it.
# Audit all users except user1 and user2
session required pam_tty_audit.so enable=* disable=user1,user2

# Audit user1, user2 and user3 and disable tty auditing for all other users
session required pam_tty_audit.so disable=* enable=user1,user2,user3

# Audit all users
session required pam_tty_audit.so enable=*

  • By default, pam_tty_audit does NOT log keystrokes while the TTY is in password entry mode. Logging of that input can be enabled by adding the log_passwd option after the other options, in the following format. Note that passwords typed at a prompt are then stored in clear text in audit.log, so enable it deliberately.
  session required pam_tty_audit.so enable=* disable=user1,user2 log_passwd
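As an added example (not code from the article), the following Python resolves which users a given pam_tty_audit.so session line audits, evaluating enable=/disable= glob patterns left to right with the last match winning as pam_tty_audit does, and flags whether log_passwd is set. The sample lines are constructed in the format shown above.

```python
import fnmatch
import shlex

# Constructed sample lines in the format used in this article (not taken from a live host).
SAMPLE_PAM_LINES = [
    "session     required      pam_tty_audit.so enable=* disable=user1",
    "session     required      pam_tty_audit.so disable=* enable=user1,user2,user3",
    "session     required      pam_tty_audit.so enable=* log_passwd",
]

def parse_tty_audit_line(line):
    """Return the option list of a pam_tty_audit.so session line, or None when
    the line is a comment or configures another module ("-session" counts too)."""
    fields = shlex.split(line, comments=True)
    if not fields or fields[0].lstrip("-") != "session" or "pam_tty_audit.so" not in fields:
        return None
    return fields[fields.index("pam_tty_audit.so") + 1:]

def is_audited(options, user):
    """pam_tty_audit evaluates enable=/disable= patterns left to right and the
    last pattern matching the user wins. Returns True/False, or None when no
    pattern matches (the module then leaves TTY auditing untouched)."""
    state = None
    for opt in options:
        key, sep, patterns = opt.partition("=")
        if sep and key in ("enable", "disable"):
            if any(fnmatch.fnmatchcase(user, p) for p in patterns.split(",")):
                state = key == "enable"
    return state

def audit_summary(line, users):
    """Which of `users` the line audits, and whether it also captures password input."""
    options = parse_tty_audit_line(line)
    if options is None:
        return None
    return {
        "audited": [u for u in users if is_audited(options, u)],
        "logs_passwords": "log_passwd" in options,
    }

if __name__ == "__main__":
    for line in SAMPLE_PAM_LINES:
        print(audit_summary(line, ["root", "user1", "user2", "alice"]))
```

Run it against each session line of your own system-auth and password-auth to confirm both files audit the same set of users.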


Sample PAM configuration for terminal auditing
  • Configuration in /etc/pam.d/system-auth file.
# cat /etc/pam.d/system-auth 

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_tty_audit.so enable=* disable=user1  ### <<<<<<<<<<<<<<<<<<<<<<<<<<<
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

  • Configuration in /etc/pam.d/password-auth file.
# cat /etc/pam.d/password-auth 

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_tty_audit.so enable=* disable=user1    ### <<<<<<<<<<<<<<<<<<<<<<<<<<<
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Validate PAM tty audit configuration
# aureport --tty 
TTY Report
===============================================
# date time event auid term sess comm data
===============================================
1. 09/13/2019 22:30:36 133 0 ? 1 bash "> /va",<tab>,"log",<tab>,"aud",<tab>,<backspace>,<tab>,<tab>,<ret>
2. 09/13/2019 22:30:36 134 0 ? 1 ? "> /var/log/audit/audit.log "
3. 09/13/2019 22:30:38 135 0 ? 1 bash <^L>,<up>,<up>,<ret>
4. 09/13/2019 22:30:38 136 0 ? 1 ? "aureport --tty"
5. 09/13/2019 22:31:28 137 0 ? 1 bash "df -h",<ret>
6. 09/13/2019 22:31:28 138 0 ? 1 ? "df -h"
7. 09/13/2019 22:34:51 236 1001 ? 4 bash <^L>,"df -h",<ret>,"ls /tmp",<ret>,"ls /root",<ret>,"ls /etc",<ret>,<^L>,"df -h",

In the report above, entries 1 to 6 were generated for the root account (auid 0) and entry 7 for auid 1001 (user2). In general, each set of keystrokes typed by the root account is logged as a separate entry, whereas a regular user's complete command history is written as a single entry when that user logs out. We can see that the root account executed df -h and > /var/log/audit/audit.log, and that the regular user 1001 executed df -h, ls /tmp, ls /root, ls /etc and df -h again in a bash session.
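To review such a report programmatically, here is an added Python example (not part of the article) that parses the aureport --tty layout shown above and replays the keystroke tokens back into command lines, flagging entries whose final command cannot be recovered because tab completion or history recall was used. The sample report is constructed from the entries above.

```python
import re

# Constructed sample in the layout of the aureport --tty output above (not real audit data).
SAMPLE_REPORT = """\
TTY Report
===============================================
# date time event auid term sess comm data
===============================================
1. 09/13/2019 22:30:36 133 0 ? 1 bash "> /va",<tab>,"log",<tab>,"aud",<tab>,<backspace>,<tab>,<tab>,<ret>
5. 09/13/2019 22:31:28 137 0 ? 1 bash "df -h",<ret>
7. 09/13/2019 22:34:51 236 1001 ? 4 bash <^L>,"df -h",<ret>,"ls /tmp",<ret>,"ls /root",<ret>,"ls /etc",<ret>,<^L>,"df -h",
"""

# columns: num. date time event auid term sess comm data  -> capture event, auid and data
RECORD_RE = re.compile(r'^\d+\.\s+\S+\s+\S+\s+(\d+)\s+(\d+)\s+\S+\s+\d+\s+\S+\s+(.*)$')
TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|<([^>]+)>')  # "typed text" or <key> tokens

def replay_keystrokes(data):
    """Quoted text is appended, <ret> ends a line, <backspace> removes a char.
    A record with completion/history keys is flagged lossy: its final command
    line cannot be recovered from keystrokes alone."""
    lines, buf, lossy = [], "", False
    for text, key in TOKEN_RE.findall(data):
        if not key:
            buf += text
        elif key == "ret":
            lines.append(buf)
            buf = ""
        elif key == "backspace":
            buf = buf[:-1]
        elif key in ("tab", "up", "down"):  # resolved by the shell, not visible here
            lossy = True
    return lines, buf, lossy

def parse_report(text):
    """One dict per TTY record; header and separator lines do not match."""
    records = []
    for m in filter(None, map(RECORD_RE.match, text.splitlines())):
        lines, buf, lossy = replay_keystrokes(m.group(3))
        records.append({"event": int(m.group(1)), "auid": int(m.group(2)),
                        "commands": lines, "pending": buf, "lossy": lossy})
    return records

def commands_by_auid(records):
    """Exactly reconstructed commands per login uid, ready for review."""
    out = {}
    for r in records:
        if not r["lossy"]:
            out.setdefault(r["auid"], []).extend(r["commands"])
    return out
```

For lossy entries, cross-check the adjacent entry with comm "?" in the report, which carries the completed command line.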

To search for TTY input logs recorded within a specific time window, use the -ts option to specify the start date/time and the -te option to specify the end date/time.

# aureport --tty -ts 09/14/2019 00:00:00 -te 09/15/2019 23:00:00
# aureport --tty -ts this-week

Refer to the pam_tty_audit man page for more information.

$ man pam_tty_audit


About the Author: TekFik

TekFik is a technical blogging site helps techies and engineers to solve their day to day issues and also allows everyone to share knowledge and feedback. Please feel free to contact us at tekfik.rd@gmail.com if there is anything.
