5

Currently, we use Snoopy to monitor all commands issued by users on some externally accessible servers. We're in the process of updating everything to RHEL8 to ensure supportability and compliance, and discovered that my beloved Snoopy is no longer maintained. So it won't pass the compliance audit and needs to be replaced.

I looked into using auditd to do it, by enabling "pam_tty_audit.so" in system-auth and password-auth. This did the trick, but the output is, well, let's just say it's less than desirable. Not to mention basically unreadable.

I tried setting up /etc/profile to log by adding this...

function log2syslog
{
   declare COMMAND
   COMMAND=$(fc -ln -0)    # the command line just entered, taken from shell history
   logger -p local1.notice -t bash -i -- "${USER}:${COMMAND}"
}
trap log2syslog DEBUG      # DEBUG trap fires before every simple command

And adding this to /etc/rsyslog.conf

local1.* -/var/log/cmdline

It works GREAT! But the solution was declined because it can be overridden by users.

I even tried using rootsh as a shell for users and logging that. Logs well, but there's no time/date stamps on it. So not acceptable.

So back to the question at hand. I need a replacement for Snoopy that logs EVERY command executed, in a readable format with timestamps, that users cannot override.

Any thoughts?

Egyas
  • Eh? `pam_tty_audit` output is quite readable, if you do it correctly, as documented, with `aureport --tty` plus any filtering options you wish. – Michael Hampton Oct 02 '20 at 00:45
  • Our log output is crazy. Here's a small example... 29. 09/30/2020 18:27:51 126 1000 ? 3 view "G",,,,,,,,,,,,,,,,,":q", 30. 09/30/2020 18:27:58 127 0 ? 1 bash "su - y",,"test_user2",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"sesta",,,"exit", – Egyas Oct 02 '20 at 18:12
  • So far I have been unsuccessful in finding ways to turn the output. – Egyas Oct 02 '20 at 18:12
  • Someone used the arrow keys a lot. This is pretty normal. I don't know how the old snoopy logged the use of arrow keys, but it probably wasn't quite as readable as this. – Michael Hampton Oct 02 '20 at 18:13
  • Our snoopy config didn't log arrows, tabs, etc. Only completed commands. Honestly, that's what I'm trying to replicate is the logging of the user's commands. As to the arrow keys junkie, guilty as charged! That was me. After all, why type a 7 character command, when you can press "up" 12 times? lol – Egyas Oct 02 '20 at 18:35

1 Answer

3

The audit system is perfectly capable of logging all users' commands without pam_tty_audit, which only logs terminal keystrokes. You should set up auditing to do this instead of pam_tty_audit. By default on RHEL 8 auditing is already enabled and logs many system events.

To configure auditing to log all user commands, edit the file /etc/audit/rules.d/audit.rules. First, since you need syscall auditing, comment out the existing line:

## This suppresses syscall auditing for all tasks started
## with this rule in effect.  Remove it if you need syscall
## auditing.
# -a task,never

Now add for auditing 64-bit and 32-bit commands:

-a exit,always -F arch=b64 -S execve -k auditcmd
-a exit,always -F arch=b32 -S execve -k auditcmd

Note that here, auditcmd is a key with which you can search the audit logs with ausearch. You can change this to anything you like.

Kill and restart auditd. Note that it needs to be killed manually by root; the systemd unit will not let you stop or restart it.

# killall auditd; systemctl start auditd

Now run a few commands, and then you can use ausearch to see them in the audit log.

# ausearch -k auditcmd    # you can use additional filters; see the man page
...
time->Fri Oct  2 15:39:03 2020
type=PROCTITLE msg=audit(1601667543.738:64335): proctitle=636174002F6574632F61756469742F72756C65732E642F61756469742E72756C6573
type=PATH msg=audit(1601667543.738:64335): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=214448 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1601667543.738:64335): item=0 name="/usr/bin/cat" inode=201558633 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1601667543.738:64335): cwd="/root"
type=EXECVE msg=audit(1601667543.738:64335): argc=2 a0="cat" a1="/etc/audit/rules.d/audit.rules"
type=SYSCALL msg=audit(1601667543.738:64335): arch=c000003e syscall=59 success=yes exit=0 a0=558ba44ba550 a1=558ba42da110 a2=558ba4472790 a3=8 items=2 ppid=4070001 pid=1516048 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="auditcmd"
----
time->Fri Oct  2 15:39:06 2020
type=PROCTITLE msg=audit(1601667546.102:64336): proctitle=6175736561726368002D6B006175646974636D64
type=PATH msg=audit(1601667546.102:64336): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=214448 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1601667546.102:64336): item=0 name="/usr/sbin/ausearch" inode=2004931 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1601667546.102:64336): cwd="/root"
type=EXECVE msg=audit(1601667546.102:64336): argc=3 a0="ausearch" a1="-k" a2="auditcmd"
type=SYSCALL msg=audit(1601667546.102:64336): arch=c000003e syscall=59 success=yes exit=0 a0=558ba4476360 a1=558ba44aa840 a2=558ba4472790 a3=8 items=2 ppid=4070001 pid=1516273 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="ausearch" exe="/usr/sbin/ausearch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="auditcmd"

You can see that all of the information about the command is logged, including its arguments, working directory, user/group, SELinux context, and much more. If you just want the command, that's in the EXECVE line. It's also encoded in hex in the PROCTITLE line, which you can feed to a hex decoder.

See also RHEL KB article How to audit all commands run in the system?

Michael Hampton
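The answer above leaves the reader with raw ausearch records and the remark that the command lives in the EXECVE line (or hex-encoded in PROCTITLE). The following is an added example, not part of the answer or of the audit package, showing how those records fit together: it groups records by their audit serial number, reassembles argv from EXECVE, decodes hex-encoded arguments and the PROCTITLE fallback, and prints one timestamped line per command, which is the readable format the question asked for. The first two sample events are the ones printed in the answer (the second trimmed to the fields used here); the third event, the user "alice", and the `echo "hello world"` command are constructed to show an argument the kernel hex-encodes because it contains a space. Times are rendered in UTC rather than the local time ausearch printed.

```python
"""Collapse raw `ausearch -k auditcmd` output into one readable, timestamped line per command."""
import re
from datetime import datetime, timezone

# Constructed sample input: two events from the answer above plus one invented event
# (serial 64337, user alice) whose argument contains a space and is therefore hex-encoded.
SAMPLE = """\
time->Fri Oct  2 15:39:03 2020
type=PROCTITLE msg=audit(1601667543.738:64335): proctitle=636174002F6574632F61756469742F72756C65732E642F61756469742E72756C6573
type=PATH msg=audit(1601667543.738:64335): item=0 name="/usr/bin/cat" inode=201558633 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
type=CWD msg=audit(1601667543.738:64335): cwd="/root"
type=EXECVE msg=audit(1601667543.738:64335): argc=2 a0="cat" a1="/etc/audit/rules.d/audit.rules"
type=SYSCALL msg=audit(1601667543.738:64335): arch=c000003e syscall=59 success=yes exit=0 ppid=4070001 pid=1516048 auid=1000 uid=0 gid=0 euid=0 tty=pts1 ses=2 comm="cat" exe="/usr/bin/cat" key="auditcmd"
----
time->Fri Oct  2 15:39:06 2020
type=PROCTITLE msg=audit(1601667546.102:64336): proctitle=6175736561726368002D6B006175646974636D64
type=CWD msg=audit(1601667546.102:64336): cwd="/root"
type=EXECVE msg=audit(1601667546.102:64336): argc=3 a0="ausearch" a1="-k" a2="auditcmd"
type=SYSCALL msg=audit(1601667546.102:64336): arch=c000003e syscall=59 success=yes exit=0 ppid=4070001 pid=1516273 auid=1000 uid=0 gid=0 euid=0 tty=pts1 ses=2 comm="ausearch" exe="/usr/sbin/ausearch" key="auditcmd"
----
time->Fri Oct  2 15:39:10 2020
type=PROCTITLE msg=audit(1601667550.500:64337): proctitle=6563686F0068656C6C6F20776F726C64
type=CWD msg=audit(1601667550.500:64337): cwd="/home/alice"
type=EXECVE msg=audit(1601667550.500:64337): argc=2 a0="echo" a1=68656C6C6F20776F726C64
type=SYSCALL msg=audit(1601667550.500:64337): arch=c000003e syscall=59 success=yes exit=0 ppid=4070001 pid=1516300 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts2 ses=3 comm="echo" exe="/usr/bin/echo" key="auditcmd"
"""

# Every record line starts with its type and the audit(<epoch>.<ms>:<serial>) stamp;
# all records of one event share the same serial.
RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')


def unquote(value):
    """Audit quotes strings it considers safe and hex-encodes ones containing
    spaces, control characters or double quotes; undo either form."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if HEX_RE.match(value):
        return bytes.fromhex(value).decode('utf-8', 'replace')
    return value


def parse_events(text):
    """Group ausearch records by serial. Returns {serial: {'ts': float, 'records': {type: [fields]}}}."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:  # 'time->' headers and '----' separators carry nothing we need
            continue
        event = events.setdefault(m['serial'], {'ts': float(m['ts']), 'records': {}})
        fields = dict(FIELD_RE.findall(m['body']))
        event['records'].setdefault(m['type'], []).append(fields)
    return events


def command_line(event):
    """Reassemble argv from EXECVE; fall back to the NUL-separated PROCTITLE hex."""
    execve = event['records'].get('EXECVE', [{}])[0]
    if 'argc' in execve:
        return ' '.join(unquote(execve.get(f'a{i}', '')) for i in range(int(execve['argc'])))
    raw = event['records'].get('PROCTITLE', [{}])[0].get('proctitle', '')
    if HEX_RE.match(raw):
        parts = bytes.fromhex(raw).split(b'\x00')
        return ' '.join(p.decode('utf-8', 'replace') for p in parts if p)
    return unquote(raw)


def summarize(event):
    """One line: UTC time, login uid (auid), effective uid, tty, session, cwd, command."""
    syscall = event['records'].get('SYSCALL', [{}])[0]
    cwd = unquote(event['records'].get('CWD', [{}])[0].get('cwd', '?'))
    when = datetime.fromtimestamp(event['ts'], tz=timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')
    return (f"{when} auid={syscall.get('auid', '?')} uid={syscall.get('uid', '?')} "
            f"tty={syscall.get('tty', '?')} ses={syscall.get('ses', '?')} "
            f"cwd={cwd} cmd={command_line(event)}")


def readable_log(text):
    """Turn a whole ausearch dump into a list of readable lines, in event order."""
    return [summarize(ev) for ev in parse_events(text).values()]


if __name__ == '__main__':
    for line in readable_log(SAMPLE):
        print(line)
```

Reading auid (the login uid, which survives `su` and `sudo`) alongside uid is what lets you attribute a root command back to the person who logged in. In day-to-day use `ausearch -i` (or `aureport -x`) already performs the same hex and uid interpretation, so the script is mainly useful as a template for shipping events to a SIEM or a flat file. Two caveats the sample does not cover: arguments longer than the kernel's per-record limit are split into `a1[0]=`, `a1[1]=`, ... fields that need to be concatenated, and because the rule is enforced in the kernel rather than in the user's shell, no profile or shell setting can bypass it; adding `-e 2` as the last line of the rules file additionally locks the ruleset until reboot.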