The audit system is perfectly capable of logging all users' commands without pam_tty_audit, which only logs terminal keystrokes. You should set up auditing to do this instead of pam_tty_audit. By default on RHEL 8 auditing is already enabled and logs many system events.
To configure auditing to log all user commands, edit the file /etc/audit/rules.d/audit.rules. First, since you need syscall auditing, comment out the existing line:
## This suppresses syscall auditing for all tasks started
## with this rule in effect. Remove it if you need syscall
## auditing.
# -a task,never
Now add for auditing 64-bit and 32-bit commands:
-a exit,always -F arch=b64 -S execve -k auditcmd
-a exit,always -F arch=b32 -S execve -k auditcmd
Note that here, auditcmd is a key with which you can search the audit logs with ausearch. You can change this to anything you like.
Kill and restart auditd. Note that it needs to be killed manually by root; the systemd unit will not let you stop or restart it.
# killall auditd; systemctl start auditd
Now run a few commands, and then you can use ausearch to see them in the audit log.
# ausearch -k auditcmd # you can use additional filters; see the man page
...
time->Fri Oct 2 15:39:03 2020
type=PROCTITLE msg=audit(1601667543.738:64335): proctitle=636174002F6574632F61756469742F72756C65732E642F61756469742E72756C6573
type=PATH msg=audit(1601667543.738:64335): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=214448 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1601667543.738:64335): item=0 name="/usr/bin/cat" inode=201558633 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1601667543.738:64335): cwd="/root"
type=EXECVE msg=audit(1601667543.738:64335): argc=2 a0="cat" a1="/etc/audit/rules.d/audit.rules"
type=SYSCALL msg=audit(1601667543.738:64335): arch=c000003e syscall=59 success=yes exit=0 a0=558ba44ba550 a1=558ba42da110 a2=558ba4472790 a3=8 items=2 ppid=4070001 pid=1516048 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="auditcmd"
----
time->Fri Oct 2 15:39:06 2020
type=PROCTITLE msg=audit(1601667546.102:64336): proctitle=6175736561726368002D6B006175646974636D64
type=PATH msg=audit(1601667546.102:64336): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=214448 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1601667546.102:64336): item=0 name="/usr/sbin/ausearch" inode=2004931 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1601667546.102:64336): cwd="/root"
type=EXECVE msg=audit(1601667546.102:64336): argc=3 a0="ausearch" a1="-k" a2="auditcmd"
type=SYSCALL msg=audit(1601667546.102:64336): arch=c000003e syscall=59 success=yes exit=0 a0=558ba4476360 a1=558ba44aa840 a2=558ba4472790 a3=8 items=2 ppid=4070001 pid=1516273 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="ausearch" exe="/usr/sbin/ausearch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="auditcmd"
You can see that all of the information about the command is logged, including its arguments, working directory, user/group, SELinux context, and much more. If you just want the command, that's in the EXECVE line. It's also encoded in hex in the PROCTITLE line, which you can feed to a hex decoder.
See also RHEL KB article How to audit all commands run in the system?
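As an added example (not part of the answer above), the following Python script turns raw ausearch output like the records shown into one structured entry per execve event: it groups records by the audit serial number, rebuilds argv from the EXECVE a0..aN fields, decodes the NUL-separated hex PROCTITLE value that the answer mentions, and pulls the auid/uid/cwd/exe/key fields a reviewer usually wants. The sample input is constructed from the two events above (PATH records dropped) plus a third, invented event whose argument contains a space, because auditd writes such values as unquoted hex in the EXECVE record; the parser handles that case. Names like parse_ausearch and summarize are this example's own, not audit tooling.

```python
"""Parse raw `ausearch` output into one entry per execve event.

Added example: groups records by audit serial, decodes hex-encoded
EXECVE arguments and PROCTITLE, and summarizes who ran what, where.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample: events 64335/64336 from the answer (PATH records
# omitted) plus a constructed event 64337 whose a1 is unquoted hex
# ("hello world"), as auditd emits arguments that contain whitespace.
SAMPLE = """\
time->Fri Oct 2 15:39:03 2020
type=PROCTITLE msg=audit(1601667543.738:64335): proctitle=636174002F6574632F61756469742F72756C65732E642F61756469742E72756C6573
type=CWD msg=audit(1601667543.738:64335): cwd="/root"
type=EXECVE msg=audit(1601667543.738:64335): argc=2 a0="cat" a1="/etc/audit/rules.d/audit.rules"
type=SYSCALL msg=audit(1601667543.738:64335): arch=c000003e syscall=59 success=yes exit=0 a0=558ba44ba550 a1=558ba42da110 a2=558ba4472790 a3=8 items=2 ppid=4070001 pid=1516048 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="auditcmd"
----
time->Fri Oct 2 15:39:06 2020
type=PROCTITLE msg=audit(1601667546.102:64336): proctitle=6175736561726368002D6B006175646974636D64
type=CWD msg=audit(1601667546.102:64336): cwd="/root"
type=EXECVE msg=audit(1601667546.102:64336): argc=3 a0="ausearch" a1="-k" a2="auditcmd"
type=SYSCALL msg=audit(1601667546.102:64336): arch=c000003e syscall=59 success=yes exit=0 a0=558ba4476360 a1=558ba44aa840 a2=558ba4472790 a3=8 items=2 ppid=4070001 pid=1516273 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="ausearch" exe="/usr/sbin/ausearch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="auditcmd"
----
time->Fri Oct 2 15:40:00 2020
type=CWD msg=audit(1601667600.000:64337): cwd="/tmp"
type=EXECVE msg=audit(1601667600.000:64337): argc=3 a0="echo" a1=68656C6C6F20776F726C64 a2="done"
type=SYSCALL msg=audit(1601667600.000:64337): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=4070001 pid=1516300 auid=1000 uid=0 gid=0 euid=0 tty=pts1 ses=2 comm="echo" exe="/usr/bin/echo" key="auditcmd"
"""

# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def unquote(raw):
    """Strip the surrounding double quotes audit puts on plain strings."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return raw


def decode_arg(raw):
    """Decode an EXECVE aN or PROCTITLE value.

    Plain values are quoted; values containing whitespace or control
    bytes are written as unquoted hex, which we decode. Only call this
    on those fields: numeric SYSCALL fields (pid=...) would also match.
    """
    if raw.startswith('"'):
        return unquote(raw)
    if HEX_RE.fullmatch(raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw  # e.g. "(null)"


def parse_ausearch(text):
    """Group ausearch records by serial; return a list of event dicts."""
    events = defaultdict(lambda: {"time": None, "argv": [], "proctitle": None})
    current_time = None
    for line in text.splitlines():
        if line.startswith("time->"):
            current_time = line[len("time->"):]
            continue
        m = MSG_RE.search(line)
        if not m:  # "----" separators and anything else without a msg
            continue
        ev = events[int(m.group(2))]
        ev["time"] = current_time
        ev["epoch"] = float(m.group(1))
        fields = dict(FIELD_RE.findall(line))
        rtype = fields.get("type")
        if rtype == "EXECVE":
            # Note: very long arguments are split into aN[0], aN[1], ...
            # chunks by auditd; that continuation form is not handled here.
            ev["argv"] = [decode_arg(fields.get(f"a{i}", '""'))
                          for i in range(int(fields["argc"]))]
        elif rtype == "PROCTITLE":
            # proctitle is argv joined by NUL bytes, hex-encoded when it
            # contains a NUL (i.e. whenever there is more than one arg)
            ev["proctitle"] = decode_arg(fields["proctitle"]).split("\0")
        elif rtype == "CWD":
            ev["cwd"] = unquote(fields["cwd"])
        elif rtype == "SYSCALL":
            for k in ("auid", "uid", "euid", "pid", "ppid", "ses", "tty",
                      "comm", "exe", "key", "success"):
                if k in fields:
                    ev[k] = unquote(fields[k])
    return [dict(serial=s, **ev) for s, ev in sorted(events.items())]


def summarize(ev):
    """One line per execve: when, who (login uid and effective uid), where, what."""
    return (f"{ev['time']} auid={ev.get('auid')} uid={ev.get('uid')} "
            f"tty={ev.get('tty')} cwd={ev.get('cwd')} "
            f"exe={ev.get('exe')} cmd={shlex.join(ev['argv'])}")


if __name__ == "__main__":
    for event in parse_ausearch(SAMPLE):
        print(summarize(event))
```

Note that auid is the login uid and survives su/sudo, so comparing auid with uid in the summary is what tells you which person ran a command as root. Pipe real data in with `ausearch -k auditcmd` (or `ausearch -k auditcmd --raw` if you adapt the time handling, since raw mode omits the `time->` lines).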