41

I want to monitor all users' activity on my server.

Even when the user executes a shell command from some editor like vim I want to see them in the log file.

I have checked the tool acct but it is not listing the complete commands. (Please correct me if I have missed some options which do that already.)

Which Linux tool should I be looking at to solve this problem?

Ben Campbell
Supratik

5 Answers

37

Add this line to your PAM config responsible for logins (it's system-auth on Red Hat based distros):

session    required     pam_tty_audit.so enable=*

To find out what was done, you can use:

ausearch -ts <some_timestamp> -m tty -i

This produces an output like this:

 type=TTY msg=audit(11/30/2011 15:38:39.178:12763684) : tty pid=32377 uid=root
 auid=matthew major=136 minor=2 comm=bash data=<up>,<ret>

The only downside to this is it can be a little bit difficult to read, but it is much better than most proposed solutions since in theory it could be used to record an entire session, warts 'n' all.

Edit: Oh and you can use aureport to generate a list that can be more helpful.

# aureport --tty
...
12. 11/30/2011 15:50:54 12764042 501 ? 4294967295 bash "d",<^D>
13. 11/30/2011 15:52:30 12764112 501 ? 4294967295 bash "aureport --ty",<ret>
14. 11/30/2011 15:52:31 12764114 501 ? 4294967295 bash <up>,<left>,<left>,"t",<ret>
Matthew Ife
  • Thanks for the details. I am using Ubuntu 10.04 LTS. When I check the folder /lib/security/ the module is not present but there is a man page present for that module. I think I have hit this bug https://bugs.launchpad.net/ubuntu/+source/pam/+bug/588547 Is there any other way I can install that module? – Supratik Dec 01 '11 at 07:56
  • The bug report suggests a fix and update was distributed. – Matthew Ife Dec 02 '11 at 10:54
  • @Mlfe I compiled the PAM source code and copied the .so file in /lib/security/ and it worked. Thanks again. – Supratik Dec 04 '11 at 09:02
  • Note that `pam_tty_audit.so` will capture all interactions, *including passwords* – Cameron Kerr Sep 17 '14 at 00:09
  • 1
    @CameronKerr: the password issue is fixed: https://www.redhat.com/archives/linux-audit/2013-May/msg00007.html – Yohann Mar 03 '15 at 10:35
  • 3
    Note, it's worth mentioning that for the above to work the `auditd` daemon needs to be enabled first (it wasn't by default on my CentOS 6.7 install). To start the daemon, use: `service auditd start`, and to make this change persistent (after reboots), use `chkconfig auditd on` Source: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Configuring_PAM_for_Auditing.html and https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-starting_the_audit_service.html – jonny Jan 07 '16 at 10:47
  • I was going to ask 'why do we need this', but by default, the kernel does not audit input on any TTY. https://linux.die.net/man/8/pam_tty_audit – jouell May 27 '17 at 02:26
  • `tty is an unsupported option` – L29Ah Nov 01 '18 at 19:49
  • @L29Ah no, it's not; on CentOS 6 it is there. Not sure what distro you're rolling out for that not to be a supported option. – Matthew Ife Nov 01 '18 at 19:54
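Added example (not from the answer above or from the audit project): a small Python decoder that replays the keystroke tokens in `aureport --tty` records into the command lines that were actually committed, which addresses the readability problem the answer mentions. Records 13 and 14 in the sample are the page's own lines; record 15 and the key spellings `<backspace>`/`<^?>`/`<^H>` are assumptions, so check them against your own auditd output.

```python
import re

# Constructed sample in the `aureport --tty` layout above; records 13/14 are the page's, 15 is added.
SAMPLE = """\
13. 11/30/2011 15:52:30 12764112 501 ? 4294967295 bash "aureport --ty",<ret>
14. 11/30/2011 15:52:31 12764114 501 ? 4294967295 bash <up>,<left>,<left>,"t",<ret>
15. 11/30/2011 15:53:02 12764120 501 ? 4294967295 bash "ls -la",<backspace>,"h",<ret>
"""
# idx. date time event auid term ses comm data   (the data field may contain spaces)
REC = re.compile(r"^\d+\.\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+(.*)$")
BACKSPACE = {"<backspace>", "<^?>", "<^H>"}  # assumed key spellings, adjust to your auditd

def tokenize(data):
    """Split a data field into ('text', str) and ('key', '<name>') tokens."""
    out, i = [], 0
    while i < len(data):
        if data[i] == '"':                       # quoted literal text
            j = data.index('"', i + 1); out.append(("text", data[i + 1:j])); i = j + 1
        elif data[i] == "<":                     # interpreted key name
            j = data.index(">", i); out.append(("key", data[i:j + 1])); i = j + 1
        else:                                    # comma separator
            i += 1
    return out

class LineEditor:  # tiny readline model: edit buffer, cursor, history, committed lines
    def __init__(self):
        self.buf, self.cur, self.hist, self.hpos, self.lines = [], 0, [], 0, []

    def feed(self, kind, val):
        if kind == "text":                                   # insert at cursor
            self.buf[self.cur:self.cur] = list(val); self.cur += len(val)
        elif val == "<ret>":                                 # commit the line
            line = "".join(self.buf); self.lines.append(line)
            if line: self.hist.append(line)
            self.buf, self.cur, self.hpos = [], 0, len(self.hist)
        elif val in ("<up>", "<down>"):                      # recall history
            self.hpos = max(0, min(len(self.hist), self.hpos + (1 if val == "<down>" else -1)))
            self.buf = list(self.hist[self.hpos]) if self.hpos < len(self.hist) else []
            self.cur = len(self.buf)
        elif val in ("<left>", "<right>"):                   # move cursor
            self.cur = max(0, min(len(self.buf), self.cur + (1 if val == "<right>" else -1)))
        elif val in BACKSPACE and self.cur:                  # delete before cursor
            del self.buf[self.cur - 1]; self.cur -= 1
        # <^D>, <tab>, <esc> sequences etc. are not modelled and are ignored

def reconstruct(report):
    """Return the command lines committed with <ret>, in order."""
    ed = LineEditor()
    for m in filter(None, map(REC.match, report.splitlines())):  # skips '...' lines
        for tok in tokenize(m.group(1)):
            ed.feed(*tok)
    return ed.lines
```

Run `reconstruct(SAMPLE)` to see the three committed commands; keystrokes that never reach `<ret>` stay in the buffer and are not reported.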
9

The best solution to your problem would be Linux's built-in audit system. Use man 8 auditd or check this page for more information: http://linux.die.net/man/8/auditd.

Also, you can check this tutorial - while it is slightly out of the scope of your question, it shows how the audit system works.

Vladimir Blaskov
4

A lesser known trick, but easily the most awesome is just to use the built-in audit capabilities of sudo. Sudo ships with a sudoreplay command that makes replaying sessions easy. It will even relay vim sessions (as you suggest).

Here's how to use it in a few easy steps:

  1. Install sudosh on your system; this is a shell wrapper around the sudo command that makes a user sudo themselves (not root) and can be used as a system login shell.
  2. Enable sudo logging. Edit /etc/sudoers.d/sudosh:

     Defaults log_output
     Defaults!/usr/bin/sudoreplay !log_output
     Defaults!/sbin/reboot !log_output

  3. Add this command to /etc/shells to permit logins using it:

     /usr/bin/sudosh

     Tip: to prevent users from using other shells to login, remove those other shells from /etc/shells.

  4. Update the user foobar to use the sudosh shell:

     chsh -s /usr/bin/sudosh foobar

For more detailed information, see: https://github.com/cloudposse/sudosh/

3

You could use snoopy.

It is a simple command logging library, and not a proper audit solution (easily circumvented). Disclosure: I am the current snoopy maintainer.

  • Can you provide a smart way to set the environment so that it cannot get circumvented? – George Y Sep 07 '21 at 10:35
  • @GeorgeY, no. If you need an actual accounting solution (non-circumventable), use an appropriate tool for that, like auditd-based mechanism mentioned above (or anything else that is kernel-based, which Snoopy isn't). – Bostjan Skufca Jese Sep 07 '21 at 23:47
1

Here's a magic solution: http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-accounting.html

  • yum install psacct (redhat)
  • sudo apt-get install acct

You can display statistics about user commands/connections etc.

List all commands invoked by a given user ...

Search the accounting logs by command name:

 $ lastcomm rm
 $ lastcomm passwd

and so on; for more information please visit the above link.