
I am trying to set up a robust auditing mechanism on my CentOS 6.x boxes. I have tried and tested various auditing tools like

  • auditd
  • aide
  • psacct

But none is fulfilling my requirement. My requirement is quite simple, and I know one auditing system will not serve all and I may have to use different audit systems altogether. I want to

  • Monitor all the commands run by a user

psacct is doing this perfectly, but it tells only the command run by the user and not the arguments passed to the command, i.e. if the user runs vim /etc/passwd, then lastcomm <username> will only tell that the vim command was run but not which file was actually edited.

And auditd tells that e.g. the vim command was run and a particular file was edited, but does not tell who edited the file.

Suppose I run a command as a sudo user; then it won't tell me which user edited the particular file if there are 10 sudo users, as the gid and uid will be those of the superuser in the output of the command:

time->Sat Jun 20 15:52:45 2015
type=PATH msg=audit(1434795765.057:54685): item=4 name="/etc/passwd" inode=152790 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1434795765.057:54685): item=3 name="/etc/passwd" inode=152786 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1434795765.057:54685): item=2 name="/etc/passwd+" inode=152790 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1434795765.057:54685): item=1 name="/etc/" inode=130562 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1434795765.057:54685): item=0 name="/etc/" inode=130562 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1434795765.057:54685):  cwd="/etc"
type=SYSCALL msg=audit(1434795765.057:54685): arch=c000003e syscall=82 success=yes exit=0 a0=7fffba897300 a1=7fd7cc94ece0 a2=7fffba8971c0 a3=0 items=5 ppid=14041 pid=14043 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=8494 comm="useradd" exe="/usr/sbin/useradd" key=(null)

  • Would like to track actual changes made to the file

The aide tool tells that a file has been modified, but how can I get details of the content that was actually modified and which user did the modification?

sebix
  • You're asking a couple of different questions here. First, user auditing through what commands are being run. I'm pretty sure we can do that with auditd but I'll have to do some research. The other question is file auditing through a FIM. I'd split these out for better results. Also check out our sister site for Information Security folks at http://security.stackexchange.com – Scott Pack Jun 20 '15 at 12:30
  • Commands call other commands. When a user runs a program or a script, often times, dozens of separate processes may run before the original command exits. Is it your desire to record all of these, or just the initial parent process? – JeffG Jun 20 '15 at 14:03
  • @ScottPack yes, I want to do both: record file changes and all commands run by a user. – thinkingmonster Jun 21 '15 at 03:57
  • @JeffG I am interested only in the parent process. – thinkingmonster Jun 21 '15 at 03:58

1 Answer


You can implement this using auditd and a PAM module. You need to load the PAM module pam_tty_audit under session like:

session required pam_tty_audit.so disable=testuser1 enable=testuser,root

in both /etc/pam.d/password-auth and /etc/pam.d/system-auth files.

The keystrokes of the enabled users will then get logged into the audit log.

When generating the audit report, use the -i option with aureport to get the exact username, e.g.:

aureport --tty -i -ts today

One drawback of this method is that all keystrokes will get logged, including passwords entered in the terminal.

For tracking file changes, aide can be used. It uses a checksum verification method, but the exact line changed in the file is not traceable.

MadHatter
  • Hi Bhuvanesh! It is really inspiring! However, I got empty records with a trial on logging root activities with `session required pam_tty_audit.so enable=root` line in the two files you mentioned. What else should be done to enact the logging? I have already executed `service auditd restart`. – George Y Sep 07 '21 at 11:19
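The two halves of the thread meet in one detail of the raw records that neither the question nor the answer spells out: every SYSCALL record carries auid, the login uid, which the kernel fixes at login and preserves across sudo and su, while uid/euid reflect the escalated identity. The question's sample shows auid=0 only because that session logged in as root directly; for a sudo user auid keeps the original uid, and the ses field ties the file change to that user's pam_tty_audit keystrokes, which land in type=TTY records with the typed bytes hex-encoded in data= (what `aureport --tty -i` and `ausearch -i` decode for you). The following is an added example, not code from the question, the answer, or the audit package: it parses records in the layout auditd writes to /var/log/audit/audit.log on CentOS 6, joins PATH and SYSCALL lines by serial, resolves auid to a name, and attaches the session's decoded keystrokes. The log lines, the uid-to-name table, the key name passwd-changes and the users alice/bob are constructed for this example.

```python
"""Attribute auditd file-change events to the login user (auid) and join them
with pam_tty_audit keystrokes from the same session.
Added example; the sample records and the PASSWD table are constructed."""
import re
from collections import defaultdict

# Constructed stand-in for /etc/passwd (assumption: these names and uids exist).
PASSWD = {0: "root", 500: "alice", 501: "bob"}
UNSET_AUID = 4294967295  # -1 as u32: process has no login session (daemons, cron)

# Constructed sample: bob (uid 501) logs in, runs "sudo useradd eve"; useradd
# renames /etc/passwd+ -> /etc/passwd as uid 0, but auid stays 501. The two
# TTY records are his shell input and the password he typed into sudo.
SAMPLE_LOG = """\
type=PATH msg=audit(1434795765.057:54685): item=4 name="/etc/passwd" inode=152790 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1434795765.057:54685): item=3 name="/etc/passwd" inode=152786 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1434795765.057:54685): item=2 name="/etc/passwd+" inode=152790 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1434795765.057:54685): item=1 name="/etc/" inode=130562 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1434795765.057:54685): item=0 name="/etc/" inode=130562 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1434795765.057:54685):  cwd="/etc"
type=SYSCALL msg=audit(1434795765.057:54685): arch=c000003e syscall=82 success=yes exit=0 a0=7fffba897300 a1=7fd7cc94ece0 a2=7fffba8971c0 a3=0 items=5 ppid=14041 pid=14043 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=8494 comm="useradd" exe="/usr/sbin/useradd" key="passwd-changes"
type=TTY msg=audit(1434795765.100:54686): tty pid=14041 uid=501 auid=501 ses=8494 major=136 minor=1 comm="bash" data=7375646F2075736572616464206576650A
type=TTY msg=audit(1434795770.200:54687): tty pid=14042 uid=501 auid=501 ses=8494 major=136 minor=1 comm="sudo" data=48756E74657232210A
"""

HDR_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key="quoted" or key=bare


def parse_record(line):
    """Split one raw audit line into a dict; None for lines that are not records."""
    m = HDR_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields.update(type=rtype, ts=float(ts), serial=int(serial))
    return fields


def group_events(log_text):
    """All records of one event share the serial inside msg=audit(ts:serial)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def login_user(auid):
    """Map auid to a name the way ausearch/aureport -i do; flag unset auid."""
    auid = int(auid)
    if auid == UNSET_AUID:
        return "(no login session)"
    return PASSWD.get(auid, str(auid))


def summarize_file_events(events):
    """One summary per SYSCALL event: who logged in, who it ran as, which paths."""
    out = []
    for serial in sorted(events):
        recs = events[serial]
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None:
            continue
        # PARENT items are the directory, not the object that changed.
        paths = {r["name"] for r in recs
                 if r["type"] == "PATH" and r.get("nametype") != "PARENT"}
        out.append({"serial": serial, "session": sc["ses"],
                    "login_user": login_user(sc["auid"]),
                    "effective_user": PASSWD.get(int(sc["uid"]), sc["uid"]),
                    "exe": sc["exe"], "syscall": sc["syscall"],
                    "paths": sorted(paths)})
    return out


def decode_tty_events(events):
    """pam_tty_audit stores keystrokes hex-encoded in data=; decode per session."""
    keys_by_session = defaultdict(list)
    for serial in sorted(events):
        for r in events[serial]:
            if r["type"] == "TTY":
                keys_by_session[r["ses"]].append(
                    bytes.fromhex(r["data"]).decode("latin-1"))
    return keys_by_session


def attribute_changes(log_text):
    """Join file changes with the keystrokes typed in the same login session."""
    events = group_events(log_text)
    typed = decode_tty_events(events)
    changes = summarize_file_events(events)
    for c in changes:
        c["typed_in_session"] = typed.get(c["session"], [])
    return changes


if __name__ == "__main__":
    for c in attribute_changes(SAMPLE_LOG):
        print(f"[{c['serial']}] {c['login_user']} (running as {c['effective_user']}) "
              f"ran {c['exe']} on {', '.join(c['paths'])}; "
              f"session {c['session']} typed {c['typed_in_session']!r}")
```

Running it shows the file change attributed to bob even though every uid field says root, and the session's keystrokes include the sudo password, which is the drawback the answer warns about; in production, restrict the audit rules with `-F auid>=500 -F auid!=4294967295` (the unset value) so that daemon activity is not mistaken for user activity, and treat the TTY portion of the log as secret material.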