I installed the package audit on my Linux Red Hat 6.x machine in order to view the records of each user who logs in to my Linux machine:
yum install audit
Installation instructions from: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-installing_the_audit_packages.html
After the installation I restarted the audit service with
service auditd start
I follow the audit.log file in order to see the user records:
tail -f /var/log/audit/audit.log
but from this log I see only the users' IPs and when they log in to my Linux machine.
The records of the Linux commands that the user performed do not appear in audit.log.
Can someone advise why we do not see the history of Linux commands in audit.log?
Example of audit.log:
type=USER_START msg=audit(1422876162.936:152): user pid=28114 uid=0 auid=0 ses=74236 msg='op=PAM:session_open acct="root" exe="/usr/sbin/sshd" hostname=10.1.113.35 addr=10.1.113.35 terminal=ssh res=s'
type=USER_LOGIN msg=audit(1422876162.940:153): user pid=28116 uid=0 auid=0 ses=74236 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=10.1.113.35 addr=10.1.113.35 terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1422876162.940:154): user pid=28116 uid=0 auid=0 ses=74236 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=10.1.113.35 addr=10.1.113.35 terminal=/dev/pts/1 res=success'
type=CRYPTO_KEY_USER msg=audit(1422876162.940:155): user pid=28116 uid=0 auid=0 ses=74236 msg='op=destroy kind=server fp=99:c8:56:79:64:17:0b:67:b5:6c:e9:36:22:8a:b1:88 direction=? spid=28116 suid=0 '
type=CRYPTO_KEY_USER msg=audit(1422876162.940:156): user pid=28116 uid=0 auid=0 ses=74236 msg='op=destroy kind=server fp=6f:b9:bf:4f:84:1f:58:e5:d2:1c:94:1f:11:8e:26:61 direction=? spid=28116 suid=0 '
type=CRED_REFR msg=audit(1422876162.940:157): user pid=28116 uid=0 auid=0 ses=74236 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=10.1.113.35 addr=10.1.113.35 terminal=ssh res=success'
- Remark: in case the audit tool can't keep the records of each user, please help me find another tool that can do the job.
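The records in the question are exactly what auditd produces with no rules loaded: PAM and sshd report logins (USER_LOGIN, USER_START, CRED_REFR) on their own, but command execution is only logged once a syscall rule asks for it. With a rule such as `-a always,exit -F arch=b64 -S execve -k cmds` (plus the `arch=b32` twin on RHEL 6) in /etc/audit/audit.rules and `service auditd restart`, every execve shows up as a SYSCALL record carrying auid/ses/key followed by an EXECVE record with the argument vector, and `ausearch -k cmds -i` or `aureport -x` will list them. The script below is an added example, not code from the question or from the audit package: it parses audit.log lines of the format shown, groups the records that belong to one event (they share the same `audit(time:serial)` id), flattens the nested `msg='...'` payload of the PAM records, and decodes an EXECVE argument that auditd hex-encodes because it contains a space. The USER_LOGIN line is taken from the question; the SYSCALL, EXECVE and CWD lines for event 160 are constructed to show what the execve rule adds.

```python
import re

# Constructed sample log. The USER_LOGIN line is the one from the question;
# the SYSCALL/EXECVE/CWD records (hypothetical event 160, same session) are
# what auditd writes for that session once an execve rule keyed "cmds" is loaded.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1422876162.940:153): user pid=28116 uid=0 auid=0 ses=74236 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=10.1.113.35 addr=10.1.113.35 terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1422876200.123:160): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b3c0 a1=1a2b400 a2=1a2b600 a3=7 items=2 ppid=28116 pid=28190 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=74236 comm="ls" exe="/bin/ls" key="cmds"
type=EXECVE msg=audit(1422876200.123:160): argc=3 a0="ls" a1="-la" a2=2F746D702F6D79206469726563746F7279
type=CWD msg=audit(1422876200.123:160):  cwd="/root"
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# value forms: "double quoted", 'single quoted' (nested PAM message) or bare token
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def parse_record(line):
    """One audit.log line -> dict with type/time/serial plus raw field values."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "time": float(ts), "serial": int(serial)}
    for key, val in FIELD_RE.findall(body):
        if val[0] == val[-1] == "'":
            # USER_*/CRED_* records carry a second msg='k=v ...' payload; flatten it
            rec.update(FIELD_RE.findall(val[1:-1]))
        else:
            rec[key] = val
    return rec


def unquote(val):
    return val[1:-1] if len(val) >= 2 and val[0] == val[-1] == '"' else val


def decode_arg(val):
    """auditd writes an untrusted string that contains a space, quote or control
    character as unquoted upper-case hex instead of a quoted literal."""
    if val.startswith('"'):
        return unquote(val)
    if len(val) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", val):
        return bytes.fromhex(val).decode("utf-8", "replace")
    return val


def group_events(lines):
    """Records that belong to one event share the same audit(time:serial) id."""
    events, order = {}, []
    for line in lines:
        rec = parse_record(line.strip())
        if rec is None:
            continue
        eid = (rec["time"], rec["serial"])
        if eid not in events:
            events[eid] = []
            order.append(eid)
        events[eid].append(rec)
    return [events[eid] for eid in order]


def summarize(event):
    """Reduce one event to a login or an executed command, else None."""
    by_type = {r["type"]: r for r in event}
    if "USER_LOGIN" in by_type:
        r = by_type["USER_LOGIN"]
        return {"kind": "login", "auid": int(r["auid"]), "ses": int(r["ses"]),
                "addr": unquote(r.get("addr", "?")),
                "ok": unquote(r.get("res", "")) == "success"}
    if "SYSCALL" in by_type and "EXECVE" in by_type:
        s, e = by_type["SYSCALL"], by_type["EXECVE"]
        argv = [decode_arg(e["a%d" % i]) for i in range(int(e["argc"]))]
        cwd = unquote(by_type["CWD"]["cwd"]) if "CWD" in by_type else None
        return {"kind": "exec", "auid": int(s["auid"]), "ses": int(s["ses"]),
                "cwd": cwd, "argv": argv, "key": unquote(s.get("key", ""))}
    return None  # CRYPTO_KEY_USER, CRED_REFR, ... are not what we are after


def reconstruct(log_text):
    """Return the login and command events found in an audit.log text, in order."""
    out = [summarize(ev) for ev in group_events(log_text.splitlines())]
    return [s for s in out if s is not None]


if __name__ == "__main__":
    for ev in reconstruct(SAMPLE_LOG):
        if ev["kind"] == "login":
            print("login auid=%d ses=%d from %s ok=%s" % (ev["auid"], ev["ses"], ev["addr"], ev["ok"]))
        else:
            print("exec  auid=%d ses=%d cwd=%s argv=%r" % (ev["auid"], ev["ses"], ev["cwd"], ev["argv"]))
```

Correlating on `auid` and `ses` rather than `uid` is the point of this kind of log: `auid` is the login UID set at the session start and survives `su` and `sudo`, so a command run as root after `su` is still attributed to the user who logged in. On a real system the execve rule will also record the shell's own startup and every helper a script spawns, so filter with `-F auid!=4294967295` (unset auid, i.e. daemons) or `-F auid>=500` to keep the volume down.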
This link shows you how to run a script on log-out. You could use this to record the command history file, though that may not be a complete solution. Ideally you would want a modified shell, but since users can invoke other shells you would need modifications to all the shells on the system. – AFH – 2015-02-02T12:36:03.810
I googled Linux shell auditing and found this useful summary. – AFH – 2015-02-02T12:48:24.237