Description of problem:
Ref. 235021 - If the only way to enable the auditing is to maintain a separate package, can we get a bash-audit package built at RH instead of trying to maintain one on our own?

Version-Release number of selected component (if applicable):
bash-3.2-24.el5
This feature would very much be useful to us. I'd like to see this package included or added as well.
Useful here too; unclear why the feature was added without making it available without a custom rebuild.
Yep. It's a good idea. It will be in Fedora 11 and then in RHEL6.
At second look the bash auditing is (should be) enabled. Try this:
- append to /etc/pam.d/system-auth: session required pam_tty_audit.so disable=* enable=root
- as root => chars entered in audit.log
- as non-root: no chars entered
If this is ok, I think there's no need to separate packages with and without enabled auditing.
This seems like it logs just fine to /var/log/audit/audit.log, however I'm a bit unsure of how to extract the audited information from the audit log with aureport. Is there an option to pass for bash audit reporting?
I added the line to /etc/pam.d/system-auth, and I get the following:

[root@ss-5-89 ~]# vim /etc/sysconfig/iptables
[root@ss-5-89 ~]# tail -5 /var/log/audit/audit.log
type=TTY msg=audit(1234239611.005:2317): tty pid=15771 uid=0 auid=500 major=136 minor=21 comm="bash" data=636174202F6574632F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F76696D202F6574632F737973636F6E7F66097F6E6609697074090D
type=USER_TTY msg=audit(1234239611.005:2318): user pid=15771 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg=76696D202F6574632F737973636F6E6669672F69707461626C6573
type=TTY msg=audit(1234239613.702:2319): tty pid=15836 uid=0 auid=500 major=136 minor=21 comm="vim" data=1B5B3E303B3133363B30633A71210D
type=TTY msg=audit(1234239632.197:2320): tty pid=15771 uid=0 auid=500 major=136 minor=21 comm="bash" data=7461696C202F7661722F6C6F672F617564096175091B4F441B4F441B4F441B4F441B4F441B4F441B4F441B4F441B4F441B4F441B4F441B4F441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B442D35200D
type=USER_TTY msg=audit(1234239632.197:2321): user pid=15771 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg=7461696C202D35202F7661722F6C6F672F61756469742F61756469742E6C6F67
[root@ss-5-89 ~]#

So I can see what pid launched vim, and use that to track what user ran it... but I have no idea what file was edited. Is this what the patch provided in 235021 enables? For some reason I thought it was going to be a lot more for PCI compliance. If this is it though, I'll go ahead and close the RFE.
Created attachment 331422
Decode the hexadecimal representation used in audit logs

The quoted log contains specific information in the 'data' and 'msg' fields; I'm afraid the audit tools in RHEL5.3 do not support extraction of the information yet. The output of (ausearch -i) on the above input data will return something like:

type=TTY msg=audit(10.2.2009 05:20:11.005:2317) : tty pid=15771 uid=root auid=mitr major=136 minor=21 comm=bash data="cat /etc/",<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,"vim /etc/syscon",<backspace>,"f",<tab>,<backspace>,"nf",<tab>,"ipt",<tab>,<ret>
type=USER_TTY msg=audit(10.2.2009 05:20:11.005:2318) : user pid=15771 uid=root auid=mitr subj=user_u:system_r:unconfined_t:s0 msg="vim /etc/sysconfig/iptables"
type=TTY msg=audit(10.2.2009 05:20:13.702:2319) : tty pid=15836 uid=root auid=mitr major=136 minor=21 comm=vim data=,<esc>,"[>0;136;0c:q!",<ret>
type=TTY msg=audit(10.2.2009 05:20:32.197:2320) : tty pid=15771 uid=root auid=mitr major=136 minor=21 comm=bash data="tail /var/log/aud",<tab>,"au",<tab>,<esc>,"OD",<esc>,"OD",<esc>,"OD",<esc>,"OD",<esc>,"OD",<esc>,"OD",<esc>,"OD",<esc>,"OD",<esc>,"OD",<esc>,"OD",<esc>,"OD",<esc>,"OD",<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,"-5 ",<ret>
type=TTY msg=audit(10.2.2009 05:20:13.702:2319) : tty pid=15836 uid=root auid=mitr major=136 minor=21 comm=vim data=,<esc>,"[>0;136;0c:q!",<ret>
type=USER_TTY msg=audit(10.2.2009 05:20:32.197:2321) : user pid=15771 uid=root auid=mitr subj=user_u:system_r:unconfined_t:s0 msg="tail -5 /var/log/audit/audit.log"

For now, you can use e.g. the attached Python script to decode the "msg=" and "data=" fields.
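The decoding that comment #8 describes, as an added example and not the attached script: a small Python decoder for the hex data= (TTY) and msg= (USER_TTY) fields, rendering control bytes in the comma-separated style ausearch -i shows above. The two sample records and the CONTROL_NAMES table are constructed for this example; multi-byte escape sequences are left as <esc> followed by their printable text, as in the "<esc>,"OD"" output.

```python
import re

# Constructed sample records in the raw form the kernel writes to audit.log
# (same layout as the records quoted above; the hex in data=/msg= is the
# keystroke stream: 0x7f backspace, 0x09 tab, 0x0d return, 0x1b escape).
SAMPLE_TTY = (
    'type=TTY msg=audit(1234239611.005:2317): tty pid=15771 uid=0 auid=500 '
    'major=136 minor=21 comm="bash" '
    'data=76696D202F6574632F737973636F6E7F66097F6E6609697074090D'
)
SAMPLE_USER_TTY = (
    'type=USER_TTY msg=audit(1234239611.005:2318): user pid=15771 uid=0 '
    'auid=500 subj=user_u:system_r:unconfined_t:s0 '
    'msg=76696D202F6574632F737973636F6E6669672F69707461626C6573'
)

# Names for the control bytes that matter for shell input (constructed table).
CONTROL_NAMES = {0x7f: "<backspace>", 0x09: "<tab>", 0x0d: "<ret>",
                 0x0a: "<nl>", 0x1b: "<esc>"}

def decode_tty_data(hexstr):
    """Split the hex keystroke stream into tokens: printable runs as plain
    strings, control bytes as <name> (unknown control bytes as <0xNN>)."""
    tokens, run = [], ""
    for b in bytes.fromhex(hexstr):
        if 0x20 <= b < 0x7f:
            run += chr(b)
            continue
        if run:
            tokens.append(run)
            run = ""
        tokens.append(CONTROL_NAMES.get(b, "<0x%02x>" % b))
    if run:
        tokens.append(run)
    return tokens

def decode_record(line):
    """Pick the hex field of a TTY (data=) or USER_TTY (trailing msg=)
    record and decode it; any other record type returns None."""
    rtype = re.search(r'\btype=(\w+)', line).group(1)
    if rtype == "TTY":
        m = re.search(r'\bdata=([0-9A-Fa-f]+)', line)
    elif rtype == "USER_TTY":
        m = re.search(r'\bmsg=([0-9A-Fa-f]+)\s*$', line)
    else:
        return None
    return decode_tty_data(m.group(1)) if m else None

def render(tokens):
    """Join tokens the way ausearch -i prints them: quoted text, bare <names>."""
    return ",".join(t if t.startswith("<") else '"%s"' % t for t in tokens)
```

Feed it lines from audit.log (for example from tail -f, as comment #10 does) and print render(decode_record(line)) for each TTY/USER_TTY record; the USER_TTY record gives the completed command, the TTY record the raw keystrokes.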
In reply to comment #5, just run aureport --tty.
Created attachment 331472
Audit output

I work with Rob and I took the code previously posted and just kind of added a bit to it. What I am doing is just taking in the output from 'tail -f /var/log/audit/audit.log' and piping it to my script. Right now it just spits out to the terminal, but I make a comment where to make the change to write to the file. Just figured I would post in case anyone would be able to use the code.
(In reply to comment #8)
> In reply to comment #5, just run aureport --tty.

This machine is a fully patched RHEL 5 update3 box, however aureport --tty isn't a valid option. Running it generates an error and usage statement. See paste below:

[root@ibmlt ~]# aureport --tty
--tty is an unsupported option
usage: aureport [options]

This is followed by the various options, but --tty is not listed, nor is anything which could be similar. Ideas?
OK, I see. There was talk above about Fedora and I thought this was a Fedora bug. Since it's RHEL, you are right, you cannot run that command yet. It's scheduled for the 5.4 update. Looking back over this bug, I am trying to figure out the next steps. It looks like people didn't know that auditing was enabled via pam. That was configured and now you have auditing of the bash prompt. The next problem is that displaying the results is problematic. That would not be a bash bug. Is this bug closable, or should it be redirected to the audit package or another bug opened?
I'm fine with it being reassigned to the audit package. As a side note, do people want details for each and every keypress, or just a record of what command was actually run? In my situation and looking at the output above, I don't care if people used tab complete to find a file to edit with vim, I just care that they ran vim against the file.
Yes, people do want all keys pressed. Sometimes you run an ncurses app that does things as admin and the security officer may want to know exactly what they did. OK, I can transfer this to the audit package, but what should the title be?
audit-1.7.13-1 was built to solve this problem in RHEL5.4
Excellent. This is the one currently listed at people.redhat.com I assume? I'll give it a build tomorrow morning and test it out.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-1303.html