Re: How to configure auditd to register like internal bash commands?
On 2/8/2022 5:12 PM, André Letterer wrote:
> Yes, history is a bash internal command and that's why I initially opened this thread, because I wanted to know if there is any chance to track internal bash commands like history as well via auditd.
> For now it seems pam_tty_audit doesn't do the job.

Audit tracks security relevant events. Invoking a built-in command such as history, export or set does not involve any security relevant events. Invoking a built-in simply sends the existing shell process down a specified code path. There's no audit record because there's nothing happening to audit.

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
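An added example, not part of the thread, that makes Casey's point checkable on a host: ask bash itself which of the commands André listed are built-ins. A built-in or keyword runs inside the already-running shell process, so there is no fork and no execve for a syscall rule to match; only commands bash classifies as "file" ever reach execve. The script assumes bash is on PATH; the auditctl rule shown in a comment is the ordinary execve rule and is not executed by the script. (pam_tty_audit records TTY input rather than commands and is a separate mechanism, not covered here.)

```shell
#!/bin/bash
# Added example (not from the thread): classify command names the way bash
# does, to predict which ones an execve-based audit rule can ever see.
# Assumption: bash is installed and reachable via PATH.

# Print bash's classification of a name: builtin, keyword, file, alias,
# function, or "none" when bash does not know the name at all.
classify() {
    local kind
    kind=$(bash -c 'type -t "$1"' _ "$1" 2>/dev/null) || kind=""
    printf '%s\n' "${kind:-none}"
}

# A built-in or keyword is handled inside the existing shell process: no
# fork, no execve.  A rule such as
#   auditctl -a always,exit -F arch=b64 -S execve -F auid>=1000 -k cmds
# therefore never produces a record for it.  Only "file" commands execve.
audit_visible() {
    case "$(classify "$1")" in
        file) echo yes ;;
        *)    echo no ;;
    esac
}

# One line per command: name, bash classification, execve visibility.
report() {
    local c
    for c in "$@"; do
        printf '%-10s %-8s execve-auditable=%s\n' \
            "$c" "$(classify "$c")" "$(audit_visible "$c")"
    done
}

# The commands asked about in the thread, plus two external ones for contrast.
report unset set export history cd sh cat
```

Running it on a typical system lists unset, set, export, history and cd as builtin (execve-auditable=no) and sh and cat as file (execve-auditable=yes), which is exactly the split between what an execve rule can and cannot record.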
Re: How to configure auditd to register like internal bash commands?
Yes, history is a bash internal command and that's why I initially opened this thread, because I wanted to know if there is any chance to track internal bash commands like history as well via auditd.
For now it seems pam_tty_audit doesn't do the job.

Sent: Wednesday, 9 February 2022 at 02:09
From: "Casey Schaufler"
To: "André Letterer", "Richard Guy Briggs"
Cc: Linux-audit@redhat.com
Subject: Re: How to configure auditd to register like internal bash commands?

> There are a significant number of commands that are shell built-ins, including "history".
Re: How to configure auditd to register like internal bash commands?
On 2/8/2022 4:24 PM, André Letterer wrote:
> Yeah, it's a very good start.
> However it seems it still doesn't do what I want.
>
> It seems only changing the 2 files doesn't do the job:
>
> nano /etc/pam.d/system-auth
> session required pam_tty_audit.so disable=* enable=logs log_passwd
> nano /etc/pam.d/password-auth
> session required pam_tty_audit.so disable=* enable=logs log_passwd
>
> I get many more entries in /var/log/audit/audit.log for user logs, for instance if I su to this one.
>
> However unfortunately commands like "history -c" still don't trigger an entry...

There are a significant number of commands that are shell built-ins, including "history".

> Is there still a follow-up idea on this?
Re: How to configure auditd to register like internal bash commands?
On Wed, 2022-02-09 at 01:24 +0100, André Letterer wrote:
> Yeah, it's a very good start.
> However it seems it still doesn't do what I want.
>
> It seems only changing the 2 files doesn't do the job:
>
> nano /etc/pam.d/system-auth
> session required pam_tty_audit.so disable=* enable=logs log_passwd
> nano /etc/pam.d/password-auth
> session required pam_tty_audit.so disable=* enable=logs log_passwd
>
> I get many more entries in /var/log/audit/audit.log for user logs, for instance if I su to this one.
>
> However unfortunately commands like "history -c" still don't trigger an entry...
>
> Is there still a follow-up idea on this?

$ man pam_tty_audit

Hint: consider removing disable=* and modifying enable=logs to something else, unless of course the only account you want to tty audit is an account named "logs".

Mark
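Mark's hint in code, as an added example that is not part of the thread: the enable= (and disable=) option of pam_tty_audit.so takes a comma-separated list of user names, so `enable=logs` records TTY input only for an account literally named "logs". The script below pulls the enable= list out of a pam.d line and checks every name against an account list. Both the account list and the two pam lines are constructed here, and the users andre and auditor in the corrected line are hypothetical; on a real host you would read the lines from /etc/pam.d/* and the names from /etc/passwd.

```shell
#!/bin/bash
# Added example (not from the thread): sanity-check the user list given to
# pam_tty_audit.so.  Assumption: accounts and pam lines are constructed
# inline; on a real host read /etc/pam.d/* and /etc/passwd instead.

# Constructed account list (login names only), standing in for /etc/passwd.
ACCOUNTS="root
andre
auditor"

# The line from the thread: enable=logs names an account called "logs",
# so no real user's TTY input is recorded.
WEAK_LINE='session required pam_tty_audit.so disable=* enable=logs log_passwd'
# Corrected form: enable= takes a comma-separated list of login names
# (andre and auditor are hypothetical users for this example).
FIXED_LINE='session required pam_tty_audit.so disable=* enable=andre,auditor log_passwd'

# Print the names listed in enable=, one per line (nothing if absent).
enabled_users() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^enable=//p' | tr ',' '\n'
}

# Warn about every enable= name that is not a known account.  Returns 0 when
# the list is usable (non-empty and every name resolves), 1 otherwise.
check_tty_audit_line() {
    local line user ok any
    line="$1"
    ok=1
    any=0
    for user in $(enabled_users "$line"); do
        any=1
        if ! printf '%s\n' "$ACCOUNTS" | grep -qx -- "$user"; then
            printf 'unknown account in enable=: %s\n' "$user"
            ok=0
        fi
    done
    [ "$any" -eq 1 ] && [ "$ok" -eq 1 ]
}

# Check both lines and show the verdict beside each.
for line in "$WEAK_LINE" "$FIXED_LINE"; do
    if check_tty_audit_line "$line"; then
        printf 'OK   : %s\n' "$line"
    else
        printf 'WARN : %s\n' "$line"
    fi
done
```

Once the enable= list names the accounts you actually want watched, the TTY records that pam_tty_audit produces can be reviewed with `aureport --tty`; a built-in such as `history -c` shows up there as typed input even though it never generates a syscall record.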
Re: How to configure auditd to register like internal bash commands?
Yeah, it's a very good start.
However it seems it still doesn't do what I want.

It seems only changing the 2 files doesn't do the job:

nano /etc/pam.d/system-auth
session required pam_tty_audit.so disable=* enable=logs log_passwd
nano /etc/pam.d/password-auth
session required pam_tty_audit.so disable=* enable=logs log_passwd

I get many more entries in /var/log/audit/audit.log for user logs, for instance if I su to this one.

However unfortunately commands like "history -c" still don't trigger an entry...

Is there still a follow-up idea on this?

Sent: Wednesday, 9 February 2022 at 00:20
From: "Richard Guy Briggs"
To: "André Letterer"
Cc: Linux-audit@redhat.com
Subject: Re: How to configure auditd to register like internal bash commands?

> You may want to look into pam_tty_audit, but it may flood your logs.
>
> - RGB
Re: How to configure auditd to register like internal bash commands?
On 2022-02-07 23:37, André Letterer wrote:
> Hi folks,
>
> I would like to have some help on configuring auditd for very short
> running commands like
> unset ...
> set ...
> export ...
> history -c
>
> or similar commands.
> How would that be possible?
> Would you please help me with some knowledge about that?

You may want to look into pam_tty_audit, but it may flood your logs.

- RGB

--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
[ANNOUNCE][CFP] Linux Security Summit North America 2022
==
ANNOUNCEMENT AND CALL FOR PARTICIPATION

LINUX SECURITY SUMMIT NORTH AMERICA 2022

23-24 June
Austin, Texas & Virtual
==

DESCRIPTION

Linux Security Summit North America (LSS-NA) is a technical forum for collaboration between Linux developers, researchers, and end-users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

The program committee currently seeks proposals for:

* Refereed Presentations: 45 minutes in length.
* Panel Discussion Topics: 45 minutes in length.
* Short Topics: 30 minutes in total, including at least 10 minutes discussion.
* Tutorials: 90 minutes in length.

Tutorial sessions should be focused on advanced Linux security defense topics within areas such as the kernel, compiler, and security-related libraries. Priority will be given to tutorials created for this conference, and those where the presenter is a leading subject matter expert on the topic.

Topic areas include, but are not limited to:

* Kernel self-protection
* Access control
* Cryptography and key management
* Integrity policy and enforcement
* Hardware Security
* IoT and embedded security
* Virtualization and containers
* System-specific system hardening
* Case studies
* Security tools
* Security UX
* Emerging technologies, threats & techniques

Proposals should be submitted via:
https://events.linuxfoundation.org/linux-security-summit-north-america/

Note that for 2022, we are returning to having both North American and European events (LSS-EU will be held in September).

LSS-NA DATES

* CFP close: March 30
* CFP notifications: April 15
* Schedule announced: April 19
* Event: September 23-24

WHO SHOULD ATTEND

We're seeking a diverse range of attendees and welcome participation by people involved in Linux security development, operations, and research.

LSS is a unique global event that provides the opportunity to present and discuss your work or research with key Linux security community members and maintainers. It's also useful for those who wish to keep up with the latest in Linux security development and to provide input to the development process.

WEB SITE

https://events.linuxfoundation.org/linux-security-summit-north-america/

TWITTER

For event updates and announcements, follow:
https://twitter.com/LinuxSecSummit
#linuxsecuritysummit

PROGRAM COMMITTEE

The program committee for LSS 2021 is:

* James Morris, Microsoft
* Serge Hallyn, Cisco
* Paul Moore, Microsoft
* Stephen Smalley, NSA
* Elena Reshetova, Intel
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM
* David A. Wheeler, Linux Foundation

The program committee may be contacted as a group via email:
lss-pc () lists.linuxfoundation.org
How to configure auditd to register like internal bash commands?
Hi folks,

I would like to have some help on configuring auditd for very short running commands like
unset ...
set ...
export ...
history -c

or similar commands.
How would that be possible?
Would you please help me with some knowledge about that?