We are using pam_tty to record all the commands that user types. We are interested in monitoring the user commands.

In the audit.log, when we grep for USER_TTY, there is too much logging.

Here is the attached log screenshot:

[screenshot of audit.log not reproduced]

In the data= section, there should ideally be the command names, but most of the logs are full of some number like 6364202F....

The aureport --tty seems to be giving proper results with commands, but as we are sending the audit.log file to centralized log server, it becomes difficult to search for only commands entered by a specific user.

Dave M
zealvora

1 Answer

1

I would run ausearch -i and then send the output of that back to your centralized log server. It not only decodes the HEX strings (there because there are spaces in the command typed by the user), but it will also interpret the auid (and others) into the appropriate LNAME it belongs to.

You could make use of ausearch's checkpoint ability to only send 'new' events to your store.

U880D
BurnA
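The decoding the answer describes, as an added example that is not part of the question or the answer and not part of the audit tooling: audit writes a field in hex only when it contains spaces, quotes or control characters, and otherwise as a plain quoted string, so a parser has to accept both forms. The sample records below are constructed, and their field layout (`type=USER_TTY msg=audit(ts:serial): ... auid=... ses=... msg='data=...'`) is an assumption modelled on the page's description; the auid-to-name lookup uses the local passwd database, the same way `ausearch -i` interprets it, and falls back to the number when the uid is unknown on the host doing the parsing.

```python
"""Decode the hex-encoded data= field of USER_TTY audit records and
group the recovered keystrokes per login user (auid)."""
import pwd
import re
from datetime import datetime, timezone

# Constructed sample records (not the screenshot from the question); the
# field layout is an assumption modelled on audit.log's USER_TTY records.
SAMPLE_LOG = """\
type=USER_TTY msg=audit(1421123456.789:1001): pid=2001 uid=1000 auid=1000 ses=3 msg='data=6364202F746D700A'
type=USER_TTY msg=audit(1421123460.123:1002): pid=2001 uid=1000 auid=1000 ses=3 msg='data="ls"'
type=USER_TTY msg=audit(1421123470.456:1003): pid=3002 uid=0 auid=1001 ses=4 msg='data=636174202F6574632F686F7374730A'
type=USER_START msg=audit(1421123470.000:1004): pid=3002 uid=0 auid=1001 ses=4 msg='op=PAM:session_open res=success'
"""

# Audit hex-encodes a field only when it holds spaces, quotes or control
# characters; otherwise it is a plain quoted string.  Match both forms.
USER_TTY_RE = re.compile(
    r"^type=USER_TTY msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):"
    r".*?\bauid=(?P<auid>\d+)\b.*?\bses=(?P<ses>\d+)\b"
    r".*?\bdata=(?P<data>\"[^\"]*\"|[0-9A-Fa-f]+)"
)


def decode_data(field: str) -> str:
    """Turn a raw data= value into readable text, escaping control bytes."""
    if field.startswith('"'):
        text = field.strip('"')
    else:
        text = bytes.fromhex(field).decode("utf-8", errors="replace")
    text = text.rstrip("\r\n")
    # Keep e.g. a backspace (\x08) visible rather than dropping it silently:
    # pam_tty_audit records keystrokes, not the command the shell finally ran.
    return "".join(ch if ch.isprintable() else f"\\x{ord(ch):02x}" for ch in text)


def login_name(auid: int) -> str:
    """Map auid to a login name as ausearch -i does; fall back to the number."""
    try:
        return pwd.getpwuid(auid).pw_name
    except KeyError:
        return str(auid)


def parse_user_tty(log_text: str) -> list[dict]:
    """Return one dict per USER_TTY record; other record types are skipped."""
    events = []
    for line in log_text.splitlines():
        m = USER_TTY_RE.match(line)
        if not m:
            continue
        auid = int(m["auid"])
        events.append({
            "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc).isoformat(),
            "serial": int(m["serial"]),
            "auid": auid,
            "user": login_name(auid),
            "ses": int(m["ses"]),
            "command": decode_data(m["data"]),
        })
    return events


def commands_for_auid(log_text: str, auid: int) -> list[str]:
    """Decoded keystroke records of one login user, in audit serial order."""
    events = sorted(parse_user_tty(log_text), key=lambda e: e["serial"])
    return [e["command"] for e in events if e["auid"] == auid]


if __name__ == "__main__":
    for e in parse_user_tty(SAMPLE_LOG):
        print(f'{e["time"]} auid={e["auid"]}({e["user"]}) ses={e["ses"]} {e["command"]!r}')
```

Filtering on auid rather than uid is what isolates "commands entered by a specific user": auid is the login uid and survives `su`/`sudo`, so the third sample record is attributed to login user 1001 even though the process runs as uid 0. Feeding the output of this script (or of `ausearch -i`) to the central log server avoids having to do the hex decoding on the collector side.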