2

I have configured Auditd in a RHEL6 server and enabled TTY logging using

pam_tty_audit.so enable=* 

in /etc/pam.d/system-auth and /etc/pam.d/password-auth

I don't have any other rules configured in the audit.rules file, as I am interested only in logging commands executed by users and not in tracking all process activities.

I am able to see the commands executed by users locally in this server. But if users are executing commands remotely from other servers using SSH, like

ssh userid@<rhel server> date

these commands are not logged in the audit logs. Is there any way to log these?

Sravan

1 Answer

0

You need to edit /etc/pam.d/sshd to audit SSH.

Look here: https://blog.shichao.io/2015/04/22/auditing_user_tty_and_root_commands_with_auditd_on_ubuntu.html

JonLord
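A way to check whether a PAM service such as sshd actually reaches pam_tty_audit.so, either directly or through an `include`/`substack` of a file like password-auth. This is an added example, not part of the question, the answer or the linked post; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a PAM service's session stack load pam_tty_audit.so
# with an enable= argument, directly or via include/substack?

# tty_audit_enabled PAM_DIR SERVICE  -> exit status 0 if enabled, 1 otherwise
tty_audit_enabled() {
    dir=$1; todo=$2; seen=" "
    while [ -n "$todo" ]; do
        svc=${todo%% *}                      # pop the next file from the queue
        todo=${todo#"$svc"}; todo=${todo# }
        case "$seen" in *" $svc "*) continue ;; esac   # avoid include loops
        seen="$seen$svc "
        [ -r "$dir/$svc" ] || continue
        while read -r type control rest; do
            type=${type#-}                   # "-session" means optional module
            [ "$type" = session ] || continue          # skips comments too
            case "$control" in
                include|substack)            # queue the referenced file
                    todo="${todo:+$todo }${rest%% *}"; continue ;;
            esac
            case " $rest " in
                *pam_tty_audit.so*" enable="*) return 0 ;;
            esac
        done < "$dir/$svc"
    done
    return 1
}

# Constructed sample layout (not copied from a real host): sshd reaches the
# module only through password-auth; "login" has the line commented out.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'session required pam_loginuid.so' \
                  'session include password-auth' > "$d/sshd"
    printf '%s\n' 'session required pam_tty_audit.so enable=*' > "$d/password-auth"
    printf '%s\n' '#session required pam_tty_audit.so enable=*' > "$d/login"
    echo "$d"
}

sample=$(make_sample)
for s in sshd login; do
    if tty_audit_enabled "$sample" "$s"; then echo "$s: pam_tty_audit enabled"
    else echo "$s: pam_tty_audit not enabled"; fi
done
rm -rf "$sample"
```

On a real host, pass /etc/pam.d as the first argument. pam_tty_audit records TTY input, so a command passed to ssh without a pseudo-terminal leaves no TTY record even when this check passes.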