Comments on: How to keep a detailed audit trail of what’s being done on your Linux systems

By: jalal hajigholamali

jalal hajigholamali — Fri, 26 Aug 2011 05:57:07 +0000

Thanks for the useful how to,

By: Peter

Peter — Sat, 04 Jun 2011 04:35:07 +0000

Just knowing the command (by itself) the user ran is useless. You absolutely need it’s arguments, and the parent process’s CWD. Other than that, it’s a “cute” toy, and little else.

By: Chuong

Chuong — Wed, 27 Apr 2011 05:06:34 +0000

rm vivek pts/0 0.00 secs Tue Nov 14 00:30
rm vivek pts/1 0.00 secs Tue Nov 14 00:30
rm vivek pts/1 0.00 secs Tue Nov 14 00:29
rm vivek pts/1 0.00 secs Tue Nov 14 00:29

vivek is remove many files. The command just showing “rm” command, So how could i know what did he remove ??????

Please help

By: Ankit Sharma

Ankit Sharma — Mon, 28 Mar 2011 05:08:54 +0000

I’ve taken a project to work upon tracing of runtime activities on unix system
into a log file. Like, to implement a program which will show the log of everything
happened in past, including many requirements, like applications i used (with the time of access),
kind of files/directories i opened, closed, created, deleted(with the time), etc.
.
Please suggest me something to do it in a better way.

By: Bostjan Skufca

Bostjan Skufca — Thu, 17 Feb 2011 11:23:29 +0000

@praveen c: “pwd” is a shell built-in command and is not executed. However snoopy does exactly what you have described.

By: praveen c

praveen c — Thu, 17 Feb 2011 09:01:46 +0000

Hi,

I gone through the entire comments but nobody clearly spacifying..is there any tool for tracking the user executed commands and path of the file/folder.

Like [root@nisslave pravi]# pwd
/home/pravi
[root@nisslave pravi]# cat test
dfasdf
[root@nisslave pravi]#

By: RogerD

RogerD — Thu, 29 Jul 2010 21:14:00 +0000

I’m running with pam_tty_audit and it appears it only logs root level key events, regardless of the settings in the session entry. It seems to ignore the disable= and enable= settings. The man page has the example of enabling root, but specifying a different user (ex enable=username ) still logs root only.

By: rea

rea — Wed, 07 Apr 2010 09:42:18 +0000

hi, i just installed snoopy on fedora 12. but i dont know how to view log. where snoopy`s log file located? could u explain me pls/ i read instruction file but nothing found something that help me. sry my bad english

By: Vince

Vince — Mon, 22 Mar 2010 23:45:41 +0000

I’m not totally sure yet, but support for process accounting has to be also enabled in the kernel to make all features of acct work.
=> CONFIG_BSD_PROCESS_ACCT

By: Bostjan Skufca

Bostjan Skufca — Thu, 18 Mar 2010 20:57:54 +0000

@jav:

Weird. Can you compile and run this program once as root and once as non-privileged user on your system? Source here:
http://source.a2o.si/tmp/snoopy/test-getuid.c

Compiled for Linux 32bit here:
http://source.a2o.si/tmp/snoopy/test-getuid

Post the results on sourceforge issue tracker please (in order not to bloat this blog post with irrelevant comments)
Tnx!

By: jav

jav — Mon, 15 Mar 2010 14:42:49 +0000

Snoopy compiles and loads, but so far it seems to work only to log root commands, and I modified snoopy.h
#define SNOOPY_ROOT_ONLY 0
with both 0 or 1, makes no difference, keeps logging only root commands.

By: Bostjan Skufca

Bostjan Skufca — Wed, 10 Feb 2010 02:10:12 +0000

Try snoopy logger. I've just updated it and it works ok for me now. https://sourceforge.net/projects/snoopylogger/

By: Deleriux

Deleriux — Wed, 23 Sep 2009 12:15:20 +0000

Oh, and to check audit you need to run something such as
ausearch -ts recent -m tty

By: Deleriux

Deleriux — Wed, 23 Sep 2009 12:14:16 +0000

You should probably remove disable=* as it makes the thing a little ambiguous.

By: Fahim

Fahim — Tue, 22 Sep 2009 23:45:27 +0000

Thanks Deleriux, I tried that but no luck :S. It seems im getting it wrong somewhere:

[fimz@localhost ~]$ sudo vim /etc/pam.d/sshd
[fimz@localhost ~]$ cat /etc/pam.d/sshd
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_tty_audit.so disable=* enable=*
[fimz@localhost ~]$ date
Wed Sep 23 11:29:16 NZST 2009
[fimz@localhost ~]$ sudo su -
[root@localhost ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
login as: fimz
fimz@X.Y.2.3′s password:
Last login: Wed Sep 23 11:24:02 2009 from it029481.xyz.org
[fimz@localhost ~]$
[fimz@localhost ~]$ ls
Desktop
[fimz@localhost ~]$ ls -a
. .bashrc .gconfd .gtkrc-1.2-gnome2 .redhat
.. Desktop .gnome .ICEauthority .Trash
.bash_history .dmrc .gnome2 .metacity .viminfo
.bash_logout .eggcups .gnome2_private .mozilla
.bash_profile .gconf .gstreamer-0.10 .nautilus
[fimz@localhost ~]$ ls -l
total 8
drwxr-xr-x 2 fimz fimz 4096 Sep 10 16:02 Desktop
[fimz@localhost ~]$ mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
[fimz@localhost ~]$ date
Wed Sep 23 11:31:05 NZST 2009

[fimz@localhost ~]$ sudo grep mount /var/log/*
/var/log/secure:Sep 23 11:31:56 localhost sudo: fimz : TTY=pts/1 ; PWD=/home/fimz ; USER=root ; COMMAND=/bin/grep mount /var/log/acpid /var/log/anaconda.log /var/log/anaconda.syslog /var/log/anaconda.xlog /var/log/audit /var/log/boot.log /var/log/boot.log.1 /var/log/boot.log.2 /var/log/btmp /var/log/conman /var/log/conman.old /var/log/cron /var/log/cron.1 /var/log/cron.2 /var/log/cups /var/log/dmesg /var/log/faillog /var/log/gdm /var/log/httpd /var/log/lastlog /var/log/mail /var/log/maillog /var/log/maillog.1 /var/log/maillog.2 /var/log/messages /var/log/messages.1 /var/log/messages.2 /var/log/news /var/log/pm /var/log/ppp /var/log/prelink /var/log/rpmpkgs /var/log/rpmpkgs.1 /var/log/rpmpkgs.2 /var/log/samba /var/log/scrollkeeper.log /var/log/secure /var/log/secure.1 /var/log/secure.2 /var/log/setroubleshoot /var/log/spooler /var/log/spooler.1 /var/log/spooler.2 /var/log/squid /var/log/tallylog /var/log/vbox /var/log/wtmp /var/log/Xorg.0.log /var/log/Xorg.0.log.old /var/log/yum.log

I was expecting it to log to messages, but apparently its not!

By: Deleriux

Deleriux — Tue, 22 Sep 2009 22:16:31 +0000

Yeah, pass it something like:
session required pam_tty_audit.so enable=*

To the pam stack.

By: Fahim

Fahim — Tue, 22 Sep 2009 02:36:21 +0000

Hi,
pam_tty_audit is kool, but problem is that it logs only root level stuff. Is there anyway to make it log user level tty input without patching it?

Thanks

By: Deleriux

Deleriux — Sat, 05 Sep 2009 23:35:59 +0000

A more suitable way on modern distros (Centos 5 + ) is to install the pam_tty_audit pam module and place it into a pam stack for say, login or sshd.

This will produce a key by key typing of what was pressed inside the session. (including, up, down backspace, etc)

You can use ausearch to look through it.

I.E “ausearch -ts recent -m tty -i”

By: Fahim

Fahim — Mon, 31 Aug 2009 08:18:06 +0000

Hi,

Im interested to know is there a way to log all keystrokes including typos & complete command parameters with this say $rm -rf /* or custom scripts such as $./foo 10.0.0.1
My requirement is to log *EVERYTHING* the command and its associated flags and parameters.

Thanks

By: Rahul Panwar

Rahul Panwar — Fri, 28 Aug 2009 10:05:45 +0000

I started the “psacct” service, but still “accton” is not showing any output while other commands are working like sa, lastcomm & ac.
Where am i doing wrong?