EPM-L and EPM-UL have extensive ability to log privileged access and sessions. You can use pbsh and pbksh to log and record unprivileged sessions, however the problems with that are twofold. Firstly, the pb-shell environments are incompatible with Advanced Control and Audit rules, and secondly, the shell environments are out of date compared to modern shells. Because of their age they lack features like command argument completion, wildcard completion, a directory history stack and others. Maybe a modern shell such as bash, zsh or fish will get integrated into the product one day.
The first issue is easily taken care of by normal DAC file system permissions; they are unprivileged users after all. The second issue is more complex and could be solved by simply forcing people to use pbksh, but there is a method of logging that is secure and respects the user's choice of shell: a combination of PAM (the Linux Pluggable Authentication Modules) and auditd.
Auditd relies on kernel-side system call processing, which means an unprivileged user cannot interfere with, or modify, the configuration that has been set up. The system calls pass through filters and are then logged.
For PAM we're going to use the pam_tty_audit module. The module has two main options, disable= and enable=, which disable or enable tty auditing for users matching a pattern. For example, disable=* enable=mcdavis,hmlee would disable auditing for all users except mcdavis and hmlee.
The other option we're going to use is log_passwd. By default, if a CLI tool doesn't echo characters, like when you change a password, the keys won't get logged. I want to log everything, even if the user can't see it.
As I'm using an EL9 distribution I can't just edit the PAM files directly, as they're managed by authselect, so the first thing I need to do is create my own authselect profile:
authselect create-profile tty-log -b minimal --symlink-meta --symlink-nsswitch
This creates a profile called tty-log that is based on the "minimal" profile. As I don't want to change anything to do with nsswitch or the meta files, I've told the command to symlink those from the minimal profile. I do want to change the system-auth and password-auth files, so authselect has made copies of them in the tty-log directory.
If I want to log every user I can add the following at the bottom of both files:
session required pam_tty_audit.so enable=* log_passwd
Now that this is complete I can activate my authselect profile with authselect select custom/tty-log --force
After this it's probably easiest to ensure the configuration is applied with a reboot.
You can review the log using aureport --tty. This will show output like the one below:
[root@rhel9-3-2024-6-20 ~]# aureport --tty
TTY Report
===============================================
# date time event auid term sess comm data
===============================================
... 8. 02/05/25 09:22:06 120 1000 pts1 3 vim <esc>,"p2;2R",<esc>,"t3;1R",<esc>,"t>0;10;1c",<esc>,"t?12;2$yiFire everyone\302\254",<backspace>,"!",<esc>,":@",<backspace>,"wq",<ret>
... 23. 02/05/25 09:27:11 148 1000 pts1 3 bash "BTlab1234!",<ret>,"vim /et",<tab>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,"clear",<ret>,"vim my-diary",<ret>,"id",<ret>,"sudo -i",<ret>,"id",<ret>,"ls -l",<ret>,"exit",<ret>
These are two lines from the output. It's useful to know that this log is buffered. In the line starting 23 you can see, halfway along, the command `vim my-diary`, whereas what was typed into the file is actually recorded at line 8. Line 8 was flushed to the log when the file being edited was closed; line 23 was flushed when the user logged out.
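When reviewing these reports at scale it helps to replay the keystroke data into the lines the user actually submitted. The following is an added example, not code from the original post: it parses `aureport --tty` rows (column layout assumed from the output above), applies each `<backspace>`, keeps other keys as `<name>` markers, and decodes audit's octal byte escapes; the sample rows are the two shown above.

```python
import re
# Tokens in the aureport "data" column: quoted typed text (audit writes
# non-printable bytes as \ooo octal escapes) or a key name such as <ret>.
TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|<([^>]+)>')
# One report row: "<n>. <date> <time> <event> <auid> <term> <sess> <comm> <data>"
ROW_RE = re.compile(r'^(?:\.{3}\s*)?(\d+)\.\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+'
                    r'(\S+)\s+(\d+)\s+(\S+)\s+(.*)$')

def unescape(text):
    """Turn audit's octal byte escapes (e.g. \\302\\254) back into UTF-8 text."""
    raw = re.sub(r'\\([0-7]{3})', lambda m: chr(int(m.group(1), 8)), text)
    return raw.encode('latin-1', 'replace').decode('utf-8', 'replace')

def reconstruct_lines(data):
    """Replay keystrokes into the lines submitted with <ret>. Text the shell inserts
    itself (<tab> completion) is never audited, so backspaces may outnumber chars."""
    lines, buf = [], []
    for m in TOKEN_RE.finditer(data):
        if m.group(1) is not None:          # quoted typed text
            buf.extend(unescape(m.group(1)))
        elif m.group(2) == "ret":
            lines.append("".join(buf))
            buf = []
        elif m.group(2) == "backspace":     # drop the previous char or key marker
            buf = buf[:-1]
        else:                               # keep other keys visible as <name>
            buf.append(f"<{m.group(2)}>")
    if buf:                                 # flushed before the user hit <ret>
        lines.append("".join(buf))
    return lines

def parse_tty_report(report):
    """Parse `aureport --tty` output into one dict per row, with replayed lines."""
    rows = []
    for line in report.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:                           # banner, column header or separator
            continue
        n, date, time, event, auid, term, sess, comm, data = m.groups()
        rows.append({"num": int(n), "when": f"{date} {time}", "auid": int(auid),
                     "term": term, "comm": comm, "lines": reconstruct_lines(data)})
    return rows
# Constructed sample: the two rows shown above, laid out as aureport prints them.
SAMPLE = r"""TTY Report
===============================================
# date time event auid term sess comm data
===============================================
... 8. 02/05/25 09:22:06 120 1000 pts1 3 vim <esc>,"p2;2R",<esc>,"t3;1R",<esc>,"t>0;10;1c",<esc>,"t?12;2$yiFire everyone\302\254",<backspace>,"!",<esc>,":@",<backspace>,"wq",<ret>
... 23. 02/05/25 09:27:11 148 1000 pts1 3 bash "BTlab1234!",<ret>,"vim /et",<tab>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,"clear",<ret>,"vim my-diary",<ret>,"id",<ret>,"sudo -i",<ret>,"id",<ret>,"ls -l",<ret>,"exit",<ret>
"""
```

Running `parse_tty_report(SAMPLE)` turns row 23 into the eight submitted lines, with the tab-completed and backspaced attempt collapsed away, and row 8 into the single vim session ending in `:wq`.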
The disadvantages of this method compared to using a pb-shell are:
- There isn’t a nice replay command to step through what the user is doing.
- You’re going to have to have some third-party system to deal with remote logging and aggregation.
- It can’t do any enforcement; it will only record what the user has done.