I was given a mandate to log “what the users are doing” on the Minerva cluster system at Mount Sinai. Actually, the original mandate was more prescriptive: implement an auditing ssh daemon on the login nodes.
So that’s what I started doing… or, trying to do. I grabbed the source for auditing ssh, which was, unfortunately, a big custom-patched tarball of openssh, hpn-ssh, and the auditing patches. There was a Red Hat specfile included, so I went to work building a set of packages from these sources.
Unfortunately, my packages, when installed, didn’t function. I say unfortunately, but it might have turned out to be a blessing in disguise. As I researched why my new auditing sshd wasn’t allowing any users to log in (explicitly, with a denied action) I kept coming up against a more general-purpose Linux audit system, built into the kernel.
I had seen bits of this system in use before: pam_loginuid in default PAM stacks, and, like anyone else, I had come up against /var/log/audit/audit.log. But I didn't appreciate just how flexible the Linux audit subsystem is, right down to, if we really want, the ability to log every tty keystroke. (That said, I think we really only need to log execs; but we'll see.)
The Linux audit system is a kernel subsystem paired with a userspace daemon that, based on a set of rules stored at /etc/audit/audit.rules, maintains an audit log of events that take place in the kernel, either by instrumenting specific syscalls (e.g., execve) or by watching for access to specific inodes (e.g., to track changes to sensitive files).
In particular, the Linux audit subsystem can be used in the implementation of a Controlled Access Protection Profile as defined by the NSA. Red Hat ships a ruleset for the audit daemon to implement such a policy. Among its goals:
- Track user access from login to logout as a single user.
- Log all user actions.
$ grep pam_loginuid /etc/pam.d/*
/etc/pam.d/crond:session required pam_loginuid.so
/etc/pam.d/login:session required pam_loginuid.so
/etc/pam.d/remote:session required pam_loginuid.so
/etc/pam.d/sshd:session required pam_loginuid.so
/etc/pam.d/ssh-keycat:session required pam_loginuid.so
Logging execs comes down to two rules, one for each syscall ABI:
-a exit,always -F arch=b32 -S execve
-a exit,always -F arch=b64 -S execve
$ sudo ausearch -r | audit-commands
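As an added example (not the author's audit-commands script), here is a small parser in the same spirit: it reads raw records of the kind `ausearch -r` prints, groups them by event serial, rebuilds each execve as a command line, and carries the pam_loginuid auid along so the command is attributed to the login user even after su or sudo. The sample records are constructed for this example.

```python
import re

# Constructed sample in the raw record format of /var/log/audit/audit.log (`ausearch -r` output); values invented.
SAMPLE_RAW = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="ls" exe="/bin/ls" key="exec"
type=EXECVE msg=audit(1364481363.243:24287): argc=3 a0="ls" a1="-l" a2="/etc"
type=SYSCALL msg=audit(1364481363.250:24288): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=3538 pid=3540 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="exec"
type=EXECVE msg=audit(1364481363.250:24288): argc=2 a0="cat" a1=6D792066696C652E747874
type=CWD msg=audit(1364481363.250:24288):  cwd="/home/alice"
"""
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+(?:\[\d+\])?)=("[^"]*"|\S+)')

def decode_arg(raw):
    """EXECVE arguments are quoted when printable, else hex-encoded and unquoted."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    except ValueError:
        return raw

def execve_argv(fields):
    """Rebuild argv; an oversized argument arrives split as a{i}[0], a{i}[1], ..."""
    argv = []
    for i in range(int(fields.get('argc', 0))):
        chunks = [v for k, v in fields.items() if k == f'a{i}' or k.startswith(f'a{i}[')]
        argv.append(''.join(decode_arg(c) for c in chunks))
    return argv

def reconstruct_commands(raw_text):
    """Group records by event serial; join SYSCALL, EXECVE and CWD into one command."""
    events = {}
    for line in raw_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:        # skips blank lines and ausearch's '----' event separators
            continue
        rtype, ts, serial, body = m.groups()
        events.setdefault(int(serial), {})[rtype] = dict(FIELD_RE.findall(body), _ts=float(ts))
    commands = []
    for serial in sorted(events):
        ev = events[serial]
        if 'SYSCALL' not in ev or 'EXECVE' not in ev:
            continue     # not an execve event (e.g. a file-watch hit)
        sc = ev['SYSCALL']
        commands.append({'serial': serial, 'time': sc['_ts'], 'uid': int(sc['uid']),
                         'auid': int(sc['auid']),  # login uid set by pam_loginuid; survives su/sudo
                         'cwd': ev.get('CWD', {}).get('cwd', '""').strip('"'),
                         'success': sc.get('success') == 'yes', 'argv': execve_argv(ev['EXECVE'])})
    return commands
```

Feed it the output of `ausearch -r` (or the raw log file) on stdin and print each command with its auid to get the "who ran what" view the mandate asks for.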