Tracking user actions with the Linux Audit Subsystem

I was given a mandate to log “what the users are doing” on the Minerva cluster system at Mount Sinai. Actually, the original mandate was more prescriptive: implement an auditing ssh daemon on the login nodes.

So that’s what I started doing… or, trying to do. I grabbed the source for auditing ssh, which was, unfortunately, a big custom-patched tarball of openssh, hpn-ssh, and the auditing patches. There was a Red Hat specfile included, so I went to work building a set of packages from these sources.

Unfortunately, my packages, when installed, didn’t function. I say unfortunately, but it might have turned out to be a blessing in disguise. As I researched why my new auditing sshd wasn’t allowing any users to log in (explicitly, with a denied action) I kept coming up against a more general-purpose Linux audit system, built into the kernel.

I had seen bits of this system in use before. I had seen pam_loginuid in default pam stacks before, and anyone who has come up against selinux knows about /var/log/audit/audit.log; but I didn’t appreciate just how flexible the linux audit subsystem is, right down to, if we really want, the ability to log every tty keystroke. (That said, I think we really only need to log execs; but we’ll see.)

Introduction

The linux audit system is a kernel subsystem paired with a userspace daemon that, based on a set of rules stored at /etc/audit/audit.rules, maintains an audit log of events that take place in the kernel, either by instrumenting specific syscalls (e.g., open, execve) or by watching for access to specific inodes (e.g., to track changes to sensitive files.)

In particular, the Linux audit subsystem can be used in the implementation of a Controlled Access Protection Profile as defined by the NSA. Red Hat ships a ruleset, capp.rules, with the audit daemon to implement such a policy.

Goals

  • Track user access from login to logout as a single user.
  • Log all user actions.

User tracking

$ grep pam_loginuid /etc/pam.d/*
/etc/pam.d/crond:session    required   pam_loginuid.so
/etc/pam.d/login:session    required     pam_loginuid.so
/etc/pam.d/remote:session    required     pam_loginuid.so
/etc/pam.d/sshd:session    required     pam_loginuid.so
/etc/pam.d/ssh-keycat:session    required     pam_loginuid.so

Audit rules

-a exit,always -F arch=b32 -S execve
-a exit,always -F arch=b64 -S execve

Reporting script

$ sudo ausearch -r | audit-commands

audit-commands.py

https://www.centos.org/docs/5/html/5.1/Deployment_Guide/rhlcommon-section-0081.html