
USER_TTY - should it display non-root data?

alexgwilkinson
Explorer

Hi there,

I have the Linux Auditd add-on working perfectly! IMO one of the best Splunk add-ons I have ever used.

Quick question: I can see all keystroke data executed by root but not by any other users. Is this expected behaviour? Or should I see keystroke data for ALL users in the USER_TTY panel?

Thanks

-Alex


doksu
Contributor

Thanks for the feedback @alexgwilkinson 🙂

I think the issue might be that PAM is configured on the host(s) to only log for the root user. To check, run the following search, then look at the auid field: [|inputlookup auditd_indicies] [|inputlookup auditd_sourcetypes] type="USER_TTY"

If there are only events for auid=0, then it supports the theory of a problem with the PAM config, specifically the "enable" parameter to pam_tty_audit.so. Please see an example here of how to configure it to log for all users: https://github.com/doksu/splunk_auditd/wiki/About-Auditd#enable-tty-logging


doksu
Contributor

The search in the User TTY dashboard uses user=* by default in the search arguments. That user field is automatically populated by the posix_identities lookup (via props.conf) by translating the auid field value to a user, so if that lookup can't translate an auid to a user it may result in events not showing up in the dashboard. For this reason I suspect that the identities may not be populated correctly. I suggest checking that your identities are being populated correctly by looking at each of the panes in the Help Dashboard.


alexgwilkinson
Explorer

Running the following I most definitely get user tty output:

#sudo aureport --tty -ts today

...

336. 28/05/18 12:22:23 2490591 571 ? 43278 zsh <^L>,"cd /op",<tab>,"spl",<tab>,"bin",<tab>,<^U>,"cd",<backspace>,<backspace>,<backspace>,"cd doc",<tab>,"pro",<tab>,<nl>,"ls -l",<nl>,"cd spl",<tab>,"app",<tab>,<nl>,"cd Li",<tab>,<nl>,"ls ",<^U>,"less Li",<tab>,<^L>,<nl>,<^D>

...

alexgwilkinson
Explorer

Hi,

Running the aforementioned search returns the auid populated, e.g.:

type=USER_TTY msg=audit(1527122575.703:2401630): pid=104782 uid=0 auid=571 ses=40954 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 data="ls"

I have followed your documentation with a fine-tooth comb. This is what I have for PAM (on RHEL 7.5):

/etc/pam.d/password-auth

session     required      pam_tty_audit.so enable=*

/etc/pam.d/system-auth

session     required      pam_tty_audit.so enable=*

Interestingly the following command yields zero results:

#sudo grep USER_TTY /var/log/audit/audit.log
#

Can you point me in a direction as to how to make this work?

I presume from your response that the expected behavior of the USER_TTY panel is to present non-uid-0 keystroke data?

Thanks!

-Alex

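An added example, not code from this thread or from the splunk_auditd app: a small Python script that performs offline the two checks discussed above. It parses USER_TTY records in the key=value format shown in the audit.log line earlier in the thread, counts them per auid, and lists any auid that a posix_identities-style lookup cannot translate to a user, which is the condition under which a user=* dashboard search would hide those events. The log lines and the auid-to-user map are constructed samples, not data from the poster's host.

```python
import re
from collections import Counter

# Constructed sample audit records in auditd's key=value layout (not from the thread's host).
SAMPLE_AUDIT_LOG = """\
type=USER_TTY msg=audit(1527122575.703:2401630): pid=104782 uid=0 auid=571 ses=40954 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 data="ls"
type=USER_TTY msg=audit(1527122580.110:2401640): pid=104790 uid=0 auid=0 ses=40955 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 data="cd /opt"
type=USER_TTY msg=audit(1527122590.220:2401650): pid=104801 uid=1001 auid=1001 ses=40956 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 data="less Linux"
type=SYSCALL msg=audit(1527122591.000:2401651): arch=c000003e syscall=59 success=yes exit=0 auid=571 ses=40954
"""

# Constructed stand-in for the posix_identities lookup (auid -> user). auid 571 is
# deliberately absent to reproduce the "lookup can't translate the auid" case.
POSIX_IDENTITIES = {0: "root", 1001: "alice"}

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one auditd line into a dict of fields, stripping quotes from quoted values."""
    return {key: val.strip('"') for key, val in KV_RE.findall(line)}


def user_tty_by_auid(log_text):
    """Count USER_TTY records per auid (the equivalent of type="USER_TTY" then inspecting auid)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "USER_TTY" and "auid" in rec:
            counts[int(rec["auid"])] += 1
    return counts


def unresolved_auids(log_text, identities):
    """auids that have USER_TTY records but no entry in the identities lookup.

    Records for these auids get no 'user' value, so a user=* search never shows them:
    the keystrokes were logged, they are just invisible in the dashboard.
    """
    return sorted(auid for auid in user_tty_by_auid(log_text) if auid not in identities)


if __name__ == "__main__":
    print("USER_TTY records per auid:", dict(user_tty_by_auid(SAMPLE_AUDIT_LOG)))
    print("auids missing from identities:", unresolved_auids(SAMPLE_AUDIT_LOG, POSIX_IDENTITIES))
```

If only auid=0 shows up in the per-auid counts, the PAM enable= setting is the place to look; if other auids appear but are listed as unresolved, the identities lookup is the problem.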