The pam_tty_audit module works together with the auditd daemon, so make sure auditd is started and enabled before configuring pam_tty_audit. Follow the steps below to configure it.
Edit the /etc/pam.d/system-auth and /etc/pam.d/password-auth files and add a user list to enable or disable terminal auditing. Note that pam_tty_audit evaluates its options in order: a later enable= or disable= overrides an earlier one for the same user, so an exclusion must come after enable=*.

# Audit all users and disable auditing for user1,user2
session required pam_tty_audit.so enable=* disable=user1,user2

# Audit user1,user2,user3 and disable tty auditing for all other users.
session required pam_tty_audit.so disable=* enable=user1,user2,user3

# Audit all users
session required pam_tty_audit.so enable=*
By default, pam_tty_audit does not log keystrokes while the TTY is in password-entry mode. Logging of those keystrokes can be re-enabled by adding the log_passwd option alongside the other options, in the following form:

session required pam_tty_audit.so enable=* disable=user1,user2 log_passwd
Example PAM configuration for terminal auditing

Configuration in the /etc/pam.d/system-auth file:

# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_tty_audit.so enable=* disable=user1   ### <<<<<<<<<<<<<<<<<<<<<<<<<<<
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
Configuration in the /etc/pam.d/password-auth file:

# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_tty_audit.so enable=* disable=user1   ### <<<<<<<<<<<<<<<<<<<<<<<<<<<
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
Verifying the PAM tty audit configuration

# aureport --tty

TTY Report
===============================================
# date time event auid term sess comm data
===============================================
1. 09/13/2019 22:30:36 133 0 ? 1 bash "> /va",<tab>,"log",<tab>,"aud",<tab>,<backspace>,<tab>,<tab>,<ret>
2. 09/13/2019 22:30:36 134 0 ? 1 ? "> /var/log/audit/audit.log "
3. 09/13/2019 22:30:38 135 0 ? 1 bash <^L>,<up>,<up>,<ret>
4. 09/13/2019 22:30:38 136 0 ? 1 ? "aureport --tty"
5. 09/13/2019 22:31:28 137 0 ? 1 bash "df -h",<ret>
6. 09/13/2019 22:31:28 138 0 ? 1 ? "df -h"
7. 09/13/2019 22:34:51 236 1001 ? 4 bash <^L>,"df -h",<ret>,"ls /tmp",<ret>,"ls /root",<ret>,"ls /etc",<ret>,<^L>,"df -h",
In the output above, reports 1 to 6 were generated for the root account and report 7 for account 1001 (user2). Normally each bash keystroke sequence of the root account is logged on a separate line, whereas a regular user's complete command history is saved on a single line when that user logs out. We can see that the root account ran the df -h and > /var/log/audit/audit.log commands, and that regular user 1001 ran bash, df -h, ls /tmp, df -h and other commands.
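The report rows above are plain text, so a defender can post-process them. The following parser is an added example and is not part of the original page: it splits each row of the aureport --tty format into its fields, turns the keystroke list in the data column into the lines the user finished with <ret> (handling <backspace>, and ignoring <tab>, <^L> and <up>, so tab-completed text is only visible in the companion comm="?" record that carries the full command line), groups commands by auid and session, and flags any command that touches the audit log path. The sample rows are constructed from the report above; the path pattern and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the row format printed by `aureport --tty` (taken from the report above).
SAMPLE = """\
1. 09/13/2019 22:30:36 133 0 ? 1 bash "> /va",<tab>,"log",<tab>,"aud",<tab>,<backspace>,<tab>,<tab>,<ret>
2. 09/13/2019 22:30:36 134 0 ? 1 ? "> /var/log/audit/audit.log "
5. 09/13/2019 22:31:28 137 0 ? 1 bash "df -h",<ret>
6. 09/13/2019 22:31:28 138 0 ? 1 ? "df -h"
7. 09/13/2019 22:34:51 236 1001 ? 4 bash <^L>,"df -h",<ret>,"ls /tmp",<ret>,"ls /root",<ret>
"""

# num. date time event auid term sess comm data
ROW = re.compile(r'^\d+\.\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(.*)$')
# data column: comma-separated "typed text" strings and <key> names
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|<([^>]+)>')
# hypothetical watch pattern: commands that write to or remove the audit trail itself
SENSITIVE = re.compile(r'/var/log/audit')

def decode_keys(data):
    """Return the lines the user completed with <ret>, applying <backspace>.
    Text inserted by tab completion is not recoverable from keystrokes alone."""
    lines, buf = [], ''
    for text, key in TOKEN.findall(data):
        if text:
            buf += text
        elif key == 'ret':
            lines.append(buf)
            buf = ''
        elif key == 'backspace':
            buf = buf[:-1]
        # <tab>, <^L>, <up> and similar keys add no printable text
    return lines

def parse_report(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, separators and blank lines
        _date, _time, _event, auid, _term, sess, comm, data = m.groups()
        # comm "?" rows carry the executed command line verbatim; bash rows carry keystrokes
        cmds = [data.strip('"').strip()] if comm == '?' else decode_keys(data)
        rows.append({'auid': int(auid), 'sess': int(sess), 'comm': comm, 'cmds': cmds})
    return rows

def commands_by_session(rows):
    out = defaultdict(list)
    for r in rows:
        out[(r['auid'], r['sess'])].extend(r['cmds'])
    return dict(out)

def audit_log_tampering(rows):
    return [(r['auid'], r['sess'], c) for r in rows for c in r['cmds'] if SENSITIVE.search(c)]
```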
To search TTY input logs whose timestamp is at or after a given time, use -ts to specify the start date/time and -te to set the end date/time:

# aureport --tty -ts 09/14/2019 00:00:00 -te 09/15/2019 23:00:00
# aureport --tty -ts this-week
For more details, see the pam_tty_audit manual page:

$ man pam_tty_audit