topic USER_TTY - should it display NON root data ? in All Apps and Add-ons

USER_TTY - should it display NON root data ?

alexgwilkinson — Sat, 26 May 2018 13:39:30 GMT

Hi there,

I have the Linux Auditd add working perfectly! IMO one of the best Splunk I have ever used.

Quick question: I can see all keystroke data executed by root by not by any other users. Is this expected behaviour? Or should I see keystrokes data for ALL users in the USER_TTY panel ?

Thanks

-Alex

Re: USER_TTY - should it display NON root data ?

doksu — Tue, 29 Sep 2020 19:42:21 GMT

Thanks for the feedback @alexgwilkinson 🙂

I think the issue might be that PAM is configured on the host/s to only log for the root user. To check, run the following search then look at the auid field: [|inputlookup auditd_indicies] [|inputlookup auditd_sourcetypes] type="USER_TTY"

If there are only events for auid=0, then it supports the theory of a problem with the PAM config, specifically the "enable" parameter to pam_tty_audit.so. Please see an example here of how to configure it to log for all users: https://github.com/doksu/splunk_auditd/wiki/About-Auditd#enable-tty-logging

Re: USER_TTY - should it display NON root data ?

alexgwilkinson — Mon, 28 May 2018 02:16:49 GMT

Hi,

Running the aforementioned search returns the auid populated e.g.

type=USER_TTY msg=audit(1527122575.703:2401630): pid=104782 uid=0 auid=571 ses=40954 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 data="ls"

I have followed your documentation with a fine tooth comb. This is what I have for PAM (on RHEL 7.5):

/etc/pam.d/password-auth

session     required      pam_tty_audit.so enable=*

/etc/pam.d/system-auth

session     required      pam_tty_audit.so enable=*

Interestingly the following command yields zero results:

#sudo grep USER_TTY /var/log/audit/audit.log
#

Can you point me in a direction as to how to make this work ?

I presume from your response the expected behavior of the USER_TTY panel is to present non uid 0 keystroke data ?

Thanks!

-Alex

Re: USER_TTY - should it display NON root data ?

alexgwilkinson — Mon, 28 May 2018 02:28:37 GMT

Running the following I most definitely get user tty output:

#sudo aureport --tty -ts today

...

336. 28/05/18 12:22:23 2490591 571 ? 43278 zsh <^L>,"cd /op",<tab>,"spl",<tab>,"bin",<tab>,<^U>,"cd",<backspace>,<backspace>,<backspace>,"cd doc",<tab>,"pro",<tab>,<nl>,"ls -l",<nl>,"cd spl",<tab>,"app",<tab>,<nl>,"cd Li",<tab>,<nl>,"ls ",<^U>,"less Li",<tab>,<^L>,<nl>,<^D>

...

Re: USER_TTY - should it display NON root data ?

doksu — Tue, 29 May 2018 00:52:34 GMT

The search in the User TTY dashboard uses user=* by default in the search arguments. That user field is automatically populated by the posix_identities lookup (via props.conf) by translating the auid field value to user, so if that lookup can't translate an auid to a user it may result it events not showing up in the dashboard. For this reason I suspect that the identities may not be populated correctly. I suggest checking your identities are being populated correctly by looking at each of the panes in the Help Dashboard.