
Support encoded TTY from audit.log in Linux Auditd app

Intermediate
Path Finder

Hi Doug,

We've recently noticed that despite dutifully collecting TTY keypresses (using pam) Debian/Ubuntu doesn't produce USER_TTY audit events. The OSes seem to only produce TTY events, which are hex encoded.
(We're still trying to find why/how RHEL produces (encoded) TTY and (decoded) USER_TTY events for the same keypress log event.)

Would you be willing to change the way the "User TTY" feature works in your app please? Instead of being strictly "USER_TTY" ideally it would use the "TTY" filter key AND have Splunk decode the hex strings so they remain human-readable in the output of your app?

Thank you muchly!

EDIT: We're just researching the difference between USER_TTY and TTY filter keys in the audit log. It seems I may have misunderstood them and one is for non-root keystrokes, the other for root only. If you have any knowledge of Linux kernel auditing for keypresses, using pam_tty_audit.so please help me understand 🙂 Thanks!

0 Karma
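As an added example (not code from this thread, from the Linux Auditd app, or from Splunk), here is a small Python parser that accepts both type=TTY and type=USER_TTY records and turns the hex-encoded data= field into readable keystrokes, rendering control bytes such as Enter, Tab and the escape sequences behind the arrow keys as named tokens. The audit.log lines are constructed for the demonstration, not real captures.

```python
import re

# Constructed sample records in the two shapes the thread discusses: a kernel
# TTY record (data= at top level) and a USER_TTY record (data= nested in msg='').
SAMPLE_LOG = """\
type=TTY msg=audit(1700000000.123:456): tty pid=2201 uid=1000 auid=1000 ses=3 major=136 minor=1 comm="bash" data=6C73202D6C610D
type=USER_TTY msg=audit(1700000001.456:457): pid=2300 uid=0 auid=0 ses=4 msg='data=77686F616D690D'
type=TTY msg=audit(1700000002.789:458): tty pid=2201 uid=1000 auid=1000 ses=3 major=136 minor=1 comm="bash" data=1B5B410D
type=SYSCALL msg=audit(1700000003.000:459): arch=c000003e syscall=59 success=yes exit=0
"""

AUDIT_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

# Bytes worth naming so the output stays on one line and stays readable.
CONTROL_NAMES = {0x0D: "<CR>", 0x0A: "<LF>", 0x09: "<TAB>", 0x1B: "<ESC>",
                 0x7F: "<DEL>", 0x03: "<^C>", 0x04: "<^D>", 0x08: "<BS>"}


def parse_audit_line(line):
    """Split one audit.log line into a dict of key=value fields (None if not audit format)."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "time": float(m.group("ts")), "serial": int(m.group("serial"))}
    for k, v in FIELD_RE.findall(m.group("body")):
        rec[k] = v.strip("\"'")
    # USER_TTY records carry data= inside the quoted msg='...' payload; lift it out.
    if "msg" in rec and "data" not in rec:
        for k, v in FIELD_RE.findall(rec["msg"]):
            rec[k] = v.strip("\"'")
    return rec


def decode_tty_data(hex_data):
    """Decode pam_tty_audit's hex keystroke string; returns None if it is not valid hex."""
    try:
        raw = bytes.fromhex(hex_data)
    except ValueError:
        return None
    return "".join(CONTROL_NAMES.get(b, chr(b) if 0x20 <= b < 0x7F else "<%02X>" % b) for b in raw)


def tty_keystrokes(log_text):
    """Return decoded keystroke rows for every TTY or USER_TTY record in the log text."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec["type"] not in ("TTY", "USER_TTY") or "data" not in rec:
            continue
        rows.append({"type": rec["type"], "auid": rec.get("auid"),
                     "comm": rec.get("comm"), "keys": decode_tty_data(rec["data"])})
    return rows
```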

ivarny
Path Finder

I tested on Ubuntu today and also found that only type="TTY" was produced.
(I added "session required pam_tty_audit.so enable=*" to /etc/pam.d/common-session, as /etc/pam.d/password-auth-ac did not seem to get picked up.)

I got the "User TTY" dashboard working fine by editing the dash and setting:
type="USER_TTY" OR type="TTY"
I also added the comm field to the table as that provides additional good insight into what's going on.

0 Karma

xr4nd0mx
Observer

Are you still doing this, or is there a better way? This kind of works, but it's a lot less clean than the root logs. For example, the arrow keys log, and it adds spaces between letters when a user tabs. I would love to get it to look exactly as the root logs do for non-root users.

0 Karma

Intermediate
Path Finder

It seems that the TTY and USER_TTY distinction is a Red-Hat distro thing and that Debian-based distros only use a filter key of TTY.

I think there may be another way of distinguishing between root and non-root keystrokes, but I'm not clear how we could apply this to both Red-Hat and Debian-based systems.

0 Karma