
Support encoded TTY from audit.log in Linux Auditd app

Intermediate
Path Finder

Hi Doug,

We've recently noticed that despite dutifully collecting TTY keypresses (using pam), Debian/Ubuntu doesn't produce USER_TTY audit events. The OSes seem to only produce TTY events, which are hex encoded.
(We're still trying to find why/how RHEL produces (encoded) TTY and (decoded) USER_TTY events for the same keypress log event.)

Would you be willing to change the way the "User TTY" feature works in your app please? Instead of being strictly "USER_TTY" ideally it would use the "TTY" filter key AND have Splunk decode the hex strings so they remain human-readable in the output of your app?

Thank you muchly!

EDIT: We're just researching the difference between USER_TTY and TTY filter keys in the audit log. It seems I may have misunderstood them and one is for non-root keystrokes, the other for root only. If you have any knowledge of Linux kernel auditing for keypresses, using pam_tty_audit.so please help me understand 🙂 Thanks!


ivarny
Path Finder

I tested on Ubuntu today and also found that only type="TTY" was produced.
(I added the "session required pam_tty_audit.so enable=*" to /etc/pam.d/common-session as /etc/pam.d/password-auth-ac did not seem to get picked up. )

I got the "User TTY" dashboard working fine by editing the dash and setting:
type="USER_TTY" OR type="TTY"
I also added the comm field to the table as that provides additional good insight into what's going on.


xr4nd0mx
Observer

Are you still doing this, or is there a better way? This kind of works, but it's a lot less clean than the root logs. For example, the arrow keys are logged, and it adds spaces between letters when a user tabs. I would love to get it to look exactly as the root logs do for non-root users.


Intermediate
Path Finder

It seems that the TTY and USER_TTY distinction is a Red-Hat distro thing and that Debian-based distros only use a filter key of TTY.

I think there may be another way of distinguishing between root and non-root keystrokes, but I'm not clear how we could apply this to both Red-Hat and Debian-based systems.

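The points raised in this thread (decoding the hex in type=TTY records, matching type="USER_TTY" OR type="TTY" and keeping comm, rendering arrow keys and Tab readably, and telling root from non-root keystrokes) can be exercised in one small decoder. The script below is an added example written for this thread; it is not code from the Linux Auditd app or from any of the posters. The sample audit.log lines are constructed: the TTY lines follow the kernel record layout, where data= holds the hex encoding of the raw bytes typed, while the msg='data=...' layout of the USER_TTY line is an assumption made for this example. The <Tab>, <Up>, <^D> token names are this example's own convention, not aureport's. The root/non-root distinction uses the uid (effective uid at the time of the keystroke) and auid (login uid) fields, which both record types carry.

```python
"""Decode pam_tty_audit keystroke records from a Linux audit.log.

Added example for this thread; it is not code from the Linux Auditd app.
It parses both the kernel's hex-encoded type=TTY records and the
readable type=USER_TTY records, and renders control bytes and terminal
escape sequences (Tab, arrow keys, Ctrl-D) as named tokens so that
non-root sessions read as cleanly as root ones.
"""
import re

# Constructed sample lines in audit.log layout. The TTY lines follow the
# kernel record layout (data= is the hex encoding of the raw bytes typed).
# The msg='data=...' layout of the USER_TTY line is an assumption made
# for this example.
SAMPLE_LOG = """\
type=TTY msg=audit(1700000000.101:201): tty pid=2434 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="bash" data=6C73092D6C0D
type=TTY msg=audit(1700000000.102:202): tty pid=2434 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="bash" data=1B5B411B5B410D
type=TTY msg=audit(1700000000.103:203): tty pid=2434 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="bash" data=7375646F202D6904
type=USER_TTY msg=audit(1700000000.104:204): pid=2500 uid=0 auid=0 ses=4 msg='data=cat /etc/shadow'
type=SYSCALL msg=audit(1700000000.105:205): arch=c000003e syscall=59 success=yes exit=0 comm="cat"
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>TTY|USER_TTY) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value pairs; values may be double-quoted (comm="bash") or
# single-quoted (msg='data=...').
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

# Rendering convention used by this example (not aureport's): multi-byte
# terminal escape sequences first, then single control bytes.
ESCAPE_SEQUENCES = {
    b"\x1b[A": "<Up>", b"\x1b[B": "<Down>",
    b"\x1b[C": "<Right>", b"\x1b[D": "<Left>",
}
CONTROL_BYTES = {0x09: "<Tab>", 0x0A: "<LF>", 0x0D: "<CR>",
                 0x08: "<BS>", 0x7F: "<Del>", 0x1B: "<Esc>"}


def render_keystrokes(raw: bytes) -> str:
    """Turn the raw bytes a user typed into a readable, unambiguous string."""
    out = []
    i = 0
    while i < len(raw):
        for seq, name in ESCAPE_SEQUENCES.items():
            if raw.startswith(seq, i):
                out.append(name)
                i += len(seq)
                break
        else:
            b = raw[i]
            if b in CONTROL_BYTES:
                out.append(CONTROL_BYTES[b])
            elif b < 0x20:
                out.append("<^%s>" % chr(b + 0x40))   # e.g. 0x04 -> <^D>
            elif b < 0x7F:
                out.append(chr(b))
            else:
                out.append("<0x%02X>" % b)             # non-ASCII byte
            i += 1
    return "".join(out)


def parse_tty_record(line: str):
    """Return a dict for a TTY/USER_TTY record, or None for any other record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(m.group("body"))}
    if m.group("type") == "TTY":
        try:
            keystrokes = render_keystrokes(bytes.fromhex(fields.get("data", "")))
        except ValueError:
            keystrokes = "<undecodable:%s>" % fields.get("data", "")
    else:
        # USER_TTY carries already-decoded text inside msg='data=...'
        inner = fields.get("msg", "")
        keystrokes = inner[len("data="):] if inner.startswith("data=") else inner
    return {
        "type": m.group("type"),
        "time": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "auid": fields.get("auid"),   # login uid: who logged in
        "uid": fields.get("uid"),     # effective uid: root or not right now
        "ses": fields.get("ses"),
        "comm": fields.get("comm", ""),
        "keystrokes": keystrokes,
    }


def decode_tty_log(text: str):
    """Decode every TTY/USER_TTY record in an audit.log excerpt, in order."""
    records = [parse_tty_record(l) for l in text.splitlines()]
    return [r for r in records if r is not None]


if __name__ == "__main__":
    for r in decode_tty_log(SAMPLE_LOG):
        who = "root" if r["uid"] == "0" else "auid=%s" % r["auid"]
        print("%-8s %-10s %-5s %s" % (r["type"], who, r["comm"], r["keystrokes"]))
```

Run against a real /var/log/audit/audit.log the same logic applies unchanged for the kernel TTY records; if your USER_TTY records carry their text in a different field layout, adjust the USER_TTY branch of parse_tty_record. The uid/auid split is what lets you separate "root typing" (uid=0) from "a user who became root" (auid=1000, uid=0) without relying on which record type the distro emits.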