
USER_TTY - should it display NON root data ?

alexgwilkinson
Explorer

Hi there,

I have the Linux Auditd add-on working perfectly! IMO one of the best Splunk apps I have ever used.

Quick question: I can see all keystroke data executed by root but not by any other users. Is this expected behaviour? Or should I see keystroke data for ALL users in the USER_TTY panel?

Thanks

-Alex

0 Karma

doksu
Contributor

Thanks for the feedback @alexgwilkinson 🙂

I think the issue might be that PAM is configured on the host/s to only log for the root user. To check, run the following search then look at the auid field: [|inputlookup auditd_indicies] [|inputlookup auditd_sourcetypes] type="USER_TTY"

If there are only events for auid=0, then it supports the theory of a problem with the PAM config, specifically the "enable" parameter to pam_tty_audit.so. Please see an example here of how to configure it to log for all users: https://github.com/doksu/splunk_auditd/wiki/About-Auditd#enable-tty-logging

0 Karma

doksu
Contributor

The search in the User TTY dashboard uses user=* by default in the search arguments. That user field is automatically populated by the posix_identities lookup (via props.conf) by translating the auid field value to a user, so if that lookup can't translate an auid to a user it may result in events not showing up in the dashboard. For this reason I suspect that the identities may not be populated correctly. I suggest checking that your identities are being populated correctly by looking at each of the panes in the Help Dashboard.

0 Karma
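To make the two checks above concrete (look at the auid field, then see whether each auid can be translated to a user), here is an added example that is not code from the add-on: it parses USER_TTY records in auditd's key=value format, counts them per auid, and translates each auid through a constructed identities table standing in for the posix_identities lookup, reporting any auid the table cannot translate. The sample records and the identities table are constructed for this illustration.

```python
import re
from collections import Counter

# Constructed sample records in auditd's key=value format (modelled on the
# record format shown in the thread; pids, serials and commands are made up).
SAMPLE_AUDIT_LOG = """\
type=USER_TTY msg=audit(1527122575.703:2401630): pid=104782 uid=0 auid=571 ses=40954 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 data="ls"
type=USER_TTY msg=audit(1527122580.101:2401631): pid=104790 uid=0 auid=0 ses=40955 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 data="ls -l /opt"
type=USER_TTY msg=audit(1527122590.555:2401632): pid=104801 uid=1001 auid=1001 ses=40956 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 data="cd /opt/splunk"
type=SYSCALL msg=audit(1527122591.000:2401633): arch=c000003e syscall=59 success=yes exit=0 auid=571
"""

# Hypothetical identities table standing in for the posix_identities lookup.
# auid 1001 is deliberately missing to show an untranslatable auid.
IDENTITIES = {0: "root", 571: "alex"}

RECORD_RE = re.compile(r'type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)')
# A field is key=value; the value is either a double-quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line):
    """Parse one audit record into a dict; quoted values lose their quotes."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "time": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec

def user_tty_summary(log_text, identities):
    """Count USER_TTY records per auid, map auids to users through the identities
    table, and list auids that cannot be translated (a user=* filter would drop them)."""
    per_auid = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "USER_TTY" and "auid" in rec:
            per_auid[int(rec["auid"])] += 1
    users = {auid: identities.get(auid) for auid in per_auid}
    untranslated = sorted(a for a, u in users.items() if u is None)
    only_root = set(per_auid) == {0}   # True would support the PAM-config theory
    return {"per_auid": dict(per_auid), "users": users,
            "untranslated": untranslated, "only_root": only_root}
```

If only_root comes back True, the PAM side is the place to look; if it is False but untranslated is non-empty, the events exist and the identities lookup is what hides them from the dashboard.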

alexgwilkinson
Explorer

Running the following I most definitely get user tty output:

#sudo aureport --tty -ts today

...

336. 28/05/18 12:22:23 2490591 571 ? 43278 zsh <^L>,"cd /op",<tab>,"spl",<tab>,"bin",<tab>,<^U>,"cd",<backspace>,<backspace>,<backspace>,"cd doc",<tab>,"pro",<tab>,<nl>,"ls -l",<nl>,"cd spl",<tab>,"app",<tab>,<nl>,"cd Li",<tab>,<nl>,"ls ",<^U>,"less Li",<tab>,<^L>,<nl>,<^D>

...

0 Karma

alexgwilkinson
Explorer

Hi,

Running the aforementioned search returns the auid populated e.g.

type=USER_TTY msg=audit(1527122575.703:2401630): pid=104782 uid=0 auid=571 ses=40954 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 data="ls"

I have followed your documentation with a fine-tooth comb. This is what I have for PAM (on RHEL 7.5):

/etc/pam.d/password-auth

session     required      pam_tty_audit.so enable=*

/etc/pam.d/system-auth

session     required      pam_tty_audit.so enable=*

Interestingly the following command yields zero results:

#sudo grep USER_TTY /var/log/audit/audit.log
#

Can you point me in a direction as to how to make this work?

I presume from your response that the expected behavior of the USER_TTY panel is to present non-uid-0 keystroke data?

Thanks!

-Alex

0 Karma