Dear splunkers 🙂
I'm aware this is less a Splunk question than a Linux question, but did any of you implement some kind of an SSH audit trail? I'm searching for a solution to get a command history of SSH (or even tty) logged-in users. I've found some shell wrappers like sudosh, rootsh, snoopy and so on, but all of them have some disadvantages, like only a binary log format or not being configurable enough (I don't want the command's output, only its arguments).
Thanks everyone for helping.
Simon
@simon Funny you should ask... I've been looking into this stuff myself recently.
For starters, set LogLevel in sshd_config to VERBOSE instead of INFO (usually the default). This will log the SSH key fingerprint when public key authentication is used, which can be very helpful if you have multiple people logging in to a shared account. (You'll have to use a Splunk transaction to associate the key with the user.)
Secondly, you can use the Linux audit subsystem to actually audit the commands that are run by auditing the execve system call. On RHEL and Ubuntu, there is an audit[d] package; you probably want to use system-config-audit to set up the auditing rules.
In your SSH PAM config, add the pam_loginuid session module if it's not already there (RH has it by default); this sets the auid attribute in the process to the UID of the user logging in, so even if you run sudo, the original login UID is retained.
From there, you can use the ausearch command to search in the binary log or enable syslog in /etc/audisp/plugins.d/syslog.conf, which you can then index with Splunk.
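Added example (not code from any poster above): a small Python parser for the SYSCALL/EXECVE record pairs an execve audit rule produces, joining them by audit serial so each command is shown with its auid (the value pam_loginuid sets) next to the effective uid, and decoding the hex-encoded arguments auditd emits for strings containing spaces. It assumes a rule such as -a always,exit -F arch=b64 -S execve -k exec_cmds; the log lines below are constructed samples, not real captures.

```python
import re
from collections import defaultdict

# Constructed sample records in the format auditd writes (audisp-syslog forwards the
# same text with a syslog prefix). Second event: user auid=500 ran a command as root
# (uid=0) after sudo; the third argument is hex-encoded because it contains spaces.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=2686 pid=3538 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ls" exe="/bin/ls" key="exec_cmds"
type=EXECVE msg=audit(1364481363.243:24287): argc=3 a0="ls" a1="-la" a2="/tmp"
type=SYSCALL msg=audit(1364481370.101:24288): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=2686 pid=3540 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/sh" key="exec_cmds"
type=EXECVE msg=audit(1364481370.101:24288): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F20776F726C64
"""

# type, timestamp, serial, and the key=value body; search() tolerates a syslog prefix
EVENT_RE = re.compile(r'type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_value(raw):
    """auditd quotes plain strings and hex-encodes ones with spaces/control chars."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if re.fullmatch(r'(?:[0-9A-F]{2})+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_audit_log(text):
    """Join SYSCALL and EXECVE records by serial; return one dict per executed command."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events[serial]
        ev['time'] = float(ts)
        fields = dict(FIELD_RE.findall(body))
        if rtype == 'SYSCALL':
            ev['auid'] = int(fields.get('auid', -1))   # original login UID
            ev['uid'] = int(fields.get('uid', -1))     # UID the command ran as
            ev['exe'] = decode_value(fields.get('exe', ''))
            ev['tty'] = fields.get('tty', '')
        elif rtype == 'EXECVE':
            argc = int(fields['argc'])
            ev['argv'] = [decode_value(fields[f'a{i}']) for i in range(argc)]
    return [ev for _, ev in sorted(events.items(), key=lambda kv: int(kv[0]))
            if 'argv' in ev]


if __name__ == '__main__':
    for ev in parse_audit_log(SAMPLE_LOG):
        print(f"auid={ev['auid']} uid={ev['uid']} tty={ev['tty']} argv={ev['argv']}")
```

Multi-record EXECVE splits for very long argument lists (a1[0], a1[1], ...) are not handled here.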
Another solution for anyone who's interested:
Starting from version 4.1.x, Bash natively supports writing the bash history to syslog.
Most recent Linux distribution releases, e.g. CentOS 6.x, include a bash version above 4.1. For older OS levels, I had to build my own bash 4.1 RPM, but this worked perfectly fine.
Check out ObserveIT SSH Audit; they have the best SSH recording solution. It records at the TTY level as well as at the process level, therefore it will capture commands within scripts...
Here is a short video that shows how it works
http://www.youtube.com/watch?v=G2M94IvTbe0&feature=player_embedded
They also have a connector for splunk 🙂
This is great, thank you!
Can you post some examples of your rules?
Did you manage to get all command arguments logged by auditd?