Monitoring Splunk

SSH audit trail

Simon
Contributor

Dear splunkers 🙂

I'm aware this is less a Splunk question rather than a linux question, but did anybody of you implement kind of a SSH audit trail? I'm searching for a solution to get a command history of SSH (or even tty) logged-in users. I've found some shell wrappers like sudosh, rootsh, snoopy and so on but all of them have some disadvantages like only binary log format or it was not enough configurable (I don't want the commands output but its arguments).

Thanks everyone for helping.
Simon

Tags (1)
1 Solution

Wilcooley
Path Finder

@simon Funny you should ask... I've been looking into this stuff myself recently

For starters, set LogLevel in sshd_config to VERBOSE instead of INFO (usually the default). This will log the SSH key fingerprint the public key authentication is used, which can be very helpful if you have multiple people logging in to a shared account. (You'll have to use a Splunk transaction to associate the key with the user.)

Secondly, you can use the Linux audit subsystem to actually audit the commands that are run by auditing the execve system call. On RHEL and Ubuntu, there is an audit[d] package; you probably want to use the system-config-audit to set up the auditing rules.

In your SSH PAM config, add the pam_loginuid session module if it's not already there (RH has it by default); this sets the auid attribute in the process to the UID of the user logging in, so even if you run sudo the original login UID is retained.

From there, you can use the ausearch command to search in the binary log or enable syslog in /etc/audisp/plugins.d/syslog.conf, which you can then index with Splunk.

View solution in original post

Simon
Contributor

Another solution for anyone who's interested:
Starting from version 4.1.x, Bash starts supporting writing the bash history to syslog natively.
Most recent Linux distribution releases, e.g. CentOS 6.x, include a bash version above 4.1. For older OS levels, I had to build an own bash 4.1 RPM, but this worked perfectly fine.

0 Karma

gabyf2000
Engager

Check out ObserveIT SSH Audit, they have the best ssh recording solution, it records at the TTY level as well at the process level, therefore it will capture commands within scripts...
Here is a short video that shows how it works
http://www.youtube.com/watch?v=G2M94IvTbe0&feature=player_embedded

They also have a connector for splunk 🙂

Wilcooley
Path Finder

@simon Funny you should ask... I've been looking into this stuff myself recently

For starters, set LogLevel in sshd_config to VERBOSE instead of INFO (usually the default). This will log the SSH key fingerprint the public key authentication is used, which can be very helpful if you have multiple people logging in to a shared account. (You'll have to use a Splunk transaction to associate the key with the user.)

Secondly, you can use the Linux audit subsystem to actually audit the commands that are run by auditing the execve system call. On RHEL and Ubuntu, there is an audit[d] package; you probably want to use the system-config-audit to set up the auditing rules.

In your SSH PAM config, add the pam_loginuid session module if it's not already there (RH has it by default); this sets the auid attribute in the process to the UID of the user logging in, so even if you run sudo the original login UID is retained.

From there, you can use the ausearch command to search in the binary log or enable syslog in /etc/audisp/plugins.d/syslog.conf, which you can then index with Splunk.

Simon
Contributor

This is great, thank you!
Can you post some examples of your rules?
Did you manage to get all command arguments logged by auditd?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...