How to Configure PAM to Audit Logging Shell User Activity?

In today's digital age, security is of utmost importance. The rise of cyber threats and data breaches has shown that no system is completely safe. System administrators and IT professionals must take proactive measures to protect their systems and data.

One such measure is the use of Pluggable Authentication Modules (PAM) for user authentication. PAM is a powerful tool that allows system administrators to customize the authentication process for their systems. It enables the use of multiple authentication methods, such as passwords, tokens, and biometrics, among others. This flexibility makes it easier for administrators to manage access controls and ensure that only authorized users can access sensitive data.

Understanding PAM and Auditd

PAM (Pluggable Authentication Modules)

PAM, or Pluggable Authentication Modules, is a security feature in most Linux systems that allows administrators to configure how users authenticate. With PAM, admins can set authentication rules for specific applications, services or system components. This adds an extra layer of security to the system by letting admins control how users log in and access resources.

Auditd (Audit Daemon)

Auditd is the audit daemon which runs on Linux systems to monitor various events happening on the system. It logs a range of events including kernel events, application logs and system calls. The audit daemon provides detailed information about user activity on the system, including who performed what actions and when they did it.

How PAM and Auditd Work Together

PAM and Auditd work together to provide a comprehensive solution for user activity logging. When a user logs in through PAM, the login generates an authentication event that auditd records, telling you who logged in and when. The session modules loaded by PAM (such as pam_tty_audit) and the audit rules you define then record what the user did during the session and when they logged out.

By combining these two tools, administrators can track all user activity on the system and be alerted to any suspicious behavior. Understanding these two tools helps implement security auditing on Linux systems at large organizations with multiple users having access to sensitive data.

Configuring PAM for User Activity Logging

Installing the Necessary Packages

Before configuring PAM for user activity logging, install the required packages. The two essential packages are audit and audit-libs. These can be installed using the package manager of your Linux distribution.

For CentOS/RHEL systems

sudo yum install -y audit audit-libs

For Ubuntu/Debian systems

sudo apt-get install auditd audispd-plugins

Editing the /etc/pam.d/system-auth File

The configuration for PAM is found in the /etc/pam.d/ directory on most Linux distributions. On CentOS/RHEL the file to edit is system-auth, which holds the authentication rules applied to system-wide services such as login and sudo; on Ubuntu/Debian the equivalent session stack lives in /etc/pam.d/common-session, so add the line there instead.

To add user activity logging, open /etc/pam.d/system-auth using your preferred text editor and add the following line in the session section

session required pam_tty_audit.so enable=*

This enables TTY auditing for every session opened through this PAM stack: the keystrokes typed on the user's terminal are recorded by auditd as TTY records. With enable=* this applies to all users, including root, so expect a noticeable increase in audit log volume; pam_tty_audit also accepts a user list (for example enable=root) if you want to narrow it.

Adding Audit Rules

We also need to modify the Auditd configuration files. Open /etc/audit/audit.rules with a text editor and add these lines at the end. Note that on auditd 3.x systems that use augenrules, /etc/audit/audit.rules is regenerated from the files in /etc/audit/rules.d/ and direct edits are overwritten; on such systems put the same lines in a file of your choosing under /etc/audit/rules.d/ instead.

## Log commands executed as root (uid=0) by sessions whose login uid is not root (auid!=0), e.g. via sudo or su
-a always,exit -F arch=b64 -S execve -F uid=0 -F auid!=0 -k root_activity
-a always,exit -F arch=b32 -S execve -F uid=0 -F auid!=0 -k root_activity

## Log user login/logout activity
-w /var/run/faillock/ -p wa -k logins
-w /var/log/tallylog -p wa -k logins

The first two rules log every execve performed as root by a user who logged in under a different account (the typical sudo or su case), on both 64-bit and 32-bit syscall ABIs; the two watch rules record writes to the files that track failed logins and lockouts. After these modifications, save the file and restart the auditd service. On RHEL-family systems the auditd unit refuses manual restarts through systemctl; use service auditd restart, or reload the rules with augenrules --load, if the command below is refused.

sudo systemctl restart auditd.service

Configuring Auditd for User Activity Logging

Editing the /etc/audit/audit.rules File

After installing the audit package, we need to configure its rules file. By default, it logs only a few events like system start-up and shutdown activities. You can add more rules by editing the /etc/audit/audit.rules file to include custom rules for logging user activities.

sudo nano /etc/audit/audit.rules

Adding Rules to Log User Activity

There are various options available in Auditd for logging user activities such as users logging in or out of a system, executing commands with sudo privileges and more. We can add these rules by adding specific lines in our audit.rules file.

For example, to log all commands executed using sudo access rights

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-commands

To monitor file access in sensitive directories

-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege_escalation

The above lines generate a log record every time someone executes the "sudo" command from a regular login account, or modifies the critical files listed. You can add further rules to suit your requirements, such as monitoring changes to other critical files or directories, or monitoring failed login attempts.

Testing User Activity Logging

Once PAM and Auditd have been properly configured to log user activity, it is important to test the logging to ensure that it is functioning correctly.

Creating Test Users and Activities

The first step in testing user activity logging is to create test users and perform various activities on the system as these users. To create a test user

sudo useradd -m testuser1
sudo passwd testuser1

After creating a test user, switch to that user account using su or sudo, then perform various activities such as opening files, running commands, or modifying system settings.

Checking Logs to Ensure Successful Logging

After performing various activities as different users on the system, check whether PAM and Auditd logged these actions correctly. Use the following commands

# View audit records for a specific user
sudo ausearch -ua testuser1

# View TTY audit logs
sudo aureport --tty

# Search for specific events
sudo ausearch -k privileged-commands

You can also view logs using journalctl or examine the raw audit log at /var/log/audit/audit.log. Reviewing logs in this way can help identify any errors or gaps in logging.
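As an added example (not part of the original tutorial), the following Python script parses raw /var/log/audit/audit.log records of the kind the rules above produce and joins them into events, so you can confirm that a sudo invocation, the command run as root behind it, and the pam_tty_audit keystrokes were all captured. The log lines embedded in it are constructed and abbreviated, not real captures; it assumes only the standard audit record format.

```python
import re

# Constructed sample of /var/log/audit/audit.log records (abbreviated; real SYSCALL
# records carry more fields). They mimic a sudo execution (key privileged-commands),
# the command then run as root by a non-root login (key root_activity), and a TTY record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1710000000.100:4566): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=1000 uid=1000 gid=1000 euid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="privileged-commands"
type=EXECVE msg=audit(1710000000.100:4566): argc=3 a0="sudo" a1="cat" a2="/etc/shadow"
type=SYSCALL msg=audit(1710000000.123:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1202 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="root_activity"
type=EXECVE msg=audit(1710000000.123:4567): argc=2 a0="cat" a1="/etc/shadow"
type=TTY msg=audit(1710000005.000:4570): tty pid=1200 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="bash" data=6C73202D6C0D
"""

HEAD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(body):
    """Turn 'k=v k="v" ...' into a dict, dropping the surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def group_events(text):
    """Records sharing one msg=audit(ts:serial) stamp belong to one event;
    index them by serial so the SYSCALL and EXECVE halves can be joined."""
    events = {}
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        events.setdefault(int(serial), {"ts": float(ts)})[rtype] = parse_fields(body)
    return events

def commands(events, key):
    """(auid, uid, argv) for every execve event tagged with the given -k key.
    auid is the login user; uid is the user the command actually ran as."""
    out = []
    for serial in sorted(events):
        sc, ex = events[serial].get("SYSCALL"), events[serial].get("EXECVE")
        if not sc or not ex or sc.get("key") != key:
            continue
        argv = [ex[f"a{i}"] for i in range(int(ex["argc"]))]
        out.append((int(sc["auid"]), int(sc["uid"]), " ".join(argv)))
    return out

def tty_keystrokes(events):
    """Decode the hex 'data' field of TTY records written by pam_tty_audit."""
    return [(int(ev["TTY"]["auid"]), bytes.fromhex(ev["TTY"]["data"]).decode("ascii", "replace"))
            for _, ev in sorted(events.items()) if "TTY" in ev]
```

Point it at a real audit.log (for example group_events(open("/var/log/audit/audit.log").read())) and compare commands(evs, "root_activity") against what you typed as the test user; an empty list means the rule or PAM line did not take effect.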

Key Configuration Points

Component       Configuration File        Purpose
PAM             /etc/pam.d/system-auth    Enable TTY audit logging for sessions
Auditd Rules    /etc/audit/audit.rules    Define what activities to monitor and log
Audit Service   systemctl                 Control the audit daemon service

Common Use Cases

  • Compliance Requirements: Meeting regulatory standards like PCI-DSS, HIPAA, or SOX

  • Security Monitoring: Tracking privileged user activities and detecting suspicious behavior

  • Forensic Analysis: Investigating security incidents and unauthorized access attempts

  • Change Management: Monitoring modifications to critical system files and configurations

Conclusion

Properly configuring PAM with Auditd provides comprehensive user activity logging essential for maintaining system security. The combination of PAM's authentication framework and Auditd's detailed logging capabilities creates a robust auditing solution. Regular testing and monitoring of these logs ensures that your system maintains high security standards and compliance requirements.

Updated on: 2026-03-17T09:01:38+05:30

