How to Configure PAM to Audit Logging Shell User Activity?


Introduction

In today's digital age, security is of utmost importance. The rise of cyber threats and data breaches has shown that no system is completely safe. System administrators and IT professionals must take proactive measures to protect their systems and data.

One such measure is the use of Pluggable Authentication Modules (PAM) for user authentication. PAM is a powerful tool that allows system administrators to customize the authentication process for their systems.

It enables the use of multiple authentication methods, such as passwords, tokens, and biometrics, among others. This flexibility makes it easier for administrators to manage access controls and ensure that only authorized users can access sensitive data.

Understanding PAM and Auditd

Explanation of PAM (Pluggable Authentication Modules)

PAM, or Pluggable Authentication Modules, is a security feature in most Linux systems that allows administrators to configure how users authenticate. With PAM, admins can set authentication rules for specific applications, services or system components. This adds an extra layer of security to the system by letting admins control how users log in and access resources.

Overview of Auditd (Audit daemon)

Auditd is the audit daemon which runs on Linux systems to monitor various events happening on the system. It logs a range of events including kernel events, application logs and system calls. The audit daemon provides detailed information about user activity on the system, including who performed what actions and when they did it.

How PAM and Auditd work together for user activity logging

PAM and Auditd work together to provide a comprehensive solution for user activity logging. When a user logs in through PAM, the login generates authentication and session events that Auditd records. Together with the audit rules added below, these records show who logged in, what they did while logged in and when they logged out.

By combining these two tools, administrators can track all user activity on the system and be alerted to any suspicious behavior. Understanding how the two fit together is the basis of security auditing on Linux systems in large organizations, where many users have access to sensitive data.

Configuring PAM for User Activity Logging

Installing the necessary packages

Before configuring PAM for user activity logging, it is necessary to install the required packages. The two essential packages are 'audit' and 'audit-libs'. These can be installed using the package manager of your Linux distribution.

For example, in CentOS, you can install these packages using the command `sudo yum install -y audit audit-libs`. Make sure that both of these packages are installed before proceeding with the next steps.

Editing the /etc/pam.d/system-auth file

The configuration for PAM is found in the `/etc/pam.d/` directory on most Linux distributions. The file we need to edit is 'system-auth'. This file contains the authentication rules that are applied to system-wide services such as login and sudo.

To add user activity logging, we need to add a rule for it. Open `/etc/pam.d/system-auth` using your preferred text editor.

Locate the line that starts with `auth`, and add `required pam_tty_audit.so enable=always` at the end of this line. This will ensure that every successful authentication will be logged by auditd.

Adding audit rules to the file

We also need to modify some settings in Auditd configuration files so that it logs all user activities appropriately. Open `/etc/audit/audit.rules` with a text editor and add these lines at the end −

## Log all commands run by users.
-a always,exit -F arch=b64 -S execve -F uid=0 -F auid!=0 -k root_activity
-a always,exit -F arch=b32 -S execve -F uid=0 -F auid!=0 -k root_activity
## Log user login/logout activity.
-w /var/run/faillock/ -p wa -k logins
-w /var/log/tallylog -p wa -k logins

These rules log commands run by users (the two execve rules, one for 64-bit and one for 32-bit binaries, each tagged with the key root_activity) and user login/logout activity (the two watch rules, tagged with the key logins). After these modifications, save the file and exit the text editor.

The auditd service must be restarted for these settings to take effect. You can do this using the command `sudo systemctl restart auditd.service`.

Now we have successfully configured PAM for user activity logging. In the next section, we will configure Auditd for user activity logging.

Configuring Auditd for User Activity Logging

Installing the necessary packages

Before configuring Auditd, we need to install the necessary packages. How they are installed depends on your distribution.

In CentOS and RHEL, use the following command −

sudo yum install audit   

In Ubuntu/Debian systems, you can use the following command −

sudo apt-get install auditd   

Editing the /etc/audit/audit.rules file

After installing the audit package, we need to configure its rules file. By default, it logs only a few events like system start-up and shutdown activities. You can add more rules by editing the /etc/audit/audit.rules file to include custom rules for logging user activities.

To edit this file, run −

sudo nano /etc/audit/audit.rules    

Adding rules to log user activity

There are various options available in Auditd for logging user activities such as users logging in or out of a system, executing commands with sudo privileges and more. We can add these rules by adding specific lines in our audit.rules file.

For example, if we want to log all commands executed using sudo access rights we will add a rule as follows −

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-commands    

The above line generates a log record every time someone executes the "sudo" command. Similarly, you can add other rules as required, such as monitoring changes made to critical files or directories, or monitoring failed login attempts.

Configuring Auditd is just one part of configuring PAM for auditing shell user activity; however, it is an essential part of the process.

By following the steps outlined above, you can ensure that your system logs all necessary user activities. Keep in mind that carefully configuring PAM and Auditd is crucial for monitoring user activity and maintaining a secure system.

Testing User Activity Logging

Once PAM and Auditd have been properly configured to log user activity, it is important to test the logging to ensure that it is functioning correctly. This section will cover the step-by-step process of creating test users and activities and checking logs to ensure successful logging.

Creating Test Users and Activities

The first step in testing user activity logging is to create test users and perform various activities on the system as these users. This process will allow you to see how PAM and Auditd log various actions performed by different users on the system.

To create a test user, use the 'useradd' command followed by a username of your choice. For example −

$ sudo useradd -m testuser1   

After creating a test user, switch to that user account using 'su' or 'sudo', then perform various activities such as opening files, running commands, or modifying system settings.

Checking Logs to Ensure Successful Logging

After performing various activities as different users on the system, it's time to check whether PAM and Auditd logged these actions correctly. Use the following command −

$ sudo ausearch -ua <username>  

This command will display all audit records associated with a specific username. In addition, you can also view logs using 'journalctl' or a text editor such as 'nano'. Reviewing logs in this way can help identify any errors or gaps in logging.
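As an added example that is not part of the original article, the POSIX shell function below does offline what `ausearch -k root_activity` does on the host: it joins the SYSCALL and EXECVE records of each audit event (they share the event id inside `msg=audit(...)`) and lists, for a given login uid (auid), the commands captured by the root_activity rules from the rules section. The raw audit.log lines and the function name are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of raw /var/log/audit/audit.log records (not from a real
# host). A SYSCALL record and its EXECVE record share one event id, the number
# after the colon in msg=audit(<time>:<id>). Event 202 carries a different key
# and must not be reported as root activity.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1689072000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=4001 pid=4002 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="root_activity"
type=EXECVE msg=audit(1689072000.101:201): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1689072000.105:202): arch=c000003e syscall=59 success=yes exit=0 ppid=4001 pid=4003 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="user_cmds"
type=EXECVE msg=audit(1689072000.105:202): argc=1 a0="ls"
type=SYSCALL msg=audit(1689072000.110:203): arch=c000003e syscall=59 success=yes exit=0 ppid=4001 pid=4004 auid=1001 uid=0 gid=0 euid=0 tty=pts1 ses=4 comm="useradd" exe="/usr/sbin/useradd" key="root_activity"
type=EXECVE msg=audit(1689072000.110:203): argc=3 a0="useradd" a1="-m" a2="testuser1"'

# root_commands_by <auid>: print one line per execve event tagged
# key="root_activity" whose login uid matches, as "<event id> auid=<n> <argv...>".
root_commands_by() {
  want_auid="$1"
  printf '%s\n' "$SAMPLE_AUDIT_LOG" | awk -v want="$want_auid" '
    {
      # Extract the event id so SYSCALL and EXECVE records can be joined.
      match($0, /msg=audit\([0-9.]+:[0-9]+\)/)
      id = substr($0, RSTART, RLENGTH); sub(/.*:/, "", id); sub(/\)/, "", id)
    }
    $1 == "type=SYSCALL" && /key="root_activity"/ {
      # Remember the event if its auid (login uid) is the one asked for.
      for (i = 1; i <= NF; i++)
        if ($i ~ /^auid=/) { split($i, kv, "="); if (kv[2] == want) wanted[id] = 1 }
    }
    $1 == "type=EXECVE" && (id in wanted) {
      # Rebuild argv from the a0, a1, ... fields of the EXECVE record.
      argv = ""
      for (i = 1; i <= NF; i++)
        if ($i ~ /^a[0-9]+=/) { v = $i; sub(/^a[0-9]+=/, "", v); gsub(/"/, "", v); argv = argv " " v }
      print id " auid=" want argv
    }'
}

# Example run: commands executed as root by the user whose login uid is 1000.
root_commands_by 1000
```

On a real host the same join is what `ausearch -i -k root_activity` performs, with uids resolved to names.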

Conclusion

Properly configuring PAM for user activity logging is crucial for maintaining high-security standards. As we discussed, PAM provides an excellent way to secure our system, and when combined with Auditd, it can record every activity of a shell user.

In this article, we have learned how to configure PAM for user activity logging and how to configure Auditd for the same purpose. We also looked at how we can test if our settings are working correctly.

Updated on: 11-Jul-2023
