I would like to audit users shell activity using AuditBeat and the auditd module integration, by looking at TTY logs. I have followed every possible doc and can't get it up and running.
I can see executions, but can't see the actual TTY.
I'm running AuditBeat in Kubernetes, over AWS EKS. Using the official helm chart.
I have minimal configuration file:
```yaml
image:
  repository: docker.elastic.co/beats/auditbeat
  tag: 6.7.0
  pullPolicy: IfNotPresent
config:
  auditbeat.modules:
    - module: auditd
      rate_limit: 0
      backlog_limit: 8196
      audit_rules: |
        -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
        -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
        -a exit,always -F arch=b64 -F euid>=1 -S execve -k useract
        -a exit,always -F arch=b32 -F euid>=1 -S execve -k useract
  processors:
    - add_cloud_metadata:
  output.file:
    path: "/usr/share/auditbeat/data"
    filename: auditbeat
    rotate_every_kb: 10000
    number_of_files: 5
```
I have also added `session required pam_tty_audit.so enable=*` to both
I'm auditing the outcome by tailing `/usr/share/auditbeat/data/auditbeat`; it has the logs for the executions but none for the TTY.
I have also tried running `aureport --tty` but it returns

```
TTY Report
===============================================
# date time event auid term sess comm data
===============================================
<no events of interest were found>
```
auditd service has been stopped using `sudo service auditd stop` (and anyway we can see other logs by tailing for auditbeat, so it's probably not the issue)
Anything I'm missing? What am I doing wrong?
Have already gone through:
- Not getting TTY translations in Auditbeat 6.7
- Dec 2nd, 2019: [EN][Auditbeat] Monitoring Linux Command Execution
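For readers checking whether TTY auditing is actually producing records, the following decoder shows what a `type=TTY` record looks like once `pam_tty_audit` is working and how to turn it back into readable keystrokes. This is an added example, not code from the post, from Auditbeat or from auditd: it assumes the standard auditd TTY record layout (space-separated `key=value` fields, with the typed bytes hex-encoded in the `data=` field), and the sample records below are constructed, not captured from a real host. It groups records by login uid (`auid`) and session id (`ses`), so a shell that has become uid 0 via `sudo` or `su` is still attributed to the user who logged in.

```python
"""Decode auditd type=TTY records (as emitted with pam_tty_audit enabled) into
readable per-session keystroke streams.  Added example; record layout and
sample lines are assumptions based on the documented auditd TTY record format."""
import re
from collections import OrderedDict

# Constructed sample records (not real captures).  Two TTY records from one
# login session, one unrelated SYSCALL record, and a TTY record from a second
# session where the shell already runs as uid 0 while auid is still 1000.
SAMPLE_RECORDS = [
    'type=TTY msg=audit(1575280000.101:1001): tty pid=4242 uid=1000 auid=1000 '
    'ses=3 major=136 minor=0 comm="bash" data=6C73202D6C610D',
    'type=TTY msg=audit(1575280002.204:1002): tty pid=4242 uid=1000 auid=1000 '
    'ses=3 major=136 minor=0 comm="bash" data=7375646F2069640D',
    'type=SYSCALL msg=audit(1575280002.300:1003): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=4242 pid=4300 auid=1000 uid=1000 comm="id"',
    'type=TTY msg=audit(1575280005.010:1004): tty pid=5151 uid=0 auid=1000 '
    'ses=4 major=136 minor=1 comm="bash" data=6578697403',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp and serial
LINE_END_RE = re.compile(r'<ret>|<nl>')

# Control bytes rendered in the same spirit as aureport's <nl>/<^C> notation.
CONTROL_NAMES = {
    0x03: '<^C>', 0x04: '<^D>', 0x09: '<tab>', 0x0a: '<nl>',
    0x0d: '<ret>', 0x1b: '<esc>', 0x7f: '<del>',
}


def decode_tty_data(hexdata):
    """Turn the hex-encoded data= field into printable text with named controls."""
    out = []
    for b in bytes.fromhex(hexdata):
        if b in CONTROL_NAMES:
            out.append(CONTROL_NAMES[b])
        elif 0x20 <= b < 0x7f:
            out.append(chr(b))
        else:
            out.append('<%02x>' % b)       # any other non-printable byte
    return ''.join(out)


def parse_tty_record(line):
    """Return a dict for a type=TTY record, or None for any other record type."""
    if not line.startswith('type=TTY '):
        return None
    m = MSG_RE.search(line)
    fields = dict(FIELD_RE.findall(line))
    return {
        'time': float(m.group(1)),
        'serial': int(m.group(2)),
        'pid': int(fields['pid']),
        'uid': int(fields['uid']),
        'auid': int(fields['auid']),       # login uid: survives sudo/su
        'ses': int(fields['ses']),         # audit session id
        'comm': fields['comm'].strip('"'),
        'keys': decode_tty_data(fields['data']),
    }


def reconstruct_sessions(lines):
    """Group TTY records by (auid, ses) and rebuild what each session typed."""
    sessions = OrderedDict()
    for line in lines:
        rec = parse_tty_record(line)
        if rec is None:
            continue
        key = (rec['auid'], rec['ses'])
        s = sessions.setdefault(key, {'keystrokes': '', 'uids': set(), 'comms': set()})
        s['keystrokes'] += rec['keys']
        s['uids'].add(rec['uid'])
        s['comms'].add(rec['comm'])
    for (auid, _ses), s in sessions.items():
        # Completed input lines; a trailing partial line is kept as typed so far.
        s['commands'] = [c for c in LINE_END_RE.split(s['keystrokes']) if c]
        # Worth surfacing: a shell running as uid 0 inside a non-root login session.
        s['uid0_under_unprivileged_auid'] = 0 in s['uids'] and auid != 0
    return sessions


if __name__ == '__main__':
    for (auid, ses), s in reconstruct_sessions(SAMPLE_RECORDS).items():
        flag = ' [uid 0 under auid %d]' % auid if s['uid0_under_unprivileged_auid'] else ''
        print('auid=%d ses=%d%s' % (auid, ses, flag))
        for cmd in s['commands']:
            print('    ' + cmd)
```

Point the same functions at `ausearch -m TTY --raw` output (or at the raw `message` strings Auditbeat stores for the `auditd` module) to see whether TTY records are arriving at all; if `parse_tty_record` never returns a record, the kernel is not emitting them and the problem is upstream of Auditbeat.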