I would like to audit users' shell activity using Auditbeat and the auditd module integration, by looking at TTY logs. I have followed every possible doc and can't get it up and running.
I can see executions, but can't see the actual TTY.
I'm running Auditbeat in Kubernetes, over AWS EKS, using the official Helm chart.
I have a minimal configuration file:
image:
  repository: docker.elastic.co/beats/auditbeat
  tag: 6.7.0
  pullPolicy: IfNotPresent
config:
  auditbeat.modules:
    - module: auditd
      rate_limit: 0
      backlog_limit: 8196
      audit_rules: |
        -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
        -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
        -a exit,always -F arch=b64 -F euid>=1 -S execve -k useract
        -a exit,always -F arch=b32 -F euid>=1 -S execve -k useract
  processors:
    - add_cloud_metadata:
  output.file:
    path: "/usr/share/auditbeat/data"
    filename: auditbeat
    rotate_every_kb: 10000
    number_of_files: 5
I have also added session required pam_tty_audit.so enable=* to both /etc/pam.d/password-auth and /etc/pam.d/system-auth.
I'm auditing the outcome by tailing /usr/share/auditbeat/data/auditbeat; it has the logs for the executions but none for the TTY.
I have also tried running aureport --tty, but it returns:
TTY Report
===============================================
# date time event auid term sess comm data
===============================================
<no events of interest were found>
The auditd service has been stopped using sudo service auditd stop (and anyway we can see other logs by tailing the auditbeat file, so it's probably not the issue).
Anything I'm missing? What am I doing wrong?
I have already gone through:
- Not getting TTY translations in Auditbeat 6.7
- Dec 2nd, 2019: [EN][Auditbeat] Monitoring Linux Command Execution
Thanks
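An added example, not from the original post or from Auditbeat: a small Python parser for the type=TTY records that pam_tty_audit emits (the records aureport --tty summarises), so a raw audit log can be checked directly for whether any keystroke data is being captured at all. The sample record below and all its values are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of a type=TTY record as written by the kernel when
# pam_tty_audit is active; the field layout follows the kernel's TTY audit
# format, the values (pid, uid, serial, keystrokes) are made up.
SAMPLE_TTY_RECORD = (
    'type=TTY msg=audit(1575292453.120:4567): tty pid=2048 uid=1000 '
    'auid=1000 ses=3 major=136 minor=0 comm="bash" data=6C73202D6C610D'
)

_RECORD_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): tty (?P<fields>.*)$'
)
# key=value pairs; values are either a double-quoted string or a bare token
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def decode_tty_data(hexdata: str) -> str:
    """data= holds the raw typed bytes, hex-encoded; CR (0x0D) is Enter."""
    raw = bytes.fromhex(hexdata)
    return raw.decode("latin-1").replace("\r", "\n")


def parse_tty_record(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit line; return None if it is not a type=TTY record."""
    m = _RECORD_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
    }
    for key, val in _FIELD_RE.findall(m.group("fields")):
        if key == "data":
            rec["keystrokes"] = decode_tty_data(val)
        elif key == "comm":
            rec["comm"] = val.strip('"')
        else:
            rec[key] = int(val)          # pid, uid, auid, ses, major, minor
    return rec


def tty_records(lines: List[str]) -> List[Dict[str, object]]:
    """Filter a log to its TTY records; an empty result on a box where
    pam_tty_audit was configured means the module is not taking effect."""
    parsed = (parse_tty_record(line) for line in lines)
    return [rec for rec in parsed if rec is not None]
```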