Not getting TTY translations in Auditbeat 6.7

Hello!

I'm trying to get auditbeat to translate my TTY. I have the basics set up properly and I'm, for now, using the default rules that come out of the box with auditbeat.

My /etc/pam.d/common-session file ends with

session   required pam_tty_audit.so enable=*

What I'd like to see is something along the lines of what /var/log/audit.log spits out:

type=TTY msg=audit(1563826068.496:30191): tty pid=22321 uid=0 auid=1059801645 ses=17 major=136 minor=1 comm="vim" data=1B5B323B32521B5B3E303B39353B30636A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6B6B6B6B6B6B6B6B6B6B6B6B3A710D

It seems like this is doable as another user had a somewhat-related question last year:

Specifically this line:

"data": "y\n", # <- KEYSTROKES HERE

I cannot seem to get this in any of my fields. I'm happy to post my rules but they are simply the default ones that come with Auditbeat.

Would love any help/suggestions.

FWIW I'm using AWS Elasticsearch 6.7
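As an added example (not from the original post and not Auditbeat's own code), here is a small parser for the `type=TTY` record quoted above: it splits the record into fields and hex-decodes `data=` into the keystrokes, which is the "translation" being asked about. The second record is constructed for illustration and shows the simple "y" plus Enter case.

```python
import re
from typing import Dict

# Record copied from the post above (auditd /var/log/audit/audit.log format).
PAGE_TTY_RECORD = (
    'type=TTY msg=audit(1563826068.496:30191): tty pid=22321 uid=0 '
    'auid=1059801645 ses=17 major=136 minor=1 comm="vim" '
    'data=1B5B323B32521B5B3E303B39353B30636A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6B6B6B6B6B6B6B6B6B6B6B6B3A710D'
)

# Constructed record (not from the page): a user typing "y" then Enter in bash.
CONSTRUCTED_TTY_RECORD = (
    'type=TTY msg=audit(1563826100.000:30192): tty pid=22400 uid=1000 '
    'auid=1000 ses=18 major=136 minor=2 comm="bash" data=790A'
)

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
_MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')   # audit(EPOCH.MS:SERIAL)


def decode_tty_data(hex_data: str) -> str:
    """Turn the hex-encoded data= field into the raw keystrokes it records."""
    return bytes.fromhex(hex_data).decode('latin-1')


def printable(keystrokes: str) -> str:
    """Render control bytes (ESC, CR, LF, ...) as \\xNN so a log line stays readable."""
    return ''.join(c if 0x20 <= ord(c) < 0x7f else f'\\x{ord(c):02x}' for c in keystrokes)


def parse_tty_record(line: str) -> Dict[str, str]:
    """Parse one type=TTY line into a dict; 'keystrokes' holds the decoded data= field."""
    if not line.startswith('type=TTY '):
        raise ValueError('not a TTY record: ' + line[:40])
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    m = _MSG_RE.match(fields.get('msg', ''))
    if not m or 'data' not in fields:
        raise ValueError('malformed TTY record')
    fields['timestamp'], fields['sequence'] = m.group(1), m.group(2)
    fields['keystrokes'] = decode_tty_data(fields['data'])
    return fields


if __name__ == '__main__':
    for rec in (PAGE_TTY_RECORD, CONSTRUCTED_TTY_RECORD):
        r = parse_tty_record(rec)
        print(f"{r['timestamp']} pid={r['pid']} auid={r['auid']} comm={r['comm']} "
              f"keys={printable(r['keystrokes'])}")
```

The vim record decodes to terminal response sequences (`ESC[2;2R`, `ESC[>0;95;0c`) followed by the cursor keys and `:q` plus Enter, so the `data` field really is raw keystrokes, not a command line.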

Can you confirm that you see the keystrokes in:

# aureport --tty

If not, then there's a misconfiguration in your tty logging setup.

I wasn't aware that auditd had to be installed on the instance running auditbeat in order to get TTY translation working.

That being said, there are loads of entries when running that command. I don't see any of them reflected in my Elasticsearch cluster via Kibana.
