Problems in using auditbeat to collect user commands

HI,
About collecting user commands.
I have thought of two solutions; if there is any misunderstanding, please correct it.
First, we can use pam_tty_audit and configure the system-auth PAM configuration file to enable TTY auditing. But there's one bad thing: the records of non-root users are written to the buffer, and they will not appear in a record until the buffer is full or the session exits. We can't view the records uploaded to ES very well, because it belongs to the TTY.
Second, we can use the audit rule "-a always,exit -F arch=b64 -S execve,execveat -k exec". But there's one bad thing: audit will miss shell built-ins (alias, echo).
I also thought of using bash's environment variables to record all the commands used by users, but we imagine that if an attacker bypasses the environment variables or does not use bash, it will not be recorded.
Do you have any solutions to the above problems? Or other schemes to record all user commands?

CentOS 7.8, auditbeat 7.5.1, kernel 3.10.0
