To set up comprehensive session recording and shipping of logs using PAM and rsyslog on a Linux system, follow the steps below. They are a general guideline: the first part records sessions with tlog, the second adds auditd and rsyslog.
To record and store session logs using tlog:
Install Tlog:
Make sure tlog is installed on your system. You can typically install it using your system's package manager. For example, on Debian-based systems:
sudo apt-get install tlog
Create a Directory for Tlog Logs:
Create a directory to store the Tlog session logs. This should be a secure location with appropriate permissions.
sudo mkdir /var/log/tlog
sudo chown root:adm /var/log/tlog
sudo chmod 750 /var/log/tlog
Create or edit the Tlog configuration file. The configuration file for tlog is often located at /etc/tlog/tlog-rec-session.conf. Customize it to meet your requirements. Below is a simple example:
# /etc/tlog/tlog-rec-session.conf (the file is JSON; "writer" selects where recordings go)
{
    "writer": "file",
    "file": {
        "path": "/var/log/tlog/session.log"
    }
}
This configuration stores session recordings in the /var/log/tlog directory as JSON records. tlog's file writer does not template the path per user, but every record carries the user, session id and tty, so per-user views are obtained by filtering on those fields (or by using the journal writer and journalctl).
Restart Services:
Restart the sshd service to apply the PAM changes:
sudo systemctl restart sshd
Test the Configuration:
Log in to the system via SSH or locally and execute some commands. The session logs should now be recorded in the /var/log/tlog directory.
To prevent log files from growing indefinitely, set up log rotation for the Tlog logs in /etc/logrotate.d/tlog:
/var/log/tlog/*.log /var/log/tlog/*/*.log {
    weekly
    rotate 4
    compress
    # a session still writing to the rotated file keeps its descriptor; delay compression one cycle
    delaycompress
    missingok
    notifempty
}
Monitor and Secure the Logs:
Regularly monitor and secure the log files and directories to ensure they cannot be tampered with by unauthorized users.
Please note that the exact file paths and configuration options may vary depending on your Linux distribution and Tlog version. Always consult the documentation and configuration files specific to your system for the most accurate instructions.
Install the auditd package on your Linux system if it's not already installed. Configure auditd to record login sessions: create or edit your audit rules file and add rules similar to the following:
-a always,exit -F arch=b64 -S execve -C uid!=euid -k session
-a always,exit -F arch=b32 -S execve -C uid!=euid -k session
These rules log executed commands under the key "session". With the -C uid!=euid filter shown, only execve calls where the real and effective UID differ (setuid or otherwise privileged commands) are recorded; drop that filter if you want every command logged, at the cost of far more audit volume.
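Each execve matched by these rules produces a SYSCALL record and an EXECVE record sharing one msg=audit(timestamp:serial) id, and arguments containing spaces or control bytes are hex-encoded. The following parser, added here as an example and not part of the original page, joins the two records, decodes hex arguments and flags events where uid differs from euid; the sample records are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample records in the layout auditd writes for the execve rules
# above (key "session"); values are made up, not captured from a real host.
# a3 in the first event is audit's hex encoding of "id -u" (it contains a space).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1300 pid=1301 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=7 comm="sudo" exe="/usr/bin/sudo" key="session"
type=EXECVE msg=audit(1700000000.101:301): argc=4 a0="sudo" a1="sh" a2="-c" a3=6964202D75
type=SYSCALL msg=audit(1700000000.205:302): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1400 pid=1401 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=8 comm="passwd" exe="/usr/bin/passwd" key="session"
type=EXECVE msg=audit(1700000000.205:302): argc=1 a0="passwd"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")  # event id: timestamp:serial
ARG_RE = re.compile(r"a\d+$")                          # EXECVE argument keys a0, a1, ...


def parse_record(line):
    """Return (type, event_id, fields) for one audit record, or None."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, quoted, unquoted in FIELD_RE.findall(line):
        value = unquoted or quoted
        # Unquoted EXECVE args are hex-encoded (arg held a space, quote or control byte)
        if unquoted and ARG_RE.match(key) and line.startswith("type=EXECVE"):
            value = bytes.fromhex(unquoted).decode("utf-8", "replace")
        fields[key] = value
    return fields.get("type"), (float(m.group(1)), int(m.group(2))), fields


def reconstruct_commands(audit_text):
    """Join the SYSCALL and EXECVE records of each event into one command entry."""
    events = defaultdict(dict)
    for line in audit_text.splitlines():
        parsed = parse_record(line)
        if parsed:
            rtype, event_id, fields = parsed
            events[event_id][rtype] = fields
    commands = []
    for event_id in sorted(events):
        sc, ex = events[event_id].get("SYSCALL"), events[event_id].get("EXECVE")
        if not sc or not ex:
            continue  # incomplete event, e.g. cut off by log rotation
        argv = [ex.get(f"a{i}", "") for i in range(int(ex.get("argc", 0)))]
        commands.append({"ses": sc.get("ses"), "auid": sc.get("auid"), "uid": sc.get("uid"),
                         "euid": sc.get("euid"), "exe": sc.get("exe"), "argv": argv,
                         "privileged": sc.get("uid") != sc.get("euid")})
    return commands
```

Grouping the returned entries by "ses" gives the per-login-session command history the rules above are meant to provide; "auid" is the original login UID and survives sudo.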
Configure auditd logging to rsyslog:
Edit the auditd configuration and make sure the following parameter is set so auditd keeps writing its own log file:
write_logs = yes
Note that this parameter alone does not forward anything to rsyslog: auditd hands events to syslog through its audisp syslog plugin, which must be enabled (active = yes in the plugin's configuration) for the rsyslog rules below to see audit messages.
Install and Configure rsyslog:
Install rsyslog and configure it to receive logs from auditd. Add or modify lines like this:
$ModLoad imuxsock
$ModLoad imjournal
$ModLoad imklog
$ModLoad imfile
$InputFilePollInterval 10
$WorkDirectory /var/lib/rsyslog
# Send audit messages to a secure location; keep this separate from the file auditd itself writes
:programname, startswith, "auditd" -/var/log/audit/audit-syslog.log
# You can also forward logs to a remote syslog server if needed (single @ is UDP; use @@ for TCP)
*.* @remote-syslog-server:514
This configuration sends audit messages received via syslog to /var/log/audit/audit-syslog.log. Adjust the path to your desired secure location, but do not point rsyslog at /var/log/audit/audit.log, which auditd writes directly; two writers on one file produce interleaved or duplicated records.
Edit PAM configuration files such as /etc/pam.d/sshd for SSH or /etc/pam.d/login for local logins. Add or modify PAM rules to include session recording. You can use the pam_tlog.so module if available on your system or another suitable module depending on your requirements. Here's an example of a PAM configuration for SSH sessions:
# /etc/pam.d/sshd
session required pam_tlog.so
Ensure that the session recordings are written to a secure directory such as /var/log/tlog, with the ownership and permissions set as described above.
Restart Services:
Restart the auditd and rsyslog services to apply the changes:
sudo systemctl restart auditd
sudo systemctl restart rsyslog
Test the Configuration:
Log in to the system via SSH or locally and execute some commands. Check the /var/log/audit/audit.log file and the /var/log/tlog directory for recorded sessions. Please note that this is a basic setup, and the actual configuration may vary based on your specific requirements and the Linux distribution you are using. Additionally, ensure that your system's security policies and compliance requirements are met with this configuration.