
I wanted to monitor all the modifications made to a file on a Linux server.

On doing some research I found the audit tool, which I have installed and configured using the following commands:

yum install audit # installation
/etc/init.d/auditd start # started service
auditctl -w /root/file-name -p war -k password-file # configured rule to audit file 
ausearch -f /root/file-name # Command to search modifications

It recorded all the modifications made to that specific file.

Everything was good until I came across the following.

Case 1: I deleted the file which I am monitoring with audit from the server using the following command:

rm -rf /root/file-name

It was recorded as follows:
type=SYSCALL msg=audit(1540222267.321:1057): arch=c000003e syscall=2 success=yes exit=3 a0=7ffe22abf91a a1=941 a2=1b6 a3=7ffe22abed70 items=2 ppid=21053 pid=42458 auid=14628 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="touch" exe="/bin/rm" key="password-file"

Case 2: I deleted the file from a remote server using the following command:

ssh cl14470 "echo 'rm -rf /root/chaithu'|sudo su - root"

It was recorded as follows:
type=SYSCALL msg=audit(1540222588.196:1118): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=ce70c0 a2=0 a3=7fff52a6af40 items=2 ppid=42520 pid=42533 auid=14628 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm="rm" exe="/bin/rm" key="password-file"

Now the point which confuses me is why tty is recorded as (none) when I executed the command remotely.

I have searched the web regarding this but unfortunately I was not able to find anything which clears up my confusion.

Could someone explain to me why it was recorded as tty=(none) in case 2?

1 Answer

Because that's how the command was executed: without any controlling tty.

You haven't passed the -t option to ssh, and ssh does not allocate a pseudo-terminal by default when it is called with a command argument, as in your case (ssh cl14470 "echo ...").

This is the default behavior as described in the ssh(1) manpage:

When the user's identity has been accepted by the server, the server either executes the given command in a non-interactive session or, if no command has been specified, logs into the machine and gives the user a normal shell as an interactive session. All communication with the remote command or shell will be automatically encrypted.

If an interactive session is requested ssh by default will only request a pseudo-terminal (pty) for interactive sessions when the client has one. The flags -T and -t can be used to override this behaviour.

So ssh will only allocate a pseudo-terminal on the remote machine by default if a) it is run with no 'command' argument(s) and b) the stdin of the ssh client on the local machine is a tty.

The -t option is forcing ssh to allocate a pseudo-tty, and the -T option is forcing it to not allocate one, irrespective of other factors.
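The two records in the question differ in more than tty. Below is an added example (my own code, not part of the question or the answer) that parses audit SYSCALL records and pulls out what a responder checks first: whether there was a controlling tty, what the syscall actually was, whether the login uid (auid, which survives su and sudo) matches the acting uid, and whether comm agrees with exe. The two sample records are copied from the question; the syscall table is the x86_64 subset (arch=c000003e) for file create, rename and delete, and 4294967295 is the kernel's "unset" auid.

```python
"""Triage Linux audit SYSCALL records: who acted, from where, and how.

Added example, not taken from the original question or answer. It parses the
two records posted in the question (embedded below as sample input), decodes
the x86_64 syscall number, and flags the fields worth a second look.
"""
import os
import re
from typing import Dict, List

# Sample input: the two SYSCALL records from the question, verbatim.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1540222267.321:1057): arch=c000003e syscall=2 success=yes exit=3 '
    'a0=7ffe22abf91a a1=941 a2=1b6 a3=7ffe22abed70 items=2 ppid=21053 pid=42458 auid=14628 '
    'uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="touch" '
    'exe="/bin/rm" key="password-file"',
    'type=SYSCALL msg=audit(1540222588.196:1118): arch=c000003e syscall=263 success=yes exit=0 '
    'a0=ffffffffffffff9c a1=ce70c0 a2=0 a3=7fff52a6af40 items=2 ppid=42520 pid=42533 auid=14628 '
    'uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm="rm" '
    'exe="/bin/rm" key="password-file"',
]

# Subset of the x86_64 syscall table (arch=c000003e) for file create/modify/remove.
X86_64_SYSCALLS = {
    2: "open", 82: "rename", 87: "unlink", 257: "openat", 263: "unlinkat", 264: "renameat",
}

# auid=-1 as an unsigned 32-bit value: the process is not tied to any login session.
UNSET_AUID = "4294967295"

# key=value pairs; values may be "quoted", (none)-style, or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_syscall_record(line: str) -> Dict[str, str]:
    """Split one audit line into a dict; quoted values are unwrapped."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(fields.get("msg", ""))
    if m:
        fields["timestamp"], fields["serial"] = m.group(1), m.group(2)
    if fields.get("arch") == "c000003e" and "syscall" in fields:
        num = int(fields["syscall"])
        fields["syscall_name"] = X86_64_SYSCALLS.get(num, "syscall_%d" % num)
    return fields


def triage(rec: Dict[str, str]) -> List[str]:
    """Return human-readable findings about a parsed SYSCALL record."""
    findings: List[str] = []
    if rec.get("tty") == "(none)":
        findings.append("no controlling tty: script, cron, or 'ssh host cmd' run without -t")
    else:
        findings.append("interactive session on %s" % rec.get("tty"))
    auid, uid = rec.get("auid"), rec.get("uid")
    if auid == UNSET_AUID:
        findings.append("auid unset: not attributable to a login session")
    elif auid != uid:
        findings.append("login uid %s acting as uid %s (su/sudo)" % (auid, uid))
    # comm is the task name, exe the resolved binary; they normally agree.
    if os.path.basename(rec.get("exe", "")) != rec.get("comm"):
        findings.append("comm %r does not match exe %r" % (rec.get("comm"), rec.get("exe")))
    return findings


def triage_records(lines: List[str]) -> List[Dict[str, object]]:
    """Parse and triage a list of raw audit lines."""
    out = []
    for line in lines:
        rec = parse_syscall_record(line)
        out.append({"serial": rec.get("serial"), "syscall": rec.get("syscall_name"),
                    "key": rec.get("key"), "findings": triage(rec)})
    return out


if __name__ == "__main__":
    for item in triage_records(SAMPLE_RECORDS):
        print("serial %s %s key=%s" % (item["serial"], item["syscall"], item["key"]))
        for f in item["findings"]:
            print("  -", f)
```

Run against the question's records this reports that the second deletion was unlinkat from a session with no tty, by login uid 14628 acting as root, which is exactly the ssh-without-a-pty plus sudo su path in the question. In practice the same decoding is available from the tool itself with ausearch -k password-file -i, which prints syscall names and resolves uids; the parser above is useful when the raw lines have already been shipped to a log pipeline.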
