Linux Auditing System (auditd)
- Available for:
You can configure Teleport's SSH Service to integrate with the Linux Auditing System (auditd).
- A running Teleport Node. See the Server Access Getting Started Guide for how to add a Node to your Teleport cluster. On the Node,
teleportmust be running as a systemd service with root permissions.
- Linux kernel 2.6.6+ compiled with
CONFIG_AUDIT. Most Linux distributions have this option enabled by default.
auditctlto check auditd status (optional).
- To check that you can connect to your Teleport cluster, sign in with
tsh login, then verify that you can run
tctlcommands using your current credentials.
tctlis supported on macOS and Linux machines. For example:If you can connect to the cluster and run thetsh login --proxy=teleport.example.com --user=[email protected]tctl status
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
tctl statuscommand, you can use your current credentials to run subsequent
tctlcommands from your workstation. If you host your own Teleport cluster, you can also run
tctlcommands on the computer that hosts the Teleport Auth Service for full permissions.
Teleport automatically sends auditd events when it discovers that auditd is enabled in the system.
You can verify that by calling
auditctl -s as root.
Here is an example output from that command:
$ sudo auditctl -s
loginuid_immutable 0 unlocked
The first line
enabled 1 indicates that auditd is enabled, and Teleport will send events.
All events are generated on a Teleport Node.
invalid user events are also generated on the Proxy Service when a Teleport user fails to authenticate.
It's important to run Teleport as a system service (systemd service, for example) with root permissions. Otherwise, Teleport won't send any events to auditd due to lack of permissions.
Make sure that the Teleport process has its login UID unset. Otherwise, a session ID won't be set correctly in the emitted events.
You can verify that by calling
cat /proc/$(pidof teleport)/loginuid. The value should be set to 4294967295.
Auditd can generate additional events when PAM (Pluggable Authentication Modules) is enabled. To enable the PAM integration
in Teleport, add the following
pam section to the configuration file on your Teleport Node (
/etc/teleport.yaml by default):
# Enabled SSH Service
# Enable PAM integration
# "no" by default
# use /etc/pam.d/sshd configuration (the default)
PAM-generated events depend on your
sshd configuration when the integration is enabled. Most system generates events
USER_START. Additionally, TTY input can be logged by enabling the
For more details please refer to PAM or your operating system documentation.
When PAM integration is enabled, auditd events should closely match events generated by OpenSSH.
There are a few ways to trace SSH sessions in Teleport. To interact with auditd events, we will use
If your system is missing that tool, consult your distribution documentation to check how to install it.
You can search events when logging in as a system user by using the
You can check the UID of a user by using the
$ id bob
uid=1000(bob) gid=1000(bob) groups=1000(bob)
Then you can use
uid to search auditd logs:
ausearch -ua 1000 -m USER_LOGIN
Events sent to auditd by Teleport are augmented by the
teleportUser field, which contains the name of the Teleport user.
ausearch doesn't let you search by custom fields, but you can use
grep for that:
ausearch -m USER_LOGIN | grep teleportUser=bob
If you want to find all events generated by a specific session, first, you need to find the session ID. You can do that by using:
ausearch -m USER_LOGIN -x teleport --just-one
Then search events only related to that one session:
ausearch --session 42