Linux Auditing System (auditd)
You can configure Teleport's SSH Service to integrate with the Linux Auditing System (auditd).
To check version information, run the `tctl version` and `tsh version` commands:

```
$ tctl version
Teleport Enterprise v13.3.9 git:api/14.0.0-gd1e081e go1.21
$ tsh version
Teleport v13.3.9 go1.21
Proxy version: 13.3.9
Proxy: teleport.example.com
```
- A running Teleport Node. See the Server Access Getting Started Guide for how to add a Node to your Teleport cluster. On the Node, `teleport` must be running as a systemd service with root permissions.
- Linux kernel 2.6.6+ compiled with `CONFIG_AUDIT`. Most Linux distributions have this option enabled by default.
- `auditctl` to check auditd status (optional).
- To check that you can connect to your Teleport cluster, sign in with `tsh login`, then verify that you can run `tctl` commands on your administrative workstation using your current credentials. For example:

  ```
  $ tsh login --proxy=teleport.example.com --user=[email protected]
  $ tctl status
  CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
  ```

  If you can connect to the cluster and run the `tctl status` command, you can use your current credentials to run subsequent `tctl` commands from your workstation. If you host your own Teleport cluster, you can also run `tctl` commands on the computer that hosts the Teleport Auth Service for full permissions.
Teleport automatically sends auditd events when it discovers that auditd is enabled in the system. You can verify that by calling `auditctl -s` as root. Here is an example output from that command:

```
$ sudo auditctl -s
enabled 1
failure 1
pid 879
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
loginuid_immutable 0 unlocked
```

The first line, `enabled 1`, indicates that auditd is enabled, and Teleport will send events.
All events are generated on a Teleport Node. The `invalid user` events are also generated on the Proxy Service when a Teleport user fails to authenticate.

It's important to run Teleport as a system service (a systemd service, for example) with root permissions. Otherwise, Teleport won't send any events to auditd due to lack of permissions.

Make sure that the Teleport process has its login UID unset. Otherwise, the session ID won't be set correctly in the emitted events. You can verify that by calling `cat /proc/$(pidof teleport)/loginuid`. The value should be `4294967295`.
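The three conditions above (auditd enabled, `teleport` running as root, login UID unset) are easy to check by hand once, but worth scripting for fleet-wide verification. The following POSIX shell script is an added example, not code from the Teleport documentation or project. The parsing functions take their input as an argument so they can be exercised on the constructed `auditctl -s` sample embedded below; the `--live` flag is this script's own convention for running the checks against the local host, and the `auditctl`, `pidof`, `ps` and `/proc/<pid>/loginuid` lookups it makes are the standard Linux interfaces, not Teleport APIs.

```shell
#!/bin/sh
# Added example (not part of the Teleport docs): pre-flight checks for the
# auditd integration. Parsing is separated from data collection so the
# functions can be tested on constructed text; run with --live (as root)
# to check this host.

# Constructed sample of `auditctl -s` output, mirroring the one shown above.
SAMPLE_STATUS='enabled 1
failure 1
pid 879
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
loginuid_immutable 0 unlocked'

# Value of /proc/<pid>/loginuid for a process whose login UID was never set
# (the kernel's "unset" marker: -1 as an unsigned 32-bit integer).
UNSET_LOGINUID=4294967295

# Print the number following "enabled" in auditctl -s output:
# 0 = disabled, 1 = enabled, 2 = enabled and locked. Prints nothing if absent.
auditd_enabled_flag() {
    printf '%s\n' "$1" | awk '$1 == "enabled" { print $2; exit }'
}

# Succeed (exit 0) when the flag means auditd is accepting events.
auditd_accepting() {
    flag="$(auditd_enabled_flag "$1")"
    [ "$flag" = 1 ] || [ "$flag" = 2 ]
}

# Succeed when the given loginuid value is the "unset" marker.
loginuid_is_unset() {
    [ "$1" = "$UNSET_LOGINUID" ]
}

# Live checks against this host. Prints the first problem found and fails.
run_checks() {
    status="$(auditctl -s 2>/dev/null)" || { echo "cannot run auditctl -s (not root, or audit tools missing)"; return 1; }
    auditd_accepting "$status" || { echo "auditd is not enabled (enabled $(auditd_enabled_flag "$status")); Teleport will not send events"; return 1; }
    pid="$(pidof teleport 2>/dev/null)" || { echo "teleport is not running"; return 1; }
    pid="${pid%% *}"   # pidof may list several PIDs; check the first
    user="$(ps -o user= -p "$pid")"
    [ "$user" = root ] || { echo "teleport runs as '$user', not root; no events will be sent"; return 1; }
    loginuid_is_unset "$(cat "/proc/$pid/loginuid")" || { echo "teleport's loginuid is set; session IDs in events will be wrong"; return 1; }
    echo "auditd integration prerequisites satisfied (teleport pid $pid)"
}

if [ "${1:-}" = "--live" ]; then
    run_checks
fi
```

Run it as `sudo sh check-auditd.sh --live` on each Node; a non-zero exit with the printed reason is the signal to fix that host before expecting any Teleport events in the audit log.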
Auditd can generate additional events when PAM (Pluggable Authentication Modules) is enabled. To enable the PAM integration in Teleport, add the following `pam` section to the configuration file on your Teleport Node (`/etc/teleport.yaml` by default):

```yaml
ssh_service:
  # Enabled SSH Service
  enabled: true
  # Enable PAM integration
  pam:
    # "no" by default
    enabled: true
    # use /etc/pam.d/sshd configuration (the default)
    service_name: "sshd"
```
PAM-generated events depend on your `sshd` configuration when the integration is enabled. Most systems generate `USER_START` events. Additionally, TTY input can be logged by enabling the
For more details, please refer to the PAM or your operating system documentation.
When PAM integration is enabled, auditd events should closely match events generated by OpenSSH.
There are a few ways to trace SSH sessions in Teleport. To interact with auditd events, we will use `ausearch`. If your system is missing that tool, consult your distribution documentation to check how to install it.

You can search events when logging in as a system user by using the user's UID. You can check the UID of a user with the `id` command:

```
$ id bob
uid=1000(bob) gid=1000(bob) groups=1000(bob)
```

Then you can use the `uid` to search auditd logs:

```
ausearch -ua 1000 -m USER_LOGIN
```
Events sent to auditd by Teleport are augmented by the `teleportUser` field, which contains the name of the Teleport user. `ausearch` doesn't let you search by custom fields, but you can use `grep` for that:

```
ausearch -m USER_LOGIN | grep teleportUser=bob
```

If you want to find all events generated by a specific session, first you need to find the session ID. You can do that by using:

```
ausearch -m USER_LOGIN -x teleport --just-one
```

Then search for events related only to that one session:

```
ausearch --session 42
```
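Chaining the three `ausearch` steps above by hand works for one session, but a Teleport user typically has many, and `--just-one` only returns the first. The following POSIX shell script is an added example, not code from the Teleport documentation or project: it reads `ausearch -m USER_LOGIN` output, collects every `ses=` value for one `teleportUser`, counts that user's failed logins, and with its own `--live` flag runs `ausearch --session` for each session found. The embedded sample records are constructed for the example and only approximate the real record layout; the parser looks for `key=value` tokens anywhere in a record rather than at fixed positions, so it does not depend on where Teleport places `teleportUser` relative to the `msg='...'` body.

```shell
#!/bin/sh
# Added example (not part of the Teleport docs): list every auditd session
# for one Teleport user and count failed logins, from ausearch output.

# Constructed sample of `ausearch -m USER_LOGIN` output: two logins for bob
# (one failed) and one for alice. Field layout is an approximation.
SAMPLE_EVENTS="type=USER_LOGIN msg=audit(1700000000.101:301): pid=2001 uid=0 auid=1000 ses=42 msg='op=login acct=\"bob\" exe=\"/usr/local/bin/teleport\" hostname=? addr=10.0.0.5 terminal=teleport res=success' teleportUser=bob
type=USER_LOGIN msg=audit(1700000040.202:317): pid=2010 uid=0 auid=1001 ses=43 msg='op=login acct=\"alice\" exe=\"/usr/local/bin/teleport\" hostname=? addr=10.0.0.6 terminal=teleport res=success' teleportUser=alice
type=USER_LOGIN msg=audit(1700000090.303:329): pid=2022 uid=0 auid=1000 ses=44 msg='op=login acct=\"bob\" exe=\"/usr/local/bin/teleport\" hostname=? addr=10.0.0.7 terminal=teleport res=failed' teleportUser=bob"

# awk helper shared by the functions below: kv(key) returns the value of the
# first key=value token on the current record, with surrounding quotes
# stripped, or "" when the key is absent.
AWK_KV='function kv(key,   i, v) {
    for (i = 1; i <= NF; i++) {
        if (index($i, key "=") == 1) {
            v = substr($i, length(key) + 2)
            gsub(/['\''"]/, "", v)
            return v
        }
    }
    return ""
}'

# Print each session ID (ses=) for the given Teleport user once, in
# first-seen order.  Usage: sessions_for_user "<ausearch output>" <user>
sessions_for_user() {
    printf '%s\n' "$1" | awk -v want="$2" "$AWK_KV"'
        {
            ses = kv("ses")
            if (kv("teleportUser") == want && ses != "" && !(ses in seen)) {
                seen[ses] = 1
                print ses
            }
        }'
}

# Print the number of USER_LOGIN records for the user whose result is not
# "success".  Usage: failed_logins "<ausearch output>" <user>
failed_logins() {
    printf '%s\n' "$1" | awk -v want="$2" "$AWK_KV"'
        kv("teleportUser") == want && kv("type") == "USER_LOGIN" && kv("res") != "success" { n++ }
        END { print n + 0 }'
}

# Live use (needs root, auditd and ausearch): ./script.sh --live bob
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    events="$(ausearch -m USER_LOGIN 2>/dev/null)"
    echo "failed logins for $2: $(failed_logins "$events" "$2")"
    for ses in $(sessions_for_user "$events" "$2"); do
        echo "=== session $ses ==="
        ausearch --session "$ses"
    done
fi
```

The failed-login count is the piece worth wiring into monitoring: a Teleport user whose `USER_LOGIN` records show repeated non-success results on a Node is something an operator should see without running `ausearch` by hand.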