Score:-1

Configuring FreeRADIUS to log user commands

I need to be able to configure a radius server to log users' activities like the commands they're running whilst they were logged into a client device. Entries should be made in the /var/log/freeradius/radius.log file.

djdomi avatar
Too little information. What have you already tried, and what's the exact issue you are facing? Currently you are telling us your car is broken, just as an opposite example.

Right now it is configured to just send the login info to the file /var/log/freeradius/radius.log. That is, it shows in the log the user who logged in and the password they used to log in. I want to be able to see what they did when they logged in. Example: a user runs the ls -l command, and I can see that in the log file on the RADIUS server.
Score:0

I don't believe this is possible with RADIUS; it's not really what it is designed for.

What you are probably looking for is something like tlog and, if you want the logs all to be centrally stored, setting up systemd (or whatever logger you are using) to send the logs to a central remote host (this could be the same machine you are running the RADIUS server on).

Score:0

This functionality was never defined in a standard and so varies from vendor to vendor. If this functionality is supported by the NAS (Network Access Server), then the NAS will copy the command entered by the user into a VSA (Vendor Specific Attribute). The NAS will then send that attribute to the RADIUS server in an Accounting-Request/Interim-Update along with attributes to identify the NAS and user. You will likely need to enable command logging via RADIUS explicitly in the NAS' configuration as it is almost never enabled by default.

For logging commands it's best to use the linelog module. You'll also need a conditional check to only call linelog if the command attribute is present in the Accounting-Request/Interim-Update packet, as these command logging packets will be mixed in with the normal accounting stream.

I've used HP-Command-String as the example attribute here, but the actual attribute will vary from vendor to vendor. You should examine the incoming Accounting-Request packets to see which VSA contains the command the user issued.

Add the following lines to your FreeRADIUS configuration files, and ensure mods-available/linelog is linked to mods-enabled/linelog.

sites-available/default

accounting {
    if (&HP-Command-String) {
        log_commands
    }
}

mods-available/linelog

linelog log_commands {
    format = "user=%{User-Name}, command=%{HP-Command-String}"
    filename = ${logdir}/radius.log
}

After you restart freeradius you should see commands being appended to /var/log/radius/radius.log or /var/log/freeradius/radius.log depending on your distribution.

See mods-available/linelog for more configuration options for the linelog module.
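
To find which VSA carries the command, as the answer above suggests, you can decode a captured Accounting-Request and list its vendor-specific sub-attributes. This is an added example, not part of the original answer; vendor ID 99999 and vendor type 7 in the sample packet are constructed placeholders, and the sub-attribute layout assumed is the one RFC 2865 recommends.

```python
import struct

ACCOUNTING_REQUEST = 4                      # RADIUS packet code (RFC 2866)
USER_NAME, VENDOR_SPECIFIC, ACCT_STATUS_TYPE = 1, 26, 40

def parse_attributes(packet: bytes):
    """Yield (type, value) for each top-level attribute of a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20                                # 4-byte header + 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def parse_vsa(value: bytes):
    """Yield (vendor_id, vendor_type, data) for each sub-attribute of one VSA.
    Assumes the type/length/data layout RFC 2865 recommends; a vendor may differ."""
    if len(value) < 4:
        raise ValueError("VSA too short for a vendor ID")
    vendor_id = struct.unpack("!I", value[:4])[0]
    pos = 4
    while pos < len(value):
        if pos + 2 > len(value) or value[pos + 1] < 2 or pos + value[pos + 1] > len(value):
            raise ValueError("malformed vendor sub-attribute")
        yield vendor_id, value[pos], value[pos + 2:pos + value[pos + 1]]
        pos += value[pos + 1]

def summarize(packet: bytes) -> dict:
    """Return the user, Acct-Status-Type and every VSA of an Accounting-Request."""
    if not packet or packet[0] != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    out = {"user": None, "status": None, "vsas": []}
    for atype, value in parse_attributes(packet):
        if atype == USER_NAME:
            out["user"] = value.decode("utf-8", "replace")
        elif atype == ACCT_STATUS_TYPE:
            out["status"] = int.from_bytes(value, "big")   # 3 = Interim-Update
        elif atype == VENDOR_SPECIFIC:
            out["vsas"].extend(parse_vsa(value))
    return out

def build_sample() -> bytes:
    """Constructed Interim-Update packet; the vendor ID and type are placeholders."""
    attr = lambda t, v: bytes([t, len(v) + 2]) + v
    vsa = struct.pack("!I", 99999) + attr(7, b"show running-config")
    body = attr(1, b"alice") + attr(40, struct.pack("!I", 3)) + attr(26, vsa)
    return struct.pack("!BBH", 4, 1, 20 + len(body)) + bytes(16) + body
```

Look up the vendor ID and type printed for your NAS in the FreeRADIUS dictionaries to get the attribute name to use in the `if` condition and the linelog format string.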
