* pam_tty_audit
From: Pieter Baele @ 2012-12-12 6:45 UTC
To: linux-audit
Hi,
I've some problems configuring the pam_tty_audit module:
In which pam.d files do I need to configure pam_tty_audit? (RHEL)
It seems system-auth is not enough.
Purpose: auditing root and a list of users according to a glob pattern.
I don't want to miss something (logging in from sudo, su -, console, ssh...)
(example here: root and "user1")
On RHEL6 I have
system-auth, su, su-l:
session required pam_tty_audit.so disable=* enable=root,user1
And for sudo open_only is recommended???
session required pam_tty_audit.so open_only enable=root,user1
But if user1 does log on, no commands are logged....
Any idea?
* Re: pam_tty_audit
From: Miloslav Trmac @ 2012-12-12 11:46 UTC
To: Pieter Baele; +Cc: linux-audit
Hello,
----- Original Message -----
> But if user1 does log on, no commands are logged....
Are you talking about TTY or USER_TTY records, and are you checking immediately after entering the command, or after exiting the session?
Unprivileged users are not allowed to send USER_TTY records as each command is entered, so the input read by unprivileged users is audited only when the (4 KB) buffer is flushed or the process (i.e. the shell) exits.
Mirek
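
To check which record type a session produced, and whether several commands arrived in a single late record, this added example (not part of the original messages) parses audit log lines and decodes the data= field. The sample lines are constructed; the TTY layout follows the kernel's tty audit record, while the USER_TTY layout with a hex data= field is an assumption that varies between kernel versions.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread). auid=0 is a root login,
# auid=500 stands in for "user1". USER_TTY field layout is an assumption.
SAMPLE_LOG = """\
type=USER_TTY msg=audit(1355312701.101:210): user pid=4100 uid=0 auid=0 ses=7 data=6964
type=USER_TTY msg=audit(1355312709.552:214): user pid=4100 uid=0 auid=0 ses=7 data=6C73202D6C
type=TTY msg=audit(1355312950.310:230): tty pid=4200 uid=500 auid=500 ses=8 major=136 minor=1 comm="bash" data=6C730D7077640D657869740D
"""

RECORD = re.compile(
    r"^type=(?P<type>TTY|USER_TTY) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):"
    r".*?\bauid=(?P<auid>\d+)\b.*?\bdata=(?P<data>\S+)")

def decode_data(field):
    """Decode a data= value: a quoted string or hex-encoded bytes."""
    if field.startswith('"'):
        return field[1:-1]
    try:
        raw = bytes.fromhex(field)
    except ValueError:
        return field  # not hex: keep the value as logged
    # Keep CR/LF as line separators; escape other control bytes so they
    # cannot act on the analyst's terminal.
    return "".join(chr(b) if b in (10, 13) or 32 <= b < 127 else "\\x%02x" % b
                   for b in raw)

def parse_tty_records(log_text):
    """Return one dict per TTY/USER_TTY record found in log_text."""
    records = []
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        # A single TTY record may hold many input lines, because the buffer
        # is written out only on flush or when the process exits.
        lines = [l for l in re.split(r"[\r\n]+", decode_data(m["data"])) if l]
        records.append({"type": m["type"], "ts": float(m["ts"]),
                        "auid": int(m["auid"]), "lines": lines})
    return records

def summarize(records):
    """Map auid -> record type -> list of input-line lists, one per record."""
    summary = defaultdict(lambda: defaultdict(list))
    for r in records:
        summary[r["auid"]][r["type"]].append(r["lines"])
    return summary

if __name__ == "__main__":
    for auid, by_type in summarize(parse_tty_records(SAMPLE_LOG)).items():
        for rtype, batches in by_type.items():
            print(f"auid={auid} {rtype}: {len(batches)} record(s) -> {batches}")
```
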