From mboxrd@z Thu Jan  1 00:00:00 1970
From: Miloslav Trmac <mitr@redhat.com>
Subject: Re: pam_tty_audit
Date: Wed, 12 Dec 2012 06:46:16 -0500 (EST)
Message-ID: <1835115808.46519974.1355312776198.JavaMail.root@redhat.com>
References: <CADDXySrKMGycrH2HNYrAWJ0_9r6T2shckFDePmEGd-_kQH74ww@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5235365964985913665=="
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx3-phx2.redhat.com (mx01.colomx.prod.int.phx2.redhat.com
	[10.5.7.1])
	by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id qBCBkGpK029243
	for <linux-audit@redhat.com>; Wed, 12 Dec 2012 06:46:16 -0500
In-Reply-To: <CADDXySrKMGycrH2HNYrAWJ0_9r6T2shckFDePmEGd-_kQH74ww@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Pieter Baele <pieter.baele@gmail.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

--===============5235365964985913665==
Content-Type: multipart/alternative;
	boundary="----=_Part_46519973_1720830451.1355312776197"

------=_Part_46519973_1720830451.1355312776197
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

Hello, 
----- Original Message -----

> But if user1 does log on, no commands are logged....

Are you talking about TTY or USER_TTY records, and are you checking immediately after entering the command, or after exiting the session? 

Unprivileged users are not allowed to send USER_TTY records as each command is entered, so the input read by unprivileged users is audited only when the (4 KB) buffer is flushed or the process (i.e. the shell) exits. 
Mirek 

------=_Part_46519973_1720830451.1355312776197
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: times new roman,new york,times,serif; font-size: 12pt; color: #000000'>Hello,<br><hr id="zwchr"><blockquote id="DWT336" style="border-left:2px solid rgb(16, 16, 255);margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;">But if user1 does log on, no commands are logged....<br></blockquote><br>Are
 you talking about TTY or USER_TTY records, and are you checking 
immediately after entering the command, or after exiting the session?<br><br>Unprivileged
 users are not allowed to send USER_TTY records as each command is 
entered, so the input read by unprivileged users is audited only when 
the (4 KB) buffer is flushed or the process (i.e. the shell) exits.<br>&nbsp;&nbsp;&nbsp; Mirek<br></div></body></html>
------=_Part_46519973_1720830451.1355312776197--


--===============5235365964985913665==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============5235365964985913665==--