* Audit filter by TTY
From: John Bambenek @ 2013-04-26 15:07 UTC
To: linux-audit@redhat.com
I was playing around and wanted to know if there are plans to allow audit rule filters by TTY, or specifically filter when tty != (none) (i.e. interactive login events).
* Re: Audit filter by TTY
From: Steve Grubb @ 2013-04-26 16:56 UTC
To: linux-audit
On Friday, April 26, 2013 10:07:56 AM John Bambenek wrote:
> I was playing around and wanted to know if there are plans to allow audit
> rule filters by TTY, or specifically filter when tty != (none) (i.e.
> interactive login events).
You can use the pam_tty_audit module to do that. There are no plans to
configure this by auditctl.
-Steve
* Re: Audit filter by TTY
From: John Bambenek @ 2013-04-26 17:03 UTC
To: Steve Grubb; +Cc: linux-audit@redhat.com
I would prefer a solution besides a keylogger that, among other things, happily captures passwords and stores them in the clear in logs.
On Apr 26, 2013, at 11:56 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Friday, April 26, 2013 10:07:56 AM John Bambenek wrote:
>> I was playing around and wanted to know if there are plans to allow audit
>> rule filters by TTY, or specifically filter when tty != (none) (i.e.
>> interactive login events).
>
> You can use the pam_tty_audit module to do that. There are no plans to
> configure this by auditctl.
>
> -Steve
* Re: Audit filter by TTY
From: Steve Grubb @ 2013-04-26 17:14 UTC
To: John Bambenek; +Cc: linux-audit@redhat.com
On Friday, April 26, 2013 12:03:17 PM John Bambenek wrote:
> I would prefer a solution besides a keylogger that, among other things,
> happily captures passwords and stores them in the clear in logs.
That is being worked on:
https://www.redhat.com/archives/linux-audit/2013-March/msg00050.html
The patch still isn't ready, but it will be configured by pam_tty_audit.
-Steve
> On Apr 26, 2013, at 11:56 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Friday, April 26, 2013 10:07:56 AM John Bambenek wrote:
> >> I was playing around and wanted to know if there are plans to allow audit
> >> rule filters by TTY, or specifically filter when tty != (none) (i.e.
> >> interactive login events).
> >
> > You can use the pam_tty_audit module to do that. There are no plans to
> > configure this by auditctl.
> >
> > -Steve
* Re: Audit filter by TTY
From: John Bambenek @ 2013-04-26 17:27 UTC
To: Steve Grubb; +Cc: linux-audit@redhat.com
Even better. Thanks.
On Apr 26, 2013, at 12:14 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Friday, April 26, 2013 12:03:17 PM John Bambenek wrote:
>> I would prefer a solution besides a keylogger that, among other things,
>> happily captures passwords and stores them in the clear in logs.
>
> That is being worked on:
> https://www.redhat.com/archives/linux-audit/2013-March/msg00050.html
>
> The patch still isn't ready, but it will be configured by pam_tty_audit.
>
> -Steve
>
>> On Apr 26, 2013, at 11:56 AM, Steve Grubb <sgrubb@redhat.com> wrote:
>>> On Friday, April 26, 2013 10:07:56 AM John Bambenek wrote:
>>>> I was playing around and wanted to know if there are plans to allow audit
>>>> rule filters by TTY, or specifically filter when tty != (none) (i.e.
>>>> interactive login events).
>>>
>>> You can use the pam_tty_audit module to do that. There are no plans to
>>> configure this by auditctl.
>>>
>>> -Steve
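
Because the thread says no tty filter is planned for auditctl, the "tty != (none)" selection can instead be applied to the log after collection. The following is an added example, not code from the thread or from the audit project: Python that groups records by event ID and keeps whole events whose SYSCALL record has a tty other than (none). The log lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log key=value form (not from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1366988876.101:410): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2301 auid=1000 uid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="exec"
type=EXECVE msg=audit(1366988876.101:410): argc=2 a0="ls" a1="-l"
type=SYSCALL msg=audit(1366988877.245:411): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2302 auid=4294967295 uid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="exec"
type=EXECVE msg=audit(1366988877.245:411): argc=1 a0="logrotate"
type=SYSCALL msg=audit(1366988879.900:412): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2305 auid=1000 uid=0 tty=tty1 ses=3 comm="id" exe="/usr/bin/id" key="exec"
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group records by (timestamp, serial); all records of one event share it."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue  # not an audit record
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        fields["type"] = line.split(None, 1)[0].partition("=")[2]
        events[(m.group(1), int(m.group(2)))].append(fields)
    return events


def interactive_events(text):
    """Keep whole events whose SYSCALL record has a tty other than (none)."""
    kept = {}
    for eid, records in parse_events(text).items():
        ttys = [r["tty"] for r in records
                if r["type"] == "SYSCALL" and "tty" in r]
        # Events without a SYSCALL record carry no tty and are dropped.
        if ttys and all(t != "(none)" for t in ttys):
            kept[eid] = records
    return kept


if __name__ == "__main__":
    for (ts, serial), records in sorted(interactive_events(SAMPLE_LOG).items()):
        sc = records[0]
        print(serial, sc["tty"], sc["auid"], sc["exe"])
```

Companion records such as EXECVE have no tty field of their own, so the filter decides per event and carries them along with the matching SYSCALL record.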