I'm using pam-1.1.1-10.el6_2.1.x86_64 on RHEL6 and was hoping to
gain some knowledge about how pam_tty_audit works.
- I have "enable=*" in my pam.d config files; however, only keystrokes
from root are logged.
- When sudo'ing from a non-privileged account, the user's password is
logged and viewable from "aureport --tty"; however, I can't find where
this information is logged to disk. Or is it?
I'm on RHEL 6.3 and used the following command to config my box for
echo "session required pam_tty_audit.so enable=*"
I also tried:
    session required pam_tty_audit.so enable=root,shawn
    session required pam_tty_audit.so disable=* enable=root,shawn
None of those three configurations seem to be auditing the user
I just downloaded the latest stable source and have started going
through modules/pam_tty_audit/pam_tty_audit.c to better understand how
event data is passed from the pam_tty_audit module back to PAM to be
written to disk, but any pointers would be hugely welcome!
Pam-list mailing list