Hello,
I'm using pam-1.1.1-10.el6_2.1.x86_64 on RHEL6 and was hoping to
gain some knowledge about how pam_tty_audit works.
Specifically,
- I have "enable=*" in my pam.d config files, however only keystrokes
from root are logged
- When sudo'ing from a non-privileged account, the user's password is
logged and viewable from "aureport --tty"; however, I can't find where
this information is logged to disk. Or is it?
I'm on RHEL 6.3 and used the following command to configure my box for
pam_tty_audit:
echo "session required pam_tty_audit.so enable=*"
/etc/pam.d/{su,sudo,sudo-i,su-l,login,system-auth}
I also tried:
session required pam_tty_audit.so enable=root,shawn
And also:
session required pam_tty_audit.so disable=* enable=root,shawn
None of those three configurations seem to be auditing the user
"shawn."
I just downloaded the latest stable source and have started going
through modules/pam_tty_audit/pam_tty_audit.c to better understand how
event data is passed from the pam_tty_audit module back to PAM to be
written to disk, but any pointers would be hugely welcome!
-Shawn
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
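
An added example, not part of the original post or of Linux-PAM: pam_tty_audit only switches on the kernel's TTY auditing for the session, and the keystrokes reach disk as `type=TTY` records in the audit daemon's log (by default /var/log/audit/audit.log) with a hex-encoded `data=` field, which is what `aureport --tty` decodes and why a plain-text search of the log finds nothing. The sketch below decodes such records; the sample lines are constructed and the function names are hypothetical.

```python
import re

# Constructed sample lines in auditd log format (not taken from the post).
SAMPLE_LOG = """\
type=USER_START msg=audit(1347980000.100:410): user pid=2290 uid=0 auid=500 ses=3 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" res=success'
type=TTY msg=audit(1347980012.345:412): tty pid=2301 uid=0 auid=500 ses=3 major=136 minor=1 comm="bash" data=6C73202D6C0D
type=TTY msg=audit(1347980020.777:415): tty pid=2301 uid=0 auid=500 ses=3 major=136 minor=1 comm="bash" data=69640D657869740D
"""

# Fields of a kernel TTY audit record; data= holds hex-encoded keystrokes.
TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):'
    r'.*?\buid=(?P<uid>\d+) auid=(?P<auid>\d+)'
    r'.*?\bcomm=(?P<comm>"[^"]*"|\S+) data=(?P<data>[0-9A-Fa-f]*)\s*$'
)

NAMED = {0x0D: "<CR>", 0x0A: "<LF>", 0x09: "<TAB>", 0x7F: "<DEL>", 0x03: "<^C>"}


def render(raw):
    """Show printable ASCII as-is and control bytes as readable tags."""
    return "".join(
        chr(b) if 0x20 <= b < 0x7F else NAMED.get(b, "<%02X>" % b) for b in raw
    )


def parse_tty_records(log_text):
    """Return one dict per well-formed type=TTY record in log_text."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if not m:
            continue  # other record types carry no keystroke data
        try:
            raw = bytes.fromhex(m.group("data"))
        except ValueError:
            continue  # odd-length hex: record was truncated, skip it
        records.append({
            "time": float(m.group("ts")),
            "uid": int(m.group("uid")),
            "auid": int(m.group("auid")),  # login uid, survives su/sudo
            "comm": m.group("comm").strip('"'),
            "keys": render(raw),
        })
    return records


if __name__ == "__main__":
    for rec in parse_tty_records(SAMPLE_LOG):
        print(rec["time"], "uid=%d auid=%d" % (rec["uid"], rec["auid"]),
              rec["comm"], repr(rec["keys"]))
```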