pam-1.1.1-10.el6_2.1.x86_64 and pam_tty_audit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



I'm using pam-1.1.1-10.el6_2.1.x86_64 on RHEL6 and was hoping to gain some knowledge about how the pam_tty_audit works.

- I have "enable=*" in my pam.d config files, however only keystrokes from root are logged - When sudo'ing from a non-privileged account the users password is logged and viewable from "aureport --tty" however I can't find where this information is logged to disk. Or is it?

I'm on RHEL 6.3 and used the following command to config my box for pam_tty_audit: echo "session required enable=*" /etc/pam.d/{su,sudo,sudo-i,su-l,login,system-auth}

    I also tried:
session    required enable=root,shawn

    And also:
session    required disable=* enable=root,shawn

None of those three configurations seem to be auditing the user "shawn."

I just downloaded the latest stable source and have started going through modules/pam_tty_audit/pam_tty_audit.c to better understand how event data is passed from the pam_tty_audit module back to PAM to be written to disk, but any pointers would be hugely welcome!


Pam-list mailing list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux