pam-1.1.1-10.el6_2.1.x86_64 and pam_tty_audit

Hello,

I'm using pam-1.1.1-10.el6_2.1.x86_64 on RHEL6 and was hoping to gain some knowledge about how the pam_tty_audit works.

Specifically:
- I have "enable=*" in my pam.d config files, however only keystrokes from root are logged.
- When sudo'ing from a non-privileged account, the user's password is logged and viewable from "aureport --tty", however I can't find where this information is logged to disk. Or is it?

I'm on RHEL 6.3 and used the following command to config my box for pam_tty_audit:
echo "session required pam_tty_audit.so enable=*" /etc/pam.d/{su,sudo,sudo-i,su-l,login,system-auth}

I also tried:
session    required    pam_tty_audit.so enable=root,shawn

And also:
session    required    pam_tty_audit.so disable=* enable=root,shawn

None of those three configurations seem to be auditing the user "shawn."

I just downloaded the latest stable source and have started going through modules/pam_tty_audit/pam_tty_audit.c to better understand how event data is passed from the pam_tty_audit module back to PAM to be written to disk, but any pointers would be hugely welcome!

-Shawn
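
For readers following the "aureport --tty" question above: TTY keystroke records are emitted through the kernel audit subsystem, and when auditd is running they are written to its log file (/var/log/audit/audit.log by default on RHEL). The following is an added example, not part of the original post or of Linux-PAM, that decodes the hex `data=` field of `type=TTY` records and counts them per login uid, to check which accounts are actually being audited; the sample lines are constructed and their field layout is an assumption.

```python
import re
from collections import Counter

# Constructed sample of audit log lines (not taken from the post).
# Assumed layout: key=value fields, keystrokes hex-encoded in data=.
SAMPLE_LOG = """\
type=TTY msg=audit(1345000000.101:201): tty pid=2101 uid=0 auid=500 ses=3 major=136 minor=1 comm="bash" data=69640D
type=USER_START msg=audit(1345000001.000:202): user pid=2100 uid=0 auid=500 ses=3 msg='op=PAM:session_open acct="root" res=success'
type=TTY msg=audit(1345000002.250:203): tty pid=2101 uid=0 auid=500 ses=3 major=136 minor=1 comm="bash" data=6C73202D6C0D
type=TTY msg=audit(1345000003.400:204): tty pid=2230 uid=0 auid=0 ses=4 major=4 minor=1 comm="bash" data=77686F0D
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_tty_records(text):
    """Return one dict per type=TTY line, with the data= field decoded."""
    records = []
    for line in text.splitlines():
        if not line.startswith("type=TTY "):
            continue  # other record types carry no keystroke data
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        try:
            raw = bytes.fromhex(fields.get("data", ""))
        except ValueError:
            continue  # malformed or truncated record
        # Keep printable ASCII; show control bytes (Enter, Backspace) as \xNN.
        fields["keys"] = "".join(
            chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in raw)
        records.append(fields)
    return records


def audited_accounts(records):
    """Count TTY records per (auid, uid).

    auid is the login uid and stays the same across su/sudo, so a user who
    became root shows up as (their auid, "0") rather than as ("0", "0").
    """
    return Counter((r.get("auid"), r.get("uid")) for r in records)


if __name__ == "__main__":
    recs = parse_tty_records(SAMPLE_LOG)
    for r in recs:
        print(r["auid"], r["uid"], r["comm"], r["keys"])
    print(dict(audited_accounts(recs)))
```

Because typed passwords can appear in these records, the audit log needs the same access restrictions as any other credential store.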

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

