pam_tty_audit bi-directional logging

Steve Grubb sgrubb at redhat.com
Mon Jun 10 15:55:40 UTC 2013


On Monday, June 10, 2013 11:48:15 AM Miloslav Trmač wrote:
> > > > Is there any way to make pam_tty_audit log not only what the user
> > > > types but also what the server sends back?
> > > 
> > > No, this is currently not possible.
> > 
> > Impossible as in 1) what is already shipped can't do this, or 2) no amount
> > of code being added to the kernel can do this, or 3) for upstream
> > political reasons?
> 
> Primarily 1), also
> 4) auditing output is a little more difficult because it's much more common
> to have a _lot_ of output (e.g. (find -name '*.c')), so TTY auditing should
> probably be able to throttle the TTY throughput.  (In principle the same
> problem is with input as well - with a PTY I can cause a massive amount of
> data to be audited - but it doesn't occur accidentally.)

Probably would need to escape/drop all the control characters, too, so the report
display terminal doesn't get hijacked. :-)  But yes, I could see someone
DoS'ing the machine easily now that you mention it.

-Steve
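The control-character concern raised above is what any tool that displays TTY audit records has to handle: the captured bytes are attacker-controlled (whoever typed them chose them), so an ANSI escape sequence or a terminal title-setting sequence in the `data=` field would be interpreted by the terminal of whoever views the report. The following is an added example, not code from the thread or from the audit project, of rendering such records safely. It assumes the kernel's `type=TTY` record layout with the keystrokes hex-encoded in a `data=` field; the sample record is constructed and its audit timestamp, pid and uid are made up.

```python
import re

# Constructed sample of a kernel TTY audit record (not taken from the thread).
# The data= field decodes to:  ls<CR><ESC>[2J<ESC>]0;owned<BEL>
# i.e. a command followed by a clear-screen sequence and a title-setting
# sequence, the kind of thing a report viewer must not pass to its terminal.
SAMPLE_RECORD = (
    'type=TTY msg=audit(1370879740.123:456): tty pid=1234 uid=1000 auid=1000 '
    'ses=1 major=136 minor=0 comm="bash" '
    'data=6C730D1B5B324A1B5D303B6F776E656407'
)

# key=value pairs; values are either a quoted string or a bare token
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Control bytes that get a readable short form; everything else non-printable
# is rendered as \xNN so no raw byte below 0x20 (or DEL/8-bit) reaches the tty.
_NAMED_ESCAPES = {0x09: r'\t', 0x0A: r'\n', 0x0D: r'\r'}


def parse_fields(record: str) -> dict:
    """Split an audit record into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in _FIELD_RE.findall(record)}


def extract_tty_data(record: str) -> bytes:
    """Return the raw captured bytes from the hex-encoded data= field."""
    fields = parse_fields(record)
    if 'data' not in fields:
        raise ValueError('no data= field in TTY record')
    return bytes.fromhex(fields['data'])


def render_safely(data: bytes) -> str:
    """Escape every control character so the result is safe to print.

    Printable ASCII (0x20..0x7E) is kept, except backslash, which is doubled
    so the escaped form stays unambiguous. All other bytes, including ESC,
    DEL and anything >= 0x80, are replaced by a backslash escape.
    """
    out = []
    for b in data:
        if b == 0x5C:
            out.append('\\\\')
        elif 0x20 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append(_NAMED_ESCAPES.get(b, '\\x%02x' % b))
    return ''.join(out)


def is_display_safe(text: str) -> bool:
    """Check that a rendered string contains no raw control characters."""
    return all(0x20 <= ord(c) <= 0x7E for c in text)


def summarize_tty_record(record: str) -> dict:
    """Produce a report line's worth of fields with the keystrokes neutralized."""
    fields = parse_fields(record)
    keystrokes = render_safely(extract_tty_data(record))
    assert is_display_safe(keystrokes)
    return {
        'pid': fields.get('pid'),
        'auid': fields.get('auid'),
        'comm': fields.get('comm'),
        'keystrokes': keystrokes,
    }


if __name__ == '__main__':
    summary = summarize_tty_record(SAMPLE_RECORD)
    print('pid=%s auid=%s comm=%s keystrokes=%s' % (
        summary['pid'], summary['auid'], summary['comm'], summary['keystrokes']))
```

The escaping is deliberately byte-based rather than a UTF-8 decode: a viewer that decodes first can be tricked with malformed sequences, and 8-bit C1 control codes would survive a naive "strip bytes below 0x20" filter. Run as a script it prints the constructed record with the clear-screen and title sequences shown as `\x1b[2J` and `\x1b]0;owned\x07` instead of being executed by the terminal.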



