TTY logging using auditd feedback requested

Edward Bailey bailey.edward at gmail.com
Tue Jan 7 16:49:32 UTC 2014


Greetings

I am looking into using auditd to capture tty logging for all users
and I am having some trouble. Capturing keystrokes is a requirement
from our security team that I am not wild about, but for various
reasons it is what it is. We already push all the log data into Splunk so
I am not that concerned with managing the data flow.

We are using snoopy and it works ok, but increasingly we are seeing
issues with how it loads its kernel module on bootup so I am looking
for something better. Auditd would be a good option since we use it
already and could expand its usage and eliminate a tool.

I added the suggested line to capture tty logs to system-auth in pam.d:

"session required pam_tty_audit.so enable=*"

and restarted auditd.

I can see the tty logs from the root user fine, but any other users
are not working as expected. When I do see commands from non-root
users, the log message is a dump of all the commands run during the
session instead of cleanly separated events for each command. Is that
expected?

I also added syscall rules for execve which work ok but not as good as
the keystroke logging for the root user.

Any idea what is wrong? Is this expected behavior? Any suggestions for
a better method to achieve the requirement?

Thanks

Ed
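
Added example, not part of the original post: a Python sketch that splits the hex-encoded `data=` field of `type=TTY` audit records into one entry per Enter keypress, for the case described above where a whole session arrives in a single record. The sample records are constructed, the function names are hypothetical, and the code assumes the usual audit.log record layout.

```python
import re

# Constructed sample in the layout auditd writes for type=TTY records.
SAMPLE_LOG = """\
type=TTY msg=audit(1389113372.101:410): tty pid=2101 uid=0 auid=0 ses=3 major=136 minor=0 comm="bash" data=69640D
type=TTY msg=audit(1389113390.552:431): tty pid=2188 uid=1001 auid=1001 ses=4 major=136 minor=1 comm="bash" data=6C73202D6C610D636174202F6574632F686F7374737F0D77686F616D690D
type=USER_END msg=audit(1389113391.000:432): pid=2180 uid=0 auid=1001 ses=4 msg='op=PAM:session_close'
"""

# Only well-formed hex (whole byte pairs) in data= is accepted.
TTY_RE = re.compile(
    r"^type=TTY msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):"
    r".*?\bauid=(?P<auid>\d+).*?\bdata=(?P<data>(?:[0-9A-Fa-f]{2})+)\s*$"
)

def split_keystrokes(raw):
    """Rebuild typed lines: Enter ends a line, BS/DEL drops the last byte."""
    lines, cur = [], bytearray()
    for b in raw:
        if b in (0x0D, 0x0A):            # Enter: close the current line
            if cur:
                lines.append(cur.decode("utf-8", "replace"))
            cur = bytearray()
        elif b in (0x08, 0x7F):          # backspace / delete
            if cur:
                cur.pop()
        elif b >= 0x20:                  # printable or UTF-8 byte
            cur.append(b)
        else:                            # other control keys, shown as ^X
            cur += b"^" + bytes([b + 0x40])
    if cur:                              # record ended before Enter was pressed
        lines.append(cur.decode("utf-8", "replace"))
    return lines

def parse_tty_records(log_text):
    """Return (timestamp, serial, auid, typed_line) for every TTY record."""
    events = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if not m:
            continue                     # other record types are ignored
        for typed in split_keystrokes(bytes.fromhex(m["data"])):
            events.append((float(m["ts"]), int(m["serial"]), int(m["auid"]), typed))
    return events

if __name__ == "__main__":
    for event in parse_tty_records(SAMPLE_LOG):
        print(event)
```

Every line recovered from one record carries that record's timestamp and serial, so the output shows what was typed and in what order, not when each command was entered.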




More information about the Linux-audit mailing list