Auditing device files

Richard Guy Briggs rgb at redhat.com
Tue Jul 26 15:05:26 UTC 2016


On 2016-07-26 09:40, Ed Christiansen MS wrote:
> Here's a place to start
> http://linux.die.net/man/8/pam_tty_audit

It is a place to start, but that page is a bit out of date, since
pam_tty_audit now has a "log_passwd" option that isn't documented on
that page.

This is a bit more up to date:
	https://www.mankier.com/8/pam_tty_audit

> On 7/26/2016 5:00 AM, Pavithra P wrote:
> >Hi,
> >
> >I am trying to see what commands are typed in my terminal and serial
> >port. For that I am using auditd daemon which helps me in auditing
> >files.
> >I thought of creating audit rules on /dev/tty and /dev/ttyAMA0 for
> >seeing what's happening on terminal and serial device respectively
> >
> >auditctl -w /dev/tty -p rwx -k terminal
> >auditctl -w /dev/ttyAMA0 -p rwx -k serialport
> >
> >But this records only the echo on tty. I can't audit all the commands
> >typed on the terminal. I enabled tty logging in the PAM file too by
> >adding session required pam_tty_audit.so enable=* in /etc/pam.d/sshd
> >file.
> >Is there any other way to do this auditing? I want to use auditd
> >daemon only so that all my auditing log is in one file.

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
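
What pam_tty_audit output looks like once it reaches the audit log, as an added example that is not part of the original message: a Python parser that picks type=TTY records out of audit log text and decodes the hex-encoded data= field. The log lines are constructed, and the function names and the way control keys are rendered are this example's own conventions.

```python
import re

# Constructed sample lines in the shape of audit log records; TTY keystrokes
# are hex-encoded in data=. All values are made up; the last line is truncated.
SAMPLE_LOG = """\
type=USER_START msg=audit(1469545526.101:410): pid=2201 uid=0 auid=1000 ses=7 msg='op=PAM:session_open res=success'
type=TTY msg=audit(1469545530.512:412): tty pid=2210 uid=1000 auid=1000 ses=7 major=136 minor=0 comm="bash" data=6C73202D6C61202F6574630D
type=TTY msg=audit(1469545541.090:415): tty pid=2210 uid=1000 auid=1000 ses=7 major=136 minor=0 comm="bash" data=77686F616D6F7F690D
type=TTY msg=audit(1469545550.300:419): tty pid=2210 uid=1000 auid=1000 ses=7 major=136 minor=0 comm="bash" data=6C730
"""

TTY_RE = re.compile(r'^type=TTY msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): tty (?P<fields>.*)$')
# Display names for common control bytes (this example's own convention).
NAMES = {0x0D: "<ret>", 0x0A: "<nl>", 0x7F: "<backspace>", 0x1B: "<esc>", 0x09: "<tab>"}

def render(raw: bytes) -> str:
    """Show printable ASCII as-is and every other byte as a visible token."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else NAMES.get(b, f"<0x{b:02X}>")
                   for b in raw)

def parse_tty_records(log_text: str) -> list:
    """Return one dict per well-formed TTY record, ignoring other record types."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
        try:
            raw = bytes.fromhex(fields.get("data", ""))
        except ValueError:
            continue  # truncated or garbled hex: skip rather than guess
        records.append({
            "time": float(m["ts"]),
            "serial": int(m["serial"]),
            "auid": int(fields.get("auid", -1)),  # login uid of the session owner
            "ses": int(fields.get("ses", -1)),
            "comm": fields.get("comm", "").strip('"'),
            "keys": render(raw),
        })
    return records

def keys_by_session(records: list) -> dict:
    """Concatenate keystrokes per audit session id, in event order."""
    sessions = {}
    for r in sorted(records, key=lambda r: (r["time"], r["serial"])):
        sessions.setdefault(r["ses"], []).append(r["keys"])
    return {ses: "".join(parts) for ses, parts in sessions.items()}
```

On a live system, `aureport --tty` produces a comparable report directly from the audit log.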




More information about the Linux-audit mailing list