How to configure auditd to register like internal bash commands?
Christian, Mark
mark.christian at intel.com
Wed Feb 9 00:54:18 UTC 2022
On Wed, 2022-02-09 at 01:24 +0100, André Letterer wrote:
> Yeah, it's a very good start.
> However it seems it still doesn't do what I want.
>
> It seems only changing the 2 files doesn't do the job:
>
> nano /etc/pam.d/system-auth
> session required pam_tty_audit.so disable=* enable=logs log_passwd
> nano /etc/pam.d/password-auth
> session required pam_tty_audit.so disable=* enable=logs log_passwd
>
> I get many more entries in /var/log/audit/audit.log for user logs,
> like for instance if I su to this one.
>
> However, unfortunately, commands like "history -c" still don't trigger
> an entry...
>
> Is there still a follow-up idea on this?
$ man pam_tty_audit
Hint: consider removing disable=* and modifying enable=logs to something
else, unless of course the only account you want to tty audit is an
account named "logs".
Mark
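
An added example (not part of the original message): a small Python evaluator for the option semantics documented in pam_tty_audit(8), where options are read left to right and a later matching enable= or disable= overrides an earlier one. It handles glob patterns only; the account names and the second PAM line are constructed for comparison.

```python
"""Evaluate which users a pam_tty_audit option list actually audits."""
from fnmatch import fnmatchcase


def tty_audit_decision(options: str, user: str) -> str:
    """Return 'enable', 'disable' or 'unchanged' for `user`.

    Options are processed left to right; a later matching enable=/disable=
    overrides an earlier one (per pam_tty_audit(8)). Only glob patterns are
    handled here; uid-range patterns are out of scope (assumption).
    """
    decision = "unchanged"
    for opt in options.split():
        key, sep, value = opt.partition("=")
        if not sep or key not in ("enable", "disable"):
            continue  # flags such as log_passwd do not select users
        if any(fnmatchcase(user, pat) for pat in value.split(",") if pat):
            decision = key
    return decision


def module_options(pam_line: str) -> str:
    """Extract the option string that follows pam_tty_audit.so on a PAM line."""
    fields = pam_line.split()
    for i, field in enumerate(fields):
        if field.endswith("pam_tty_audit.so"):
            return " ".join(fields[i + 1:])
    return ""


# Line from the thread, plus a constructed variant for comparison.
THREAD_LINE = "session required pam_tty_audit.so disable=* enable=logs log_passwd"
CONSTRUCTED_LINE = "session required pam_tty_audit.so enable=* log_passwd"

if __name__ == "__main__":
    for line in (THREAD_LINE, CONSTRUCTED_LINE):
        print(line)
        for user in ("logs", "root", "andre"):  # constructed account names
            decision = tty_audit_decision(module_options(line), user)
            print(f"  {user:6} -> {decision}")
```

With the line from the thread, only the account literally named "logs" comes out as "enable"; every other account is matched by disable=* and nothing later re-enables it.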