pam-1.1.1-10.el6_2.1.x86_64 and pam_tty_audit


I'm using pam-1.1.1-10.el6_2.1.x86_64 on RHEL6 and was hoping to gain some knowledge about how the pam_tty_audit works.

- I have "enable=*" in my pam.d config files, however only keystrokes from root are logged.
- When sudo'ing from a non-privileged account, the user's password is logged and viewable from "aureport --tty", however I can't find where this information is logged to disk. Or is it?

I'm on RHEL 6.3 and used the following command to config my box for pam_tty_audit:

    echo "session required pam_tty_audit.so enable=*" /etc/pam.d/{su,sudo,sudo-i,su-l,login,system-auth}

I also tried:

    session    required    pam_tty_audit.so enable=root,shawn

And also:

    session    required    pam_tty_audit.so disable=* enable=root,shawn

None of those three configurations seem to be auditing the user "shawn."

I just downloaded the latest stable source and have started going through modules/pam_tty_audit/pam_tty_audit.c to better understand how event data is passed from the pam_tty_audit module back to PAM to be written to disk, but any pointers would be hugely welcome!


