pam-1.1.1-10.el6_2.1.x86_64 and pam_tty_audit

[Shawn Wells]

Hello,

     I'm using pam-1.1.1-10.el6_2.1.x86_64 on RHEL6 and was hoping to 
gain some knowledge about how the pam_tty_audit works.

     Specifically,
- I have "enable=*" in my pam.d config files, however only keystrokes 
from root are logged
- When sudo'ing from a non-privileged account the users password is 
logged and viewable from "aureport --tty" however I can't find where 
this information is logged to disk. Or is it?

     I'm on RHEL 6.3 and used the following command to config my box for 
pam_tty_audit:
echo "session    required    pam_tty_audit.so enable=*" 
/etc/pam.d/{su,sudo,sudo-i,su-l,login,system-auth}

     I also tried:
session    required    pam_tty_audit.so enable=root,shawn

     And also:
session    required    pam_tty_audit.so disable=* enable=root,shawn

     None of those three configurations seem to be auditing the user 
"shawn."

     I just downloaded the latest stable source and have started going 
through modules/pam_tty_audit/pam_tty_audit.c to better understand how 
event data is passed from the pam_tty_audit module back to PAM to be 
written to disk, but any pointers would be hugely welcome!

-Shawn