[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

tty events



I've written an audit plugin to collect statistical data.
I have collected a lot of data over the past few weeks, and the only puzzler relates to tty data.
I'm using pam_tty_audit and am collecting specific users, including root.

When logged in as root, the tty events are sent to the plugin in near real-time.
However, when logged in as a user, the events are cached someplace and are eventually flushed to the dispatcher/plugin.
The other odd thing is the cached user events are in a single event, and is a collection of multiple tty commands stored into one chunk of data.

I've looked at the source code but do not see where this caching takes place.
I'd like to know if there is a setting to disable this caching and send the events in real time, or at least have a way to break these events up, and acquire a timestamp that matches when the events took place.

Here is a snippet of one of these 'compound' events:

     type=TTY (TTY)
pid=14778 (14778)
uid=501 (robert)
auid=501 (robert)
major=136 (136)
minor=3 (3)
comm="ssh" (ssh)
data=""
("ech",<backspace>,<backspace>,"nv | grep SSH",<ret>,"service auditd
stop",<ret>,<up>,<backspace>,<backspace>,"art",<ret>,"su",
ret>,"password",<ret>,"service auditd stop",<ret>,<up>,<backspace>,
<backspace>,"art",<ret>,"ls",<ret>,"p",<backspace>,"ls",<ret>,"exit",
<ret>,"exit",<ret>)

- Robert


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]