Strange behavior with pam_tty_audit

Steve Grubb sgrubb at redhat.com
Tue Nov 14 13:53:02 UTC 2017


Hello,

On Tuesday, November 14, 2017 8:29:34 AM EST Maupertuis Philippe wrote:
> The auditd rules for PCI reads :
> ## 10.2.2 Log administrative action. To meet this, you need to enable tty
> ## logging. The pam config below should be placed into su and sudo pam stacks.
> ## session   required pam_tty_audit.so disable=* enable=root
> 
> I have noticed that nothing happened unless I add in /etc/pam.d/sshd
> session    required pam_tty_audit.so enable=*

If I understand, you deleted the 'disable=*' and replaced 'root' with '*'. 
That would be unusual. The command line is processed from left to right. So, 
what should happen in the original rule is disable auditing of all users, then 
enable auditing of only root. PCI wants administrative actions which would 
only be the root user.


> At which point I get
> 
> Should it be done that way ?
> Did I miss something ?

It works for me as specified in the PCI rules. (Tested using su.) Note that 
the kernel caches the keystrokes and you do not get a 1x1 mapping of events to 
commands entered. You will likely get multiple commands all strung together. 
It only creates the event when either it fills the buffer or the user ends the 
privileged session.

-Steve
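A small model of pam_tty_audit's left-to-right option processing, added here as an example and not part of Steve's reply or of the pam_tty_audit module itself: it evaluates which users a `session` line would audit under the rule that the last matching `enable=`/`disable=` entry wins, so the PCI line `disable=* enable=root` audits only root, `enable=*` audits everyone, and the reversed order `enable=root disable=*` audits nobody. Treating a user matched by no entry as "not audited" is an assumption of this model (the module leaves the existing status alone in that case).

```python
import shlex
from typing import List


def parse_session_line(line: str) -> List[str]:
    """Return the module arguments of a 'session ... pam_tty_audit.so' PAM line.

    Everything after the module path is the argument list, e.g.
    'disable=* enable=root'. Raises ValueError for any other line.
    """
    fields = shlex.split(line)  # PAM lines are whitespace separated; no globbing here
    if len(fields) < 3 or fields[0] != "session" or not fields[2].endswith("pam_tty_audit.so"):
        raise ValueError(f"not a pam_tty_audit session line: {line!r}")
    return fields[3:]


def tty_audit_enabled(args: List[str], user: str) -> bool:
    """Decide whether 'user' gets TTY auditing under the given module arguments.

    Entries are processed left to right; the last enable=/disable= entry that
    names the user (or '*') decides. A user matched by no entry is modelled as
    not audited (assumption: the real module leaves the current status unchanged).
    """
    enabled = False
    for arg in args:
        key, _, value = arg.partition("=")
        if key not in ("enable", "disable"):
            continue  # flags such as open_only or log_passwd do not select users
        users = [u.strip() for u in value.split(",")]
        if user in users or "*" in users:
            enabled = (key == "enable")
    return enabled


def audited_users(line: str, candidates: List[str]) -> List[str]:
    """Which of 'candidates' would be audited by the given session line."""
    args = parse_session_line(line)
    return [u for u in candidates if tty_audit_enabled(args, u)]


if __name__ == "__main__":
    # Constructed sample lines: the PCI rule from the thread, the poster's
    # variant, and the same two options in the opposite order.
    pci = "session   required pam_tty_audit.so disable=* enable=root"
    poster = "session    required pam_tty_audit.so enable=*"
    reversed_order = "session required pam_tty_audit.so enable=root disable=*"
    users = ["root", "alice", "bob"]
    for line in (pci, poster, reversed_order):
        print(f"{line!r:70} -> audits {audited_users(line, users)}")
```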

