
7.9. Configuring PAM for Auditing


7.9.1. Configuring pam_tty_audit

The audit system in Red Hat Enterprise Linux uses the pam_tty_audit PAM module to enable or disable auditing of TTY input for specified users. When the audited user logs in, pam_tty_audit records the exact keystrokes the user makes into the /var/log/audit/audit.log file. The module works with the auditd daemon, so make sure it is enabled before configuring pam_tty_audit. See Section 7.4, “Starting the audit Service” for more information.
When you want to specify user names for TTY auditing, modify the /etc/pam.d/system-auth and /etc/pam.d/password-auth files using the disable and enable options in the following format:
 session required pam_tty_audit.so disable=username,username2 enable=username 
You can specify one or more user names separated by commas in the options. Any disable or enable option overrides the previous opposite option which matches the same user name. When TTY auditing is enabled, it is inherited by all processes started by that user. In particular, daemons restarted by a user will still have TTY auditing enabled, and will audit TTY input even by other users, unless auditing for these users is explicitly disabled. Therefore, it is recommended to use disable=* as the first option for most daemons using PAM.

Important

By default, pam_tty_audit does NOT log keystrokes when the TTY is in password entry mode. Logging can be re-enabled by adding the log_passwd option along with the other options in the following way:
 session required pam_tty_audit.so disable=username,username2 enable=username log_passwd 
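The left-to-right override rule and the log_passwd option described above can be checked before a PAM file is deployed. The following Python script is an added example, not Red Hat code: it resolves which users a pam_tty_audit line audits and whether their password input would be logged. The sample file content is constructed, and treating each listed name as a shell-style glob is an assumption based on the disable=* form used on this page.

```python
import fnmatch

# Constructed sample PAM file content (not taken from a real host).
SAMPLE = """\
session  required  pam_limits.so
session  required  pam_tty_audit.so disable=* enable=root
"""

def tty_audit_options(pam_text):
    """Yield the option list of each session line that loads pam_tty_audit.so."""
    for raw in pam_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens or tokens[0].lstrip("-") != "session":
            continue
        for i, tok in enumerate(tokens):
            if tok.rsplit("/", 1)[-1] == "pam_tty_audit.so":
                yield tokens[i + 1:]
                break

def effective_state(options, user):
    """Apply enable=/disable= left to right; the last option matching user wins.

    Returns (audited, log_passwd). audited is None when no option matches.
    """
    audited, log_passwd = None, False
    for opt in options:
        key, _, value = opt.partition("=")
        if key in ("enable", "disable"):
            # Assumption: entries are shell-style globs, as disable=* suggests.
            if any(fnmatch.fnmatchcase(user, p) for p in value.split(",")):
                audited = (key == "enable")
        elif opt == "log_passwd":
            log_passwd = True
    return audited, log_passwd

def review(pam_text, users):
    """Map each user to (audited, passwords_logged) for the whole file."""
    report = {}
    for user in users:
        audited, passwords = None, False
        for options in tty_audit_options(pam_text):
            state, log_passwd = effective_state(options, user)
            if state is not None:
                audited, passwords = state, bool(state and log_passwd)
        report[user] = (audited, passwords)
    return report

if __name__ == "__main__":
    for user, (audited, passwords) in review(SAMPLE, ["root", "alice"]).items():
        print(f"{user}: audited={audited} passwords_logged={passwords}")
```

Reversing the option order to enable=root disable=* leaves root unaudited, because the later disable=* also matches root.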
When you enable the module, the input is logged in the /var/log/audit/audit.log file, written by the auditd daemon. Note that the input is not logged immediately, because TTY auditing first stores the keystrokes in a buffer and writes the record periodically, or once the audited user logs out. The audit.log file contains all keystrokes entered by the specified user, including backspaces, delete and return keys, the control key and others. Although the contents of audit.log are human-readable, it might be easier to use the aureport utility, which provides a TTY report in an easy-to-read format. You can use the following command as root:
~]# aureport --tty
The following is an example of how to configure pam_tty_audit to track the actions of the root user across all terminals and then review the input.

Example 7.8. Configuring pam_tty_audit to log root actions

Enter the following line in the session section of the /etc/pam.d/system-auth and /etc/pam.d/password-auth files:
session    required     pam_tty_audit.so disable=* enable=root
Use the aureport --tty command to view the log. If the root user logged in to a TTY console at around 11:00 and tried to issue the pwd command, but then deleted it and issued ls instead, the report will look like this:
~]# aureport --tty -ts today | tail
40. 08/28/2014 11:00:27 901 0 ? 76 bash "pwd",<backspace>,<backspace><backspace>,"ls",<ret>
41. 08/28/2014 11:00:29 903 0 ? 76 bash <^D>
For more information, see the pam_tty_audit(8) manual page.
© 2025 Red Hat