TTY Auditing Different in RHEL 8
Issue
- After enabling pam_tty_audit as described in "How to use pam_tty_audit.so?", aureport on RHEL 7 and earlier shows each TTY record on its own line with its own timestamp, for example:

  44. 31/05/20 21:58:31 5800 1000 ? 665 ? "date"
  45. 31/05/20 21:58:35 5801 1000 ? 665 bash <up>,<up>,<up>,<up>,<ret>
  46. 31/05/20 21:58:35 5802 1000 ? 665 ? "aureport --tty"

  In RHEL 8, however, the whole session is concatenated into a single record with only one timestamp:

  12. 31/05/20 21:59:01 2031 1000 ? 12 bash <up>,<ret>,"passwd",<ret>,<^R>,"ls",<^R>,<^R>,<^R>,"diffman ssshd",<left>,<left>,<backspace>,<end>,"_config",<ret>,"cat /etc/red",<tab>,<ret>,"rpm -qa|grep faill",<ret>,"rpm -ql pam",<ret>,"man pam_faillcok",<left>,<left>,<backspace>,<right>,"c",<ret>,<up>,<home>,<up>,<left>,<left>,<left>,<left>,<backspace>,"c",<ret>,"vim /etc/security/faillock.conf",<ret>,<up>,<ret>,"find / -name system-auth",<ret>,"cat /usr/share/authselect/default/sssd/system-auth",<ret>,"man pam_pwquality",<ret>,<up>,<up>,<home>,<delete>,<delete>,<delete>,"diff cd /etc/pam.",<tab>,<ret>,"grep pam_tty",<ret>,<up>," *",<ret>,"cat system",<tab>,"-a",<tab>,<ret>,<up>,"cat pass",<tab>,"o",<tab>,<ret>,<up>,<ret>,<^D>
- In RHEL 7, pam_tty_audit records are available via aureport immediately and are logged individually:

  [root@rhel-7 ~]# aureport --tty -ts today

  TTY Report
  ===============================================
  # date time event auid term sess comm data
  ===============================================
  10. 12/09/2019 21:41:56 773 1000 ? 5 bash "one",<ret>
  11. 12/09/2019 21:41:56 774 1000 ? 5 ? "one"
  12. 12/09/2019 21:41:58 775 1000 ? 5 bash "two",<ret>
  13. 12/09/2019 21:41:58 776 1000 ? 5 ? "two"
  14. 12/09/2019 21:41:59 777 1000 ? 5 bash "three",<ret>
  15. 12/09/2019 21:41:59 778 1000 ? 5 ? "three"

  In RHEL 8, nothing is recorded until the user logs out, and the whole session is then logged as one entry. While the session is still open, aureport shows nothing for it, and once it is written the individual commands carry no timestamps of their own:

  [root@rhel-8 ~]# aureport --tty -ts today

  TTY Report
  ===============================================
  # date time event auid term sess comm data
  ===============================================
  [root@rhel-8]# logout
  Connection to 127.0.0.1 closed.

  After logging back in:

  [root@rhel-8 ~]# aureport --tty -ts today

  TTY Report
  ===============================================
  # date time event auid term sess comm data
  ===============================================
  7. 09/12/19 22:23:59 162 1000 ? 5 bash <up>,<up>,<up>,<up>,<ret>,"cd /var/log/ss",<tab>,<ret>,"ll",<ret>,"cat *",<ret>,"cat /etc/pam.",<tab>,"sudo",<ret>,<ret>,<ret>,<ret>,<ret>,"one",<ret>,"two",<ret>,"three",<ret>,<^R>,"au",<ret>,"date",<ret>,<^D>
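The single-record format above is awkward to review by hand. The following is an added example, not part of the Red Hat article and not an audit tool of its own: it parses the `aureport --tty` line layout shown on this page (record number, date, time, event, auid, term, sess, comm, data) and replays the keystroke tokens of the data column into one reconstructed line per command. Literal strings and the cursor keys `<left>`, `<right>`, `<home>`, `<end>`, `<backspace>` and `<delete>` are replayed exactly; keys whose effect depends on shell state (`<up>`, `<tab>`, `<^R>` and the like) cannot be resolved from the audit record alone, so the command is kept with a placeholder and flagged as not exact. The key names and column order are assumed to be exactly as aureport prints them in the output quoted above; the sample input in the block is constructed from those records.

```python
import re
from dataclasses import dataclass, field

# One token of the aureport "data" column: a double-quoted literal or a <key>.
# Whitespace between tokens is ignored (aureport wraps long records).
TOKEN_RE = re.compile(r'"([^"]*)"|<([^>]*)>')

# Keys that terminate the line being typed: Enter, and Ctrl-D at session end.
LINE_END_KEYS = {"ret", "^D"}


@dataclass
class TtyRecord:
    num: str
    date: str
    time: str
    event: str
    auid: str
    term: str
    sess: str
    comm: str
    data: str


def parse_tty_report_line(line):
    """Split one record line of `aureport --tty` into its nine columns.

    Only the last column (data) may contain spaces, so a limited split is
    enough. Header and separator lines return None. Column layout assumed
    from the aureport output quoted on this page.
    """
    parts = line.strip().split(None, 8)
    if len(parts) != 9 or not parts[0].endswith("."):
        return None
    return TtyRecord(*parts)


def tokenize_data(data):
    """Yield ('lit', text) for quoted literals and ('key', name) for <key>s."""
    for m in TOKEN_RE.finditer(data):
        if m.group(1) is not None:
            yield ("lit", m.group(1))
        else:
            yield ("key", m.group(2))


@dataclass
class Command:
    text: str                 # line as reconstructed by replaying keystrokes
    exact: bool               # False if a history/completion key was involved
    unresolved: list = field(default_factory=list)  # keys not replayable


def reconstruct_commands(data):
    """Replay a concatenated pam_tty_audit record into per-command lines.

    Literals are inserted at the cursor, cursor movement and deletion keys are
    applied, and <ret> (or a trailing <^D>) ends the current command. Empty
    lines (bare <ret>) are dropped. Unresolvable keys are inserted as a
    '<key>' placeholder and listed in Command.unresolved.
    """
    commands = []
    buf, cursor, unresolved = [], 0, []

    def flush():
        nonlocal buf, cursor, unresolved
        if buf:
            commands.append(Command("".join(buf), not unresolved, unresolved))
        buf, cursor, unresolved = [], 0, []

    for kind, value in tokenize_data(data):
        if kind == "lit":
            buf[cursor:cursor] = list(value)
            cursor += len(value)
        elif value in LINE_END_KEYS:
            flush()
        elif value == "left":
            cursor = max(0, cursor - 1)
        elif value == "right":
            cursor = min(len(buf), cursor + 1)
        elif value == "home":
            cursor = 0
        elif value == "end":
            cursor = len(buf)
        elif value == "backspace":
            if cursor > 0:
                del buf[cursor - 1]
                cursor -= 1
        elif value == "delete":
            if cursor < len(buf):
                del buf[cursor]
        else:  # <up>, <tab>, <^R>, ... need shell state we do not have
            unresolved.append(value)
            placeholder = "<%s>" % value
            buf[cursor:cursor] = list(placeholder)
            cursor += len(placeholder)
    flush()
    return commands


def commands_from_report(report_text):
    """Parse full `aureport --tty` output into [(TtyRecord, [Command, ...])]."""
    out = []
    for line in report_text.splitlines():
        rec = parse_tty_report_line(line)
        if rec is not None:
            out.append((rec, reconstruct_commands(rec.data)))
    return out


if __name__ == "__main__":
    # Constructed sample: one RHEL 8 style session record, as quoted above.
    sample = ('7. 09/12/19 22:23:59 162 1000 ? 5 bash <up>,<ret>,'
              '"man pam_faillcok",<left>,<left>,<backspace>,<right>,"c",<ret>,'
              '"cat /etc/red",<tab>,<ret>,"date",<ret>,<^D>')
    for rec, cmds in commands_from_report(sample):
        for c in cmds:
            mark = "" if c.exact else "  (approximate: %s)" % ",".join(c.unresolved)
            print("%s %s auid=%s ses=%s: %s%s" % (rec.date, rec.time, rec.auid, rec.sess, c.text, mark))
```

Running the block prints one line per command with the record's single timestamp repeated, which makes the limitation visible: every command of the session inherits the same time, and anything typed via history recall or tab completion shows up only as an approximation. Feed the real `aureport --tty` output to `commands_from_report` to do the same over a whole report.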
Environment
- Red Hat Enterprise Linux (RHEL) 8