TTY Auditing Different in RHEL 8

Solution Unverified

Issue

  • After enabling pam_tty_audit as described in How to use pam_tty_audit.so? in RHEL 7 and earlier, aureport shows the logs line by line, each with its own timestamp, e.g.:

    44. 31/05/20 21:58:31 5800 1000 ? 665 ? "date"
    45. 31/05/20 21:58:35 5801 1000 ? 665 bash <up>,<up>,<up>,<up>,<ret>
    46. 31/05/20 21:58:35 5802 1000 ? 665 ? "aureport --tty"
    

    In RHEL 8, however, the whole session gets concatenated onto a single line with only one timestamp:

    12. 31/05/20 21:59:01 2031 1000 ? 12 bash <up>,<ret>,"passwd",<ret>,<^R>,"ls",<^R>,<^R>,<^R>,"diffman ssshd",
    <left>,<left>,<backspace>,<end>,"_config",<ret>,"cat /etc/red",<tab>,<ret>,"rpm -qa|grep faill",<ret>,
    "rpm -ql pam",<ret>,"man pam_faillcok",<left>,<left>,<backspace>,<right>,"c",<ret>,<up>,<home>,<up>,<left>,<left>,
    <left>,<left>,<backspace>,"c",<ret>,"vim /etc/security/faillock.conf",<ret>,<up>,<ret>,"find / -name system-auth",
    <ret>,"cat /usr/share/authselect/default/sssd/system-auth",<ret>,"man pam_pwquality",<ret>,<up>,<up>,<home>,
    <delete>,<delete>,<delete>,"diff cd /etc/pam.",<tab>,<ret>,"grep pam_tty",<ret>,<up>," *",<ret>,"cat system",
    <tab>,"-a",<tab>,<ret>,<up>,"cat pass",<tab>,"o",<tab>,<ret>,<up>,<ret>,<^D>
    
  • In RHEL 7, pam_tty_audit logs are immediately available via aureport and are logged individually:

    [root@rhel-7 ~]#  aureport --tty -ts today
    
    TTY Report
    ===============================================
    # date time event auid term sess comm data
    ===============================================
    10. 12/09/2019 21:41:56 773 1000 ? 5 bash "one",<ret>
    11. 12/09/2019 21:41:56 774 1000 ? 5 ? "one"
    12. 12/09/2019 21:41:58 775 1000 ? 5 bash "two",<ret>
    13. 12/09/2019 21:41:58 776 1000 ? 5 ? "two"
    14. 12/09/2019 21:41:59 777 1000 ? 5 bash "three",<ret>
    15. 12/09/2019 21:41:59 778 1000 ? 5 ? "three"
    

    In RHEL 8 they do not get logged until the user logs out, and the whole session is logged as one entry:

    [root@rhel-8 ~]# aureport --tty -ts today
    
    TTY Report
    ===============================================
    # date time event auid term sess comm data
    ===============================================
    
    [root@rhel-8]# logout
    Connection to 127.0.0.1 closed.
    

    After logging back in:

    [root@rhel-8 ~]# aureport --tty -ts today
    
    TTY Report
    ===============================================
    # date time event auid term sess comm data
    ===============================================
    7. 09/12/19 22:23:59 162 1000 ? 5 bash <up>,<up>,<up>,<up>,<ret>,"cd /var/log/ss",<tab>,<ret>,"ll",<ret>,"cat *",<ret>,"cat /etc/pam.",<tab>,"sudo",<ret>,<ret>,<ret>,<ret>,<ret>,"one",<ret>,"two",<ret>,"three",<ret>,<^R>,"au",<ret>,"date",<ret>,<^D>
    
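    Because a RHEL 8 record carries one timestamp for the whole session, the per-command timing visible in the RHEL 7 output is not recoverable; what can still be recovered is the sequence of lines the user entered. The script below is an added example and is not part of this article or of the audit tools: it parses a numbered `aureport --tty` line using the header columns shown above (`# date time event auid term sess comm data`), tokenizes the data field into quoted literals and `<key>` names, and splits the stream on `<ret>` so that a RHEL 8 session record yields one entry per line typed. The two sample records are copied from the aureport output above; `<backspace>` handling is a best-effort heuristic, and history recall (`<up>`, `<^R>`) or completion (`<tab>`) is kept as a placeholder because the audit record does not contain what the shell expanded it to.

```python
"""Split concatenated RHEL 8 style `aureport --tty` records into the lines the user entered.

Added example, not part of the Red Hat article. Sample records are taken from
the article's aureport output; the column layout follows its report header.
"""
import re
from typing import Dict, List, Tuple

# One keystroke token: a quoted literal ("...") or a key name (<ret>, <^D>, ...).
_TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|<([^>]*)>')

Token = Tuple[str, str]  # ("lit", text) or ("key", name)

# Records copied from the article's output: one RHEL 7 record (one line per record)
# and one RHEL 8 record (the whole session in one record).
RHEL7_RECORD = '10. 12/09/2019 21:41:56 773 1000 ? 5 bash "one",<ret>'
RHEL8_RECORD = (
    '7. 09/12/19 22:23:59 162 1000 ? 5 bash <up>,<up>,<up>,<up>,<ret>,"cd /var/log/ss",<tab>,<ret>,'
    '"ll",<ret>,"cat *",<ret>,"cat /etc/pam.",<tab>,"sudo",<ret>,<ret>,<ret>,<ret>,<ret>,"one",<ret>,'
    '"two",<ret>,"three",<ret>,<^R>,"au",<ret>,"date",<ret>,<^D>'
)


def parse_report_line(line: str) -> Dict[str, str]:
    """Split one numbered aureport --tty line into its named columns.

    The data column is everything after comm, so it is kept whole even though
    it contains spaces and commas.
    """
    parts = line.strip().split(None, 8)
    if len(parts) != 9:
        raise ValueError(f"unexpected aureport --tty line: {line!r}")
    keys = ("index", "date", "time", "event", "auid", "term", "sess", "comm", "data")
    return dict(zip(keys, parts))


def tokenize(data: str) -> List[Token]:
    """Turn the data column into a list of literal/key tokens."""
    tokens: List[Token] = []
    for m in _TOKEN_RE.finditer(data):
        if m.group(1) is not None:
            tokens.append(("lit", m.group(1)))
        else:
            tokens.append(("key", m.group(2)))
    return tokens


def split_lines(tokens: List[Token]) -> List[List[Token]]:
    """Split the token stream on <ret>; each element is one entered line.

    A trailing partial line (for example the <^D> that ended the session) is
    kept only when it is non-empty.
    """
    lines: List[List[Token]] = []
    current: List[Token] = []
    for tok in tokens:
        if tok == ("key", "ret"):
            lines.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        lines.append(current)
    return lines


def render(tokens: List[Token]) -> str:
    """Best-effort text of one entered line.

    Literal text is concatenated; <backspace> deletes the preceding literal
    character when one exists; every other key (<up>, <^R>, <tab>, cursor
    movement) stays as a placeholder because the record does not say what
    history recall or completion expanded to.
    """
    pieces: List[Token] = []
    for kind, text in tokens:
        if kind == "key" and text == "backspace" and pieces and pieces[-1][0] == "lit":
            trimmed = pieces[-1][1][:-1]
            pieces[-1] = ("lit", trimmed)
            if not trimmed:
                pieces.pop()
        elif kind == "lit":
            pieces.append(("lit", text))
        else:
            pieces.append(("key", f"<{text}>"))
    return "".join(text for _, text in pieces)


def session_lines(record_line: str) -> List[str]:
    """Rendered lines of one record: one for a RHEL 7 record, many for a RHEL 8 one."""
    rec = parse_report_line(record_line)
    return [render(line) for line in split_lines(tokenize(rec["data"]))]


if __name__ == "__main__":
    for record in (RHEL7_RECORD, RHEL8_RECORD):
        rec = parse_report_line(record)
        lines = session_lines(record)
        # Only the record timestamp is available; individual lines carry none.
        print(f"{rec['date']} {rec['time']} sess={rec['sess']} auid={rec['auid']}: {len(lines)} line(s)")
        for n, text in enumerate(lines, 1):
            print(f"  {n:2d}: {text}")
```

Run against the RHEL 8 record, the script reports fifteen entered lines (four of them empty, from the bare `<ret>` presses) under a single timestamp, which is the practical consequence of the buffering this article describes: you can still see what was typed, but not when each line was entered.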

Environment

  • Red Hat Enterprise Linux (RHEL) 8
