pam_tty_audit.so does not create USER_TTY events
Environment
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
Issue
When session required pam_tty_audit.so enable=* is added to PAM configurations, it generates TTY events but no USER_TTY events. This is verified using the aureport --tty command after the session has ended.
Resolution
- The pam_tty_audit PAM module enables or disables TTY auditing, which is not enabled by default in the kernel.
- Required parameters to enable for all users:
# vi /etc/pam.d/sshd
--snip--
account include password-auth
password include password-auth
session required pam_tty_audit.so enable=* # <---- add this line
# pam_selinux.so close should be the first session rule
- Required parameters to enable for specific users:
# vi /etc/pam.d/sshd
--snip--
account include password-auth
password include password-auth
session required pam_tty_audit.so disable=* enable=<user1>,<user2> # <---- add this line
# pam_selinux.so close should be the first session rule
- Then check:
# aureport --tty
The output expected is similar to the below:
TTY Report
===============================================
# date time event auid term sess comm data
===============================================
1. 08/23/2023 18:02:02 749 1660800009 pts1 8 bash "ls",<ret>,"cat /et",<tab>,"res",<backspace>,"d",<tab>,<ret>,<^D>
Important:
By default, pam_tty_audit does NOT log keystrokes when the TTY is in password entry mode. Logging can be re-enabled by adding the log_passwd option along with the other options in the following way:
session required pam_tty_audit.so disable=username,username2 enable=username log_passwd
Also see the pam_tty_audit and pam_debug man pages for more information:
# man pam_tty_audit
# man pam_debug
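To verify a PAM configuration before relying on it, the following script (added here as an example; it is not part of the Red Hat solution) inspects a pam.d file the way the Resolution and Diagnostic Steps above describe: it checks that a pam_tty_audit.so session rule exists, extracts the enable= value, flags log_passwd (which makes password keystrokes land in the audit log), and confirms the rule comes after the pam_selinux.so close rule. The file contents are a constructed sample written to a temporary file, so nothing on the real system is read or changed; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample of an /etc/pam.d/sshd file (hypothetical content), written
# to a temporary file so the checks below run offline against known input.
SAMPLE_PAM=$(mktemp)
cat >"$SAMPLE_PAM" <<'EOF'
auth       substack     password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_tty_audit.so disable=* enable=alice,bob log_passwd
session    include      password-auth
EOF

# Return 0 if a pam_tty_audit.so session rule is present in the given file.
has_tty_audit() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_tty_audit\.so' "$1"
}

# Print the module options (everything after pam_tty_audit.so) of the first
# matching session rule, with any trailing comment stripped.
tty_audit_options() {
    grep -E '^[[:space:]]*session[[:space:]].*pam_tty_audit\.so' "$1" | head -n1 \
        | sed -E 's/.*pam_tty_audit\.so[[:space:]]*//; s/[[:space:]]*#.*$//'
}

# Print the value of enable= ("*" for all users, or a comma-separated list).
tty_audit_enabled_users() {
    tty_audit_options "$1" | tr ' ' '\n' | sed -n 's/^enable=//p'
}

# Return 0 if password-mode keystrokes would be logged (log_passwd present).
tty_audit_logs_passwd() {
    tty_audit_options "$1" | tr ' ' '\n' | grep -qx 'log_passwd'
}

# Return 0 if the pam_tty_audit.so rule comes after "pam_selinux.so close",
# which the article says should be the first session rule.
tty_audit_after_selinux_close() {
    selinux_line=$(grep -nE '^[[:space:]]*session[[:space:]].*pam_selinux\.so[[:space:]]+close' "$1" | head -n1 | cut -d: -f1)
    audit_line=$(grep -nE '^[[:space:]]*session[[:space:]].*pam_tty_audit\.so' "$1" | head -n1 | cut -d: -f1)
    [ -n "$selinux_line" ] && [ -n "$audit_line" ] && [ "$selinux_line" -lt "$audit_line" ]
}

# Stand-alone run: summarise the constructed sample.
if has_tty_audit "$SAMPLE_PAM"; then
    echo "pam_tty_audit.so configured; enable=$(tty_audit_enabled_users "$SAMPLE_PAM")"
    if tty_audit_logs_passwd "$SAMPLE_PAM"; then
        echo "note: log_passwd is set, password keystrokes will be written to the audit log"
    fi
    if ! tty_audit_after_selinux_close "$SAMPLE_PAM"; then
        echo "warning: pam_tty_audit.so rule is not after pam_selinux.so close"
    fi
else
    echo "pam_tty_audit.so not configured: no USER_TTY events will be generated"
fi
```

Point the functions at /etc/pam.d/sshd (or /etc/pam.d/system-auth) instead of $SAMPLE_PAM to check a live host; the log_passwd check is the one to pay attention to, since with it set the audit log becomes a store of cleartext passwords and must be protected accordingly.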
References:
7.9. Configuring PAM for Auditing Red Hat Enterprise Linux 6 | Red Hat Customer Portal
Root Cause
By default, the kernel does not audit input on any TTY.
Diagnostic Steps
- Check that all keystrokes by the user are being registered:
# aureport --tty
If the pam_tty_audit.so module is not enabled, the output will appear as follows:
TTY Report
===============================================
# date time event auid term sess comm data
===============================================
<no events of interest were found>
- Check if you can find the following string in /etc/pam.d/sshd file.
# grep -r pam_tty_audit.so /etc/pam.d/sshd
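The TTY Report shown in the Resolution and Diagnostic Steps sections has a fixed column layout (number, date, time, event, auid, term, sess, comm, data), so it can be post-processed with awk once the configuration is in place. The functions below are an added example, not part of the Red Hat solution: they count event rows (zero is the "no events of interest were found" case that an unconfigured pam_tty_audit.so produces), list the auid/session/command columns, pull out the typed data for one event, and find which auids typed a given string. Both report samples are constructed, with made-up event numbers, auids and keystrokes.

```shell
#!/bin/sh
# Constructed sample of `aureport --tty` output (hypothetical events; the
# auid, session and keystroke data are made up for this example).
SAMPLE_REPORT='TTY Report
===============================================
# date time event auid term sess comm data
===============================================
1. 08/23/2023 18:02:02 749 1660800009 pts1 8 bash "ls",<ret>,"cat /et",<tab>,"res",<backspace>,"d",<tab>,<ret>,<^D>
2. 08/23/2023 18:05:11 812 1660800009 pts1 8 bash "sudo -i",<ret>'

# Constructed sample of the report when pam_tty_audit.so is not enabled.
EMPTY_REPORT='TTY Report
===============================================
# date time event auid term sess comm data
===============================================
<no events of interest were found>'

# Print the number of event rows (lines starting with "N."). 0 means no
# keystrokes were recorded; grep -c exits 1 on zero matches, hence "|| true".
tty_event_count() {
    printf '%s\n' "$1" | grep -Ec '^[0-9]+\. ' || true
}

# Print "auid sess comm" for every event row, the fields to key on when
# correlating recorded keystrokes with a login session.
tty_event_sessions() {
    printf '%s\n' "$1" | awk '/^[0-9]+\. / { print $5, $7, $8 }'
}

# Print the data column for the event with the given number. The data may
# contain spaces (e.g. "cat /et"), so fields 9..NF are re-joined with spaces.
tty_event_data() {
    printf '%s\n' "$1" | awk -v n="$2" \
        '$1 == n "." { for (i = 9; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n") }'
}

# Print the distinct auids whose recorded data contains the given quoted
# command string, e.g. `tty_auids_typing "$REPORT" "sudo -i"`.
tty_auids_typing() {
    printf '%s\n' "$1" | awk -v needle="\"$2\"" \
        '/^[0-9]+\. / && index($0, needle) { print $5 }' | sort -u
}

# Stand-alone run over both constructed samples.
echo "events in sample report: $(tty_event_count "$SAMPLE_REPORT")"
echo "events in empty report:  $(tty_event_count "$EMPTY_REPORT")"
tty_event_sessions "$SAMPLE_REPORT"
echo "event 2 data: $(tty_event_data "$SAMPLE_REPORT" 2)"
echo "auids typing sudo -i: $(tty_auids_typing "$SAMPLE_REPORT" "sudo -i")"
```

On a live host, replace the samples with `REPORT=$(aureport --tty)`; a count of 0 after a session that should have been audited is the symptom described in the Issue section, and points back at the pam.d configuration rather than at auditd.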
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.