author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-05-06 01:38:36 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-05-06 01:38:36 +0000
commit: 26367bfc399cb3862f94ddca8fce87f98f26d67e
tree: ba3a4e02ed5ec62fe645dfa810c01d26decf591f /modules/pam_tty_audit/README
parent: Initial commit.
Adding upstream version 1.3.1. (refs: upstream/1.3.1, upstream)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'modules/pam_tty_audit/README')
-rw-r--r-- modules/pam_tty_audit/README | 64
1 files changed, 64 insertions, 0 deletions
diff --git a/modules/pam_tty_audit/README b/modules/pam_tty_audit/README
new file mode 100644
index 0000000..ac947a3
--- /dev/null
+++ b/modules/pam_tty_audit/README
@@ -0,0 +1,64 @@
+pam_tty_audit — Enable or disable TTY auditing for specified users
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+DESCRIPTION
+
+The pam_tty_audit PAM module is used to enable or disable TTY auditing. By
+default, the kernel does not audit input on any TTY.
+
+OPTIONS
+
+disable=patterns
+
+ For each user matching patterns, disable TTY auditing. This overrides any
+ previous enable option matching the same user name on the command line. See
+ NOTES for further description of patterns.
+
+enable=patterns
+
+ For each user matching patterns, enable TTY auditing. This overrides any
+ previous disable option matching the same user name on the command line.
+ See NOTES for further description of patterns.
+
+open_only
+
+ Set the TTY audit flag when opening the session, but do not restore it when
+ closing the session. Using this option is necessary for some services that
+ don't fork() to run the authenticated session, such as sudo.
+
+log_passwd
+
+ Log keystrokes when ECHO mode is off but ICANON mode is active. This is the
+ mode in which the tty is placed during password entry. By default,
+ passwords are not logged. This option may not be available on older kernels
+ (3.9?).
+
+NOTES
+
+When TTY auditing is enabled, it is inherited by all processes started by that
+user. In particular, daemons restarted by an user will still have TTY auditing
+enabled, and audit TTY input even by other users unless auditing for these
+users is explicitly disabled. Therefore, it is recommended to use disable=* as
+the first option for most daemons using PAM.
+
+To view the data that was logged by the kernel to audit use the command
+aureport --tty.
+
+The patterns are comma separated lists of glob patterns or ranges of uids. A
+range is specified as min_uid:max_uid where one of these values can be empty.
+If min_uid is empty only user with the uid max_uid will be matched. If max_uid
+is empty users with the uid greater than or equal to min_uid will be matched.
+
+EXAMPLES
+
+Audit all administrative actions.
+
+session required pam_tty_audit.so disable=* enable=root
+
+
+AUTHOR
+
+pam_tty_audit was written by Miloslav Trmač <mitr@redhat.com>. The log_passwd
+option was added by Richard Guy Briggs <rgb@redhat.com>.
+
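Review bot: the log_passwd entry leaves the kernel requirement as a question ("This option may not be available on older kernels (3.9?).") and the README should either state the minimum kernel version definitively or drop the parenthetical, since an administrator deciding whether to enable this option needs a firm answer; the same entry would also benefit from one sentence noting that, once enabled, password keystrokes are written to the audit log and so the audit log itself must be protected accordingly. Two wording fixes in NOTES: "daemons restarted by an user" should read "daemons restarted by a user", and "only user with the uid max_uid will be matched" should read "only the user with the uid max_uid will be matched". The EXAMPLES entry could state explicitly that option order matters, since OPTIONS says a later enable or disable overrides an earlier one matching the same user name; that is why "session required pam_tty_audit.so disable=* enable=root" must list disable=* before enable=root, and a reader who reverses the order would silently audit nothing.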