diff options
Diffstat (limited to '')
-rw-r--r-- | modules/pam_tty_audit/pam_tty_audit.8 | 131 | ||||
-rw-r--r-- | modules/pam_tty_audit/pam_tty_audit.8.xml | 192 |
2 files changed, 323 insertions, 0 deletions
diff --git a/modules/pam_tty_audit/pam_tty_audit.8 b/modules/pam_tty_audit/pam_tty_audit.8 new file mode 100644 index 0000000..e080081 --- /dev/null +++ b/modules/pam_tty_audit/pam_tty_audit.8 @@ -0,0 +1,131 @@ +'\" t +.\" Title: pam_tty_audit +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> +.\" Date: 05/18/2018 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_TTY_AUDIT" "8" "05/18/2018" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_tty_audit \- Enable or disable TTY auditing for specified users +.SH "SYNOPSIS" +.HP \w'\fBpam_tty_audit\&.so\fR\ 'u +\fBpam_tty_audit\&.so\fR [disable=\fIpatterns\fR] [enable=\fIpatterns\fR] +.SH "DESCRIPTION" +.PP +The pam_tty_audit PAM module is used to enable or disable TTY auditing\&. By default, the kernel does not audit input on any TTY\&. +.SH "OPTIONS" +.PP +\fBdisable=\fR\fB\fIpatterns\fR\fR +.RS 4 +For each user matching +\fB\fIpatterns\fR\fR, disable TTY auditing\&. This overrides any previous +\fBenable\fR +option matching the same user name on the command line\&. See NOTES for further description of +\fB\fIpatterns\fR\fR\&. +.RE +.PP +\fBenable=\fR\fB\fIpatterns\fR\fR +.RS 4 +For each user matching +\fB\fIpatterns\fR\fR, enable TTY auditing\&. This overrides any previous +\fBdisable\fR +option matching the same user name on the command line\&. See NOTES for further description of +\fB\fIpatterns\fR\fR\&. +.RE +.PP +\fBopen_only\fR +.RS 4 +Set the TTY audit flag when opening the session, but do not restore it when closing the session\&. Using this option is necessary for some services that don\*(Aqt +\fBfork()\fR +to run the authenticated session, such as +\fBsudo\fR\&. +.RE +.PP +\fBlog_passwd\fR +.RS 4 +Log keystrokes when ECHO mode is off but ICANON mode is active\&. This is the mode in which the tty is placed during password entry\&. By default, passwords are not logged\&. This option may not be available on older kernels (3\&.9?)\&. +.RE +.SH "MODULE TYPES PROVIDED" +.PP +Only the +\fBsession\fR +type is supported\&. +.SH "RETURN VALUES" +.PP +PAM_SESSION_ERR +.RS 4 +Error reading or modifying the TTY audit flag\&. See the system log for more details\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Success\&. +.RE +.SH "NOTES" +.PP +When TTY auditing is enabled, it is inherited by all processes started by that user\&. In particular, daemons restarted by an user will still have TTY auditing enabled, and audit TTY input even by other users unless auditing for these users is explicitly disabled\&. Therefore, it is recommended to use +\fBdisable=*\fR +as the first option for most daemons using PAM\&. +.PP +To view the data that was logged by the kernel to audit use the command +\fBaureport \-\-tty\fR\&. +.PP +The +\fB\fIpatterns\fR\fR +are comma separated lists of glob patterns or ranges of uids\&. A range is specified as +\fImin_uid\fR:\fImax_uid\fR +where one of these values can be empty\&. If +\fImin_uid\fR +is empty only user with the uid +\fImax_uid\fR +will be matched\&. If +\fImax_uid\fR +is empty users with the uid greater than or equal to +\fImin_uid\fR +will be matched\&. +.SH "EXAMPLES" +.PP +Audit all administrative actions\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +session required pam_tty_audit\&.so disable=* enable=root + +.fi +.if n \{\ +.RE +.\} +.sp +.SH "SEE ALSO" +.PP +\fBaureport\fR(8), +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_tty_audit was written by Miloslav Trmač <mitr@redhat\&.com>\&. The log_passwd option was added by Richard Guy Briggs <rgb@redhat\&.com>\&. diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml new file mode 100644 index 0000000..59a3406 --- /dev/null +++ b/modules/pam_tty_audit/pam_tty_audit.8.xml @@ -0,0 +1,192 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_tty_audit"> + + <refmeta> + <refentrytitle>pam_tty_audit</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_tty_audit-name"> + <refname>pam_tty_audit</refname> + <refpurpose>Enable or disable TTY auditing for specified users</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_tty_audit-cmdsynopsis"> + <command>pam_tty_audit.so</command> + <arg choice="opt"> + disable=<replaceable>patterns</replaceable> + </arg> + <arg choice="opt"> + enable=<replaceable>patterns</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_tty_audit-description"> + <title>DESCRIPTION</title> + <para> + The pam_tty_audit PAM module is used to enable or disable TTY auditing. + By default, the kernel does not audit input on any TTY. + </para> + </refsect1> + + <refsect1 id="pam_tty_audit-options"> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>disable=<replaceable>patterns</replaceable></option> + </term> + <listitem> + <para> + For each user matching <option><replaceable>patterns</replaceable></option>, + disable TTY auditing. This overrides any previous <option>enable</option> + option matching the same user name on the command line. See NOTES + for further description of <option><replaceable>patterns</replaceable></option>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>enable=<replaceable>patterns</replaceable></option> + </term> + <listitem> + <para> + For each user matching <option><replaceable>patterns</replaceable></option>, + enable TTY auditing. This overrides any previous <option>disable</option> + option matching the same user name on the command line. See NOTES + for further description of <option><replaceable>patterns</replaceable></option>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>open_only</option> + </term> + <listitem> + <para> + Set the TTY audit flag when opening the session, but do not restore + it when closing the session. Using this option is necessary for + some services that don't <function>fork()</function> to run the + authenticated session, such as <command>sudo</command>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>log_passwd</option> + </term> + <listitem> + <para> + Log keystrokes when ECHO mode is off but ICANON mode is active. + This is the mode in which the tty is placed during password entry. + By default, passwords are not logged. This option may not be + available on older kernels (3.9?). + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_tty_audit-types"> + <title>MODULE TYPES PROVIDED</title> + <para> + Only the <emphasis remap='B'>session</emphasis> type is supported. + </para> + </refsect1> + + <refsect1 id='pam_tty_audit-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SESSION_ERR</term> + <listitem> + <para> + Error reading or modifying the TTY audit flag. See the system log + for more details. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Success. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 id='pam_tty_audit-notes'> + <title>NOTES</title> + <para> + When TTY auditing is enabled, it is inherited by all processes started by + that user. In particular, daemons restarted by an user will still have + TTY auditing enabled, and audit TTY input even by other users unless + auditing for these users is explicitly disabled. Therefore, it is + recommended to use <option>disable=*</option> as the first option for + most daemons using PAM. + </para> + <para> + To view the data that was logged by the kernel to audit use + the command <command>aureport --tty</command>. + </para> + <para> + The <option><replaceable>patterns</replaceable></option> are comma separated + lists of glob patterns or ranges of uids. A range is specified as + <replaceable>min_uid</replaceable>:<replaceable>max_uid</replaceable> where + one of these values can be empty. If <replaceable>min_uid</replaceable> is + empty only user with the uid <replaceable>max_uid</replaceable> will be + matched. If <replaceable>max_uid</replaceable> is empty users with the uid + greater than or equal to <replaceable>min_uid</replaceable> will be + matched. + </para> + </refsect1> + + <refsect1 id='pam_tty_audit-examples'> + <title>EXAMPLES</title> + <para> + Audit all administrative actions. + <programlisting> +session required pam_tty_audit.so disable=* enable=root + </programlisting> + </para> + </refsect1> + + <refsect1 id='pam_tty_audit-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>aureport</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_tty_audit-author'> + <title>AUTHOR</title> + <para> + pam_tty_audit was written by Miloslav Trmač + <mitr@redhat.com>. + The log_passwd option was added by Richard Guy Briggs + <rgb@redhat.com>. + </para> + </refsect1> + +</refentry> |