<?xml version="1.0" encoding='UTF-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
<refentry id="pam_tty_audit">
<refmeta>
<refentrytitle>pam_tty_audit</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
</refmeta>
<refnamediv id="pam_tty_audit-name">
<refname>pam_tty_audit</refname>
<refpurpose>Enable or disable TTY auditing for specified users</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis id="pam_tty_audit-cmdsynopsis">
<command>pam_tty_audit.so</command>
<arg choice="opt">
disable=<replaceable>patterns</replaceable>
</arg>
<arg choice="opt">
enable=<replaceable>patterns</replaceable>
</arg>
<arg choice="opt">open_only</arg>
<arg choice="opt">log_passwd</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 id="pam_tty_audit-description">
<title>DESCRIPTION</title>
<para>
The pam_tty_audit PAM module enables or disables TTY auditing for the
session being opened. When auditing is enabled, the kernel records the
input typed on the session's TTY to the audit subsystem. By default,
the kernel does not audit input on any TTY.
</para>
</refsect1>
<refsect1 id="pam_tty_audit-options">
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>
<option>disable=<replaceable>patterns</replaceable></option>
</term>
<listitem>
<para>
For each user matching <option><replaceable>patterns</replaceable></option>,
disable TTY auditing. This overrides any <option>enable</option> option
earlier in the module argument list that matches the same user. See NOTES
for further description of <option><replaceable>patterns</replaceable></option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>enable=<replaceable>patterns</replaceable></option>
</term>
<listitem>
<para>
For each user matching <option><replaceable>patterns</replaceable></option>,
enable TTY auditing. This overrides any <option>disable</option> option
earlier in the module argument list that matches the same user. See NOTES
for further description of <option><replaceable>patterns</replaceable></option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>open_only</option>
</term>
<listitem>
<para>
Set the TTY audit flag when opening the session, but do not restore
its previous value when closing the session. This is necessary for
services that do not <function>fork()</function> to run the
authenticated session, such as <command>sudo</command>: the session is
closed in the same process that goes on to run the command, so restoring
the flag there would switch auditing off before the command starts.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>log_passwd</option>
</term>
<listitem>
<para>
Also log keystrokes typed while ECHO mode is off but ICANON mode is
active. This is the mode in which the TTY is placed during password
entry, so by default input typed in this mode, and therefore passwords,
is not logged. This option requires kernel support and may not be
available on older kernels (before roughly 3.9).
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id="pam_tty_audit-types">
<title>MODULE TYPES PROVIDED</title>
<para>
Only the <emphasis remap='B'>session</emphasis> type is supported.
</para>
</refsect1>
<refsect1 id='pam_tty_audit-return_values'>
<title>RETURN VALUES</title>
<variablelist>
<varlistentry>
<term>PAM_SESSION_ERR</term>
<listitem>
<para>
Error reading or modifying the TTY audit flag. See the system log
for more details.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_SUCCESS</term>
<listitem>
<para>
Success.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='pam_tty_audit-notes'>
<title>NOTES</title>
<para>
When TTY auditing is enabled, it is inherited by all processes started by
that user. In particular, daemons restarted by a user will still have
TTY auditing enabled, and will audit TTY input even from other users unless
auditing for those users is explicitly disabled. Therefore, it is
recommended to use <option>disable=*</option> as the first option for
most daemons using PAM.
</para>
<para>
To view the TTY input that the kernel has logged to the audit subsystem,
use the command <command>aureport --tty</command>.
</para>
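<para>
As an added example, not part of Linux-PAM or of the audit userspace tools,
the following script decodes raw <literal>type=TTY</literal> records from
the audit log by hand, which is the work <command>aureport --tty</command>
and <command>ausearch -i</command> do for you. The record lines in
<literal>SAMPLE_RECORDS</literal> are constructed for this example; the
assumption is that a TTY record carries the captured input hex-encoded in
its <literal>data=</literal> field alongside <literal>uid=</literal>,
<literal>auid=</literal> and <literal>ses=</literal>. Grouping by
<literal>auid</literal> and <literal>ses</literal> rather than by
<literal>uid</literal> is what attributes keystrokes typed in a root shell
back to the user who logged in.
</para>

```python
"""Decode raw type=TTY audit records into readable keystrokes.

Added example, not code from Linux-PAM or audit-userspace. The lines
in SAMPLE_RECORDS are constructed for this example; the assumed
layout is that of a TTY record in /var/log/audit/audit.log, with the
captured input hex-encoded in data=.
"""
import re

# Constructed sample: a user with login uid 1000 who is now running a
# root shell (uid=0) types two commands and then Ctrl-C. The SYSCALL
# line shows that non-TTY records are skipped.
SAMPLE_RECORDS = """\
type=TTY msg=audit(1700000000.101:4242): tty pid=2071 uid=0 auid=1000 ses=3 major=136 minor=2 comm="bash" data=6964202D750A
type=TTY msg=audit(1700000000.202:4243): tty pid=2071 uid=0 auid=1000 ses=3 major=136 minor=2 comm="bash" data=636174202F6574632F736861646F770A
type=TTY msg=audit(1700000000.303:4244): tty pid=2071 uid=0 auid=1000 ses=3 major=136 minor=2 comm="bash" data=03
type=SYSCALL msg=audit(1700000000.404:4245): arch=c000003e syscall=59 success=yes exit=0
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def render_keys(keys: bytes) -> str:
    """Printable view: control bytes as ^X, newline as \\n, others as \\xNN.

    This rendering is the example's own, not the one ausearch uses.
    """
    out = []
    for b in keys:
        if b == 0x0A:
            out.append("\\n")
        elif b < 0x20:
            out.append("^" + chr(b + 0x40))
        elif b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def parse_tty_record(line: str):
    """Return a dict for a type=TTY record, or None for any other type."""
    m = RECORD_RE.match(line.strip())
    if m is None or m.group("type") != "TTY":
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    keys = bytes.fromhex(fields["data"])
    return {
        "serial": int(m.group("serial")),
        "uid": int(fields["uid"]),
        "auid": int(fields["auid"]),      # login uid: survives su/sudo
        "ses": int(fields.get("ses", -1)),
        "comm": fields.get("comm", ""),
        "keys": keys,
        "text": render_keys(keys),
    }


def keystrokes_by_session(lines):
    """Concatenate decoded input per (auid, ses), in record order."""
    sessions = {}
    for line in lines:
        rec = parse_tty_record(line)
        if rec is None:
            continue
        sessions.setdefault((rec["auid"], rec["ses"]), []).append(rec["text"])
    return {key: "".join(parts) for key, parts in sessions.items()}


if __name__ == "__main__":
    by_session = keystrokes_by_session(SAMPLE_RECORDS.splitlines())
    for (auid, ses), text in by_session.items():
        print("auid=%d ses=%d: %s" % (auid, ses, text))
```

<para>
Run against a real <filename>/var/log/audit/audit.log</filename>, the
script needs read access to the log, which normally means root. The
<literal>uid=0</literal> / <literal>auid=1000</literal> pair in the sample
is the reason to key on the login uid: the flag set by pam_tty_audit at
login follows the user into the root shell, and the records keep the
original identity.
</para>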
<para>
The <option><replaceable>patterns</replaceable></option> are comma separated
lists of glob patterns matched against the user name, or ranges of uids.
A range is specified as
<replaceable>min_uid</replaceable>:<replaceable>max_uid</replaceable>, where
one of the two values may be empty. If <replaceable>min_uid</replaceable> is
empty, only the user with the uid <replaceable>max_uid</replaceable> is
matched. If <replaceable>max_uid</replaceable> is empty, users with a uid
greater than or equal to <replaceable>min_uid</replaceable> are matched.
</para>
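<para>
The pattern syntax above and the override rule from OPTIONS (the last
<option>enable</option> or <option>disable</option> that matches a user
wins) can be checked with the following evaluator, an added example that
is not Linux-PAM code: given the module arguments from a
<filename>pam.d</filename> line, a user name and a uid, it reports whether
TTY auditing would be switched on, switched off, or left as it was. The
names <literal>tty_audit_policy</literal>, <literal>user_matches</literal>
and <literal>policy_from_pam_line</literal> are this example's own. Two
assumptions are drawn from the option descriptions: a pattern containing a
colon is a uid range and anything else is a glob on the user name, and a
user matched by no pattern keeps the existing flag.
</para>

```python
"""Model how pam_tty_audit resolves enable=/disable= patterns.

Added example, not code from Linux-PAM. Patterns are comma separated;
a pattern containing ':' is read as a uid range (min:max, :max or
min:), anything else as a shell glob on the user name (assumption
taken from the option descriptions). Options are processed left to
right, so the last enable=/disable= that matches a user wins.
"""
import fnmatch
import shlex


def uid_range_matches(pattern: str, uid: int) -> bool:
    """min:max (inclusive), :max (exactly max) or min: (min and above)."""
    lo, _, hi = pattern.partition(":")
    if lo == "":
        return hi != "" and uid == int(hi)
    if hi == "":
        return uid >= int(lo)
    return int(lo) <= uid <= int(hi)


def user_matches(patterns: str, user: str, uid: int) -> bool:
    """True if any comma separated pattern matches this user."""
    for pat in patterns.split(","):
        pat = pat.strip()
        if not pat:
            continue
        if ":" in pat:
            if uid_range_matches(pat, uid):
                return True
        elif fnmatch.fnmatchcase(user, pat):
            return True
    return False


def tty_audit_policy(module_args: str, user: str, uid: int):
    """Return (audit, open_only, log_passwd).

    audit is True (flag set), False (flag cleared) or None when no
    pattern matched, in which case the module is assumed to leave the
    current flag alone (the page only defines behaviour for matching
    users).
    """
    audit = None
    open_only = False
    log_passwd = False
    for arg in shlex.split(module_args):
        if arg.startswith("enable="):
            if user_matches(arg[len("enable="):], user, uid):
                audit = True
        elif arg.startswith("disable="):
            if user_matches(arg[len("disable="):], user, uid):
                audit = False
        elif arg == "open_only":
            open_only = True
        elif arg == "log_passwd":
            log_passwd = True
    return audit, open_only, log_passwd


def policy_from_pam_line(line: str, user: str, uid: int):
    """Evaluate the arguments following pam_tty_audit.so in a pam.d line."""
    tokens = shlex.split(line)
    try:
        start = next(i for i, t in enumerate(tokens)
                     if t.endswith("pam_tty_audit.so")) + 1
    except StopIteration:
        raise ValueError("not a pam_tty_audit line: %r" % line)
    return tty_audit_policy(" ".join(tokens[start:]), user, uid)


if __name__ == "__main__":
    # The line from the EXAMPLES section: audit root, nobody else.
    line = "session required pam_tty_audit.so disable=* enable=root"
    for user, uid in (("root", 0), ("alice", 1000), ("sshd", 74)):
        print(user, policy_from_pam_line(line, user, uid))
```

<para>
Evaluating a candidate line for the daemon's own account as well as for
the users it serves is a quick way to confirm the
<option>disable=*</option> advice above: without it, a user whose session
already carries the audit flag can leave it set on any daemon that session
restarts.
</para>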
<para>
Please note that in some circumstances passwords may be logged by TTY
auditing even if <option>log_passwd</option> is not used. For example, all
input to an ssh session is logged, including a password typed into some
program running on the remote host, because only the local TTY state
affects local TTY auditing and the remote password prompt does not change
it.
</para>
</refsect1>
<refsect1 id='pam_tty_audit-examples'>
<title>EXAMPLES</title>
<para>
Audit everything root types and nothing typed by other users. The
<option>disable=*</option> comes first so that any other user, and any
daemon restarted from an audited session, has the flag cleared:
<programlisting>
session required pam_tty_audit.so disable=* enable=root
</programlisting>
</para>
</refsect1>
<refsect1 id='pam_tty_audit-see_also'>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>aureport</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
<refsect1 id='pam_tty_audit-author'>
<title>AUTHOR</title>
<para>
pam_tty_audit was written by Miloslav Trmač
&lt;mitr@redhat.com&gt;.
The log_passwd option was added by Richard Guy Briggs
&lt;rgb@redhat.com&gt;.
</para>
</refsect1>
</refentry>