summaryrefslogtreecommitdiffstats
path: root/modules/pam_tty_audit/pam_tty_audit.8
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--modules/pam_tty_audit/pam_tty_audit.8135
-rw-r--r--modules/pam_tty_audit/pam_tty_audit.8.xml199
2 files changed, 334 insertions, 0 deletions
diff --git a/modules/pam_tty_audit/pam_tty_audit.8 b/modules/pam_tty_audit/pam_tty_audit.8
new file mode 100644
index 0000000..628cec4
--- /dev/null
+++ b/modules/pam_tty_audit/pam_tty_audit.8
@@ -0,0 +1,135 @@
+'\" t
+.\" Title: pam_tty_audit
+.\" Author: [see the "AUTHOR" section]
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Date: 09/03/2021
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\" Language: English
+.\"
+.TH "PAM_TTY_AUDIT" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+pam_tty_audit \- Enable or disable TTY auditing for specified users
+.SH "SYNOPSIS"
+.HP \w'\fBpam_tty_audit\&.so\fR\ 'u
+\fBpam_tty_audit\&.so\fR [disable=\fIpatterns\fR] [enable=\fIpatterns\fR]
+.SH "DESCRIPTION"
+.PP
+The pam_tty_audit PAM module is used to enable or disable TTY auditing\&. By default, the kernel does not audit input on any TTY\&.
+.SH "OPTIONS"
+.PP
+\fBdisable=\fR\fB\fIpatterns\fR\fR
+.RS 4
+For each user matching
+\fB\fIpatterns\fR\fR, disable TTY auditing\&. This overrides any previous
+\fBenable\fR
+option matching the same user name on the command line\&. See NOTES for further description of
+\fB\fIpatterns\fR\fR\&.
+.RE
+.PP
+\fBenable=\fR\fB\fIpatterns\fR\fR
+.RS 4
+For each user matching
+\fB\fIpatterns\fR\fR, enable TTY auditing\&. This overrides any previous
+\fBdisable\fR
+option matching the same user name on the command line\&. See NOTES for further description of
+\fB\fIpatterns\fR\fR\&.
+.RE
+.PP
+\fBopen_only\fR
+.RS 4
+Set the TTY audit flag when opening the session, but do not restore it when closing the session\&. Using this option is necessary for some services that don\*(Aqt
+\fBfork()\fR
+to run the authenticated session, such as
+\fBsudo\fR\&.
+.RE
+.PP
+\fBlog_passwd\fR
+.RS 4
+Log keystrokes when ECHO mode is off but ICANON mode is active\&. This is the mode in which the tty is placed during password entry\&. By default, passwords are not logged\&. This option may not be available on older kernels (3\&.9?)\&.
+.RE
+.SH "MODULE TYPES PROVIDED"
+.PP
+Only the
+\fBsession\fR
+type is supported\&.
+.SH "RETURN VALUES"
+.PP
+PAM_SESSION_ERR
+.RS 4
+Error reading or modifying the TTY audit flag\&. See the system log for more details\&.
+.RE
+.PP
+PAM_SUCCESS
+.RS 4
+Success\&.
+.RE
+.SH "NOTES"
+.PP
+When TTY auditing is enabled, it is inherited by all processes started by that user\&. In particular, daemons restarted by a user will still have TTY auditing enabled, and audit TTY input even by other users unless auditing for these users is explicitly disabled\&. Therefore, it is recommended to use
+\fBdisable=*\fR
+as the first option for most daemons using PAM\&.
+.PP
+To view the data that was logged by the kernel to audit use the command
+\fBaureport \-\-tty\fR\&.
+.PP
+The
+\fB\fIpatterns\fR\fR
+are comma separated lists of glob patterns or ranges of uids\&. A range is specified as
+\fImin_uid\fR:\fImax_uid\fR
+where one of these values can be empty\&. If
+\fImin_uid\fR
+is empty only user with the uid
+\fImax_uid\fR
+will be matched\&. If
+\fImax_uid\fR
+is empty users with the uid greater than or equal to
+\fImin_uid\fR
+will be matched\&.
+.PP
+Please note that passwords in some circumstances may be logged by TTY auditing even if the
+\fBlog_passwd\fR
+is not used\&. For example, all input to an ssh session will be logged \- even if there is a password being typed into some software running at the remote host because only the local TTY state affects the local TTY auditing\&.
+.SH "EXAMPLES"
+.PP
+Audit all administrative actions\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+session required pam_tty_audit\&.so disable=* enable=root
+
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+.SH "SEE ALSO"
+.PP
+\fBaureport\fR(8),
+\fBpam.conf\fR(5),
+\fBpam.d\fR(5),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_tty_audit was written by Miloslav Trmač <mitr@redhat\&.com>\&. The log_passwd option was added by Richard Guy Briggs <rgb@redhat\&.com>\&.
diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml
new file mode 100644
index 0000000..1c0ba5c
--- /dev/null
+++ b/modules/pam_tty_audit/pam_tty_audit.8.xml
@@ -0,0 +1,199 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_tty_audit">
+
+ <refmeta>
+ <refentrytitle>pam_tty_audit</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pam_tty_audit-name">
+ <refname>pam_tty_audit</refname>
+ <refpurpose>Enable or disable TTY auditing for specified users</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pam_tty_audit-cmdsynopsis">
+ <command>pam_tty_audit.so</command>
+ <arg choice="opt">
+ disable=<replaceable>patterns</replaceable>
+ </arg>
+ <arg choice="opt">
+ enable=<replaceable>patterns</replaceable>
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="pam_tty_audit-description">
+ <title>DESCRIPTION</title>
+ <para>
+ The pam_tty_audit PAM module is used to enable or disable TTY auditing.
+ By default, the kernel does not audit input on any TTY.
+ </para>
+ </refsect1>
+
+ <refsect1 id="pam_tty_audit-options">
+ <title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>disable=<replaceable>patterns</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ For each user matching <option><replaceable>patterns</replaceable></option>,
+ disable TTY auditing. This overrides any previous <option>enable</option>
+ option matching the same user name on the command line. See NOTES
+ for further description of <option><replaceable>patterns</replaceable></option>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>enable=<replaceable>patterns</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ For each user matching <option><replaceable>patterns</replaceable></option>,
+ enable TTY auditing. This overrides any previous <option>disable</option>
+ option matching the same user name on the command line. See NOTES
+ for further description of <option><replaceable>patterns</replaceable></option>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>open_only</option>
+ </term>
+ <listitem>
+ <para>
+ Set the TTY audit flag when opening the session, but do not restore
+ it when closing the session. Using this option is necessary for
+ some services that don't <function>fork()</function> to run the
+ authenticated session, such as <command>sudo</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>log_passwd</option>
+ </term>
+ <listitem>
+ <para>
+ Log keystrokes when ECHO mode is off but ICANON mode is active.
+ This is the mode in which the tty is placed during password entry.
+ By default, passwords are not logged. This option may not be
+ available on older kernels (3.9?).
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="pam_tty_audit-types">
+ <title>MODULE TYPES PROVIDED</title>
+ <para>
+ Only the <emphasis remap='B'>session</emphasis> type is supported.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_tty_audit-return_values'>
+ <title>RETURN VALUES</title>
+ <variablelist>
+ <varlistentry>
+ <term>PAM_SESSION_ERR</term>
+ <listitem>
+ <para>
+ Error reading or modifying the TTY audit flag. See the system log
+ for more details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>PAM_SUCCESS</term>
+ <listitem>
+ <para>
+ Success.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pam_tty_audit-notes'>
+ <title>NOTES</title>
+ <para>
+ When TTY auditing is enabled, it is inherited by all processes started by
+ that user. In particular, daemons restarted by a user will still have
+ TTY auditing enabled, and audit TTY input even by other users unless
+ auditing for these users is explicitly disabled. Therefore, it is
+ recommended to use <option>disable=*</option> as the first option for
+ most daemons using PAM.
+ </para>
+ <para>
+ To view the data that was logged by the kernel to audit use
+ the command <command>aureport --tty</command>.
+ </para>
+ <para>
+ The <option><replaceable>patterns</replaceable></option> are comma separated
+ lists of glob patterns or ranges of uids. A range is specified as
+ <replaceable>min_uid</replaceable>:<replaceable>max_uid</replaceable> where
+ one of these values can be empty. If <replaceable>min_uid</replaceable> is
+ empty only user with the uid <replaceable>max_uid</replaceable> will be
+ matched. If <replaceable>max_uid</replaceable> is empty users with the uid
+ greater than or equal to <replaceable>min_uid</replaceable> will be
+ matched.
+ </para>
+ <para>
+ Please note that passwords in some circumstances may be logged by TTY auditing
+ even if the <option>log_passwd</option> is not used. For example, all input to
+ an ssh session will be logged - even if there is a password being typed into
+ some software running at the remote host because only the local TTY state
+ affects the local TTY auditing.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_tty_audit-examples'>
+ <title>EXAMPLES</title>
+ <para>
+ Audit all administrative actions.
+ <programlisting>
+session required pam_tty_audit.so disable=* enable=root
+ </programlisting>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_tty_audit-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>aureport</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_tty_audit-author'>
+ <title>AUTHOR</title>
+ <para>
+ pam_tty_audit was written by Miloslav Trma&ccaron;
+ &lt;mitr@redhat.com&gt;.
+ The log_passwd option was added by Richard Guy Briggs
+ &lt;rgb@redhat.com&gt;.
+ </para>
+ </refsect1>
+
+</refentry>
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-20 04:05:58 +0000