From 9ada0093e92388590c7368600ca4e9e3e376f0d0 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 16:22:51 +0200 Subject: Adding upstream version 1.5.2. Signed-off-by: Daniel Baumann --- modules/pam_tty_audit/pam_tty_audit.8.xml | 199 ++++++++++++++++++++++++++++++ 1 file changed, 199 insertions(+) create mode 100644 modules/pam_tty_audit/pam_tty_audit.8.xml (limited to 'modules/pam_tty_audit/pam_tty_audit.8.xml') diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml new file mode 100644 index 0000000..1c0ba5c --- /dev/null +++ b/modules/pam_tty_audit/pam_tty_audit.8.xml @@ -0,0 +1,199 @@ + + + + + + + pam_tty_audit + 8 + Linux-PAM Manual + + + + pam_tty_audit + Enable or disable TTY auditing for specified users + + + + + pam_tty_audit.so + + disable=patterns + + + enable=patterns + + + + + + DESCRIPTION + + The pam_tty_audit PAM module is used to enable or disable TTY auditing. + By default, the kernel does not audit input on any TTY. + + + + + OPTIONS + + + + + + + + For each user matching , + disable TTY auditing. This overrides any previous + option matching the same user name on the command line. See NOTES + for further description of . + + + + + + + + + + For each user matching , + enable TTY auditing. This overrides any previous + option matching the same user name on the command line. See NOTES + for further description of . + + + + + + + + + + Set the TTY audit flag when opening the session, but do not restore + it when closing the session. Using this option is necessary for + some services that don't fork() to run the + authenticated session, such as sudo. + + + + + + + + + + Log keystrokes when ECHO mode is off but ICANON mode is active. + This is the mode in which the tty is placed during password entry. + By default, passwords are not logged. This option may not be + available on older kernels (3.9?). + + + + + + + + MODULE TYPES PROVIDED + + Only the session type is supported. + + + + + RETURN VALUES + + + PAM_SESSION_ERR + + + Error reading or modifying the TTY audit flag. See the system log + for more details. + + + + + + PAM_SUCCESS + + + Success. + + + + + + + + + NOTES + + When TTY auditing is enabled, it is inherited by all processes started by + that user. In particular, daemons restarted by a user will still have + TTY auditing enabled, and audit TTY input even by other users unless + auditing for these users is explicitly disabled. Therefore, it is + recommended to use as the first option for + most daemons using PAM. + + + To view the data that was logged by the kernel to audit use + the command aureport --tty. + + + The are comma separated + lists of glob patterns or ranges of uids. A range is specified as + min_uid:max_uid where + one of these values can be empty. If min_uid is + empty only user with the uid max_uid will be + matched. If max_uid is empty users with the uid + greater than or equal to min_uid will be + matched. + + + Please note that passwords in some circumstances may be logged by TTY auditing + even if the is not used. For example, all input to + an ssh session will be logged - even if there is a password being typed into + some software running at the remote host because only the local TTY state + affects the local TTY auditing. + + + + + EXAMPLES + + Audit all administrative actions. + +session required pam_tty_audit.so disable=* enable=root + + + + + + SEE ALSO + + + aureport8 + , + + pam.conf5 + , + + pam.d5 + , + + pam8 + + + + + + AUTHOR + + pam_tty_audit was written by Miloslav Trmač + <mitr@redhat.com>. + The log_passwd option was added by Richard Guy Briggs + <rgb@redhat.com>. + + + + -- cgit v1.2.3