
I'm working on a CentOS 6.3 box and am trying to log all commands executed from a bash shell and came across pam_tty_audit. I've added the appropriate line to my /etc/pam.d/system-auth file:

session     required      pam_tty_audit.so enable=*

The problem is that it does not appear to capture commands unless a user is root. For example, if I ssh in as root it logs everything to the audit log, but if I ssh as a regular user it does not start logging anything until after I have su to root.

Any ideas?

Scott Pack
Jeff

1 Answer


This could be due to a built-in protection from the auditing system. Here is a relevant quote from somebody debugging your same situation. It appears as though non-root users are prevented from sending the USER_TTY records. Instead commands will be written out either when bash exits or the collection buffer fills up.

You should be able to find the information you're looking for after the user logs out.

Scott Pack
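For checking the audit log after the user has logged out, here is an added example (not part of the original question or answer) that decodes the hex-encoded `data=` field of `type=TTY` records into command lines. The sample log lines are constructed, and the record layout is an assumption based on the kernel's TTY audit format; the function names are hypothetical.

```python
import re

# Constructed sample audit.log lines (assumed type=TTY layout; values are made up).
# The first TTY record is a regular user's session, the second follows an su to root.
SAMPLE_LOG = """\
type=USER_START msg=audit(1357000000.100:50): user pid=2001 uid=0 auid=500 ses=3 msg='op=PAM:session_open acct="jeff" res=success'
type=TTY msg=audit(1357000300.200:61): tty pid=2005 uid=500 auid=500 ses=3 major=136 minor=0 comm="bash" data=6C73202D6C0D77686F616D690D
type=TTY msg=audit(1357000301.300:62): tty pid=2040 uid=0 auid=500 ses=3 major=136 minor=0 comm="bash" data=6964647F0D
"""

TTY_RE = re.compile(
    r'^type=TTY msg=audit\((\d+)\.\d+:\d+\):.*?\buid=(\d+) auid=(\d+) ses=(\d+)'
    r'.*?\bdata=([0-9A-Fa-f]+)\s*$'
)

def decode_keystrokes(hexdata):
    """Turn hex-encoded keystrokes into the lines the user ended up submitting."""
    lines, cur = [], []
    for b in bytes.fromhex(hexdata):
        if b in (0x0D, 0x0A):            # Enter: the current line is complete
            if cur:
                lines.append("".join(cur))
            cur = []
        elif b in (0x7F, 0x08):          # DEL / backspace: drop the last character
            if cur:
                cur.pop()
        elif 0x20 <= b < 0x7F:           # printable ASCII; other control bytes are skipped
            cur.append(chr(b))
    if cur:                              # keystrokes flushed before Enter was pressed
        lines.append("".join(cur))
    return lines

def tty_commands(log_text):
    """Return one dict per decoded command line found in type=TTY records."""
    out = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if not m:
            continue
        ts, uid, auid, ses, data = m.groups()
        for cmd in decode_keystrokes(data):
            out.append({"time": int(ts), "uid": int(uid), "auid": int(auid),
                        "ses": int(ses), "command": cmd})
    return out

if __name__ == "__main__":
    for rec in tty_commands(SAMPLE_LOG):
        print(rec)
```

The `auid` field stays at the login user's ID across `su`, so it ties root-shell keystrokes back to the account that logged in. `aureport --tty` from the audit package produces a comparable report.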