I just compiled the pam_tty_audit module, because my Linux distro doesn't include it with the usual PAM modules.

I added the configuration line to /etc/common-session, as suggested in this question. In /var/log/messages I get a message each time sudo, crontab or login is executed:

login[18635]: pam_tty_audit(login:session): changed status from 0 to 1

But when I search for events in the audit daemon log, I don't get anything related to the commands executed in that user session:

sudo /sbin/ausearch -ts today
----
time->Thu May 30 17:46:52 2013
type=DAEMON_START msg=audit(1369928812.430:3659): auditd start, ver=1.7.7 format=raw kernel=3.0.13-0.27-default auid=1010 pid=17873 subj=unconfined  res=success
----
time->Thu May 30 17:57:01 2013
type=DAEMON_END msg=audit(1369929421.259:3660): auditd normal halt, sending auid=1010 pid=18874 subj= res=success
----
time->Thu May 30 17:57:01 2013
type=DAEMON_START msg=audit(1369929421.343:6499): auditd start, ver=1.7.7 format=raw kernel=3.0.13-0.27-default auid=1010 pid=18891 subj=unconfined  res=success

As you can see above, only daemon start and stop are stored in my audit logs.

Of course, I will move the PAM configuration from common-session to the login and ssh files.

I'm very confused right now because I cannot understand why I cannot get the audit log!

Thanks in advance

JoseLSegura

1 Answer


OK, it was only a configuration issue. After reading the openSUSE Audit documentation in [1] completely, I was able to get the audit daemon to log by setting the variable AUDITD_DISABLE_CONTEXTS to "no" in /etc/sysconfig/auditd.

[1] http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/part.audit.html

JoseLSegura
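The checks below are an added example, not code from the question or the answer above. They cover both the symptom in the question (an ausearch output with nothing but DAEMON_* records) and the fix in the answer (AUDITD_DISABLE_CONTEXTS="no"): a POSIX sh script that verifies the PAM session line, the sysconfig setting, and whether saved ausearch output actually contains type=TTY records, and decodes the hex data= field of one such record. The sample files it writes to a temp directory are constructed for the example; the TTY record is made up to follow the type=TTY record layout and was not captured from a host, and the "yes" value in the bad sysconfig sample is only an assumed pre-fix value.

```shell
#!/bin/sh
# Added example (not from the question or answer above): offline checks for a
# pam_tty_audit setup.  Every sample file here is constructed in a temp dir.

# 1. Does the PAM service file load pam_tty_audit in its session stack?
pam_tty_audit_configured() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_tty_audit\.so' "$1"
}

# 2. Is AUDITD_DISABLE_CONTEXTS set to "no" in the sysconfig file?  The answer
#    above found that any other value left ausearch with daemon records only.
auditd_contexts_enabled() {
    val=$(grep -E '^[[:space:]]*AUDITD_DISABLE_CONTEXTS=' "$1" | tail -n 1 \
          | cut -d= -f2 | tr -d '"' | tr -d "'" | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    [ "$val" = "no" ]
}

# 3. How many type=TTY records does a saved ausearch output contain?
count_tty_records() {
    n=$(grep -c '^type=TTY ' "$1" || true)
    echo "$n"
}

# Decode the hex-encoded data= field of a TTY record into text, in plain sh
# (no xxd).  Trailing newlines are dropped by the command substitution.
hex_to_text() {
    hex=$1
    out=''
    while [ -n "$hex" ]; do
        pair=$(printf '%s' "$hex" | cut -c1-2)
        hex=$(printf '%s' "$hex" | cut -c3-)
        octal=$(printf '%03o' "$((0x$pair))")
        out="$out$(printf "\\$octal")"
    done
    printf '%s' "$out"
}

# Extract and decode the data= field of the first TTY record in a file.
first_tty_keystrokes() {
    h=$(grep '^type=TTY ' "$1" | head -n 1 | sed -n 's/.*data=\([0-9A-Fa-f]*\).*/\1/p')
    hex_to_text "$h"
}

WORK=$(mktemp -d)
SAMPLE_PAM="$WORK/common-session"
SAMPLE_SYSCONFIG_BAD="$WORK/sysconfig-auditd.bad"
SAMPLE_SYSCONFIG_GOOD="$WORK/sysconfig-auditd.good"
SAMPLE_AUSEARCH_EMPTY="$WORK/ausearch.empty"
SAMPLE_AUSEARCH_TTY="$WORK/ausearch.tty"

# Constructed PAM session stack with pam_tty_audit enabled for every user.
cat > "$SAMPLE_PAM" <<'EOF'
session required pam_unix.so
session required pam_tty_audit.so enable=*
EOF

# Constructed: an assumed pre-fix value and the value the answer set.
printf 'AUDITD_DISABLE_CONTEXTS="yes"\n' > "$SAMPLE_SYSCONFIG_BAD"
printf 'AUDITD_DISABLE_CONTEXTS="no"\n'  > "$SAMPLE_SYSCONFIG_GOOD"

# Constructed: the situation in the question, daemon records only.
cat > "$SAMPLE_AUSEARCH_EMPTY" <<'EOF'
----
time->Thu May 30 17:57:01 2013
type=DAEMON_START msg=audit(1369929421.343:6499): auditd start, ver=1.7.7 format=raw kernel=3.0.13-0.27-default auid=1010 pid=18891 subj=unconfined  res=success
EOF

# Constructed: a working setup adds a TTY record whose data= field is the hex
# of the keystrokes "ls\n" (pid, ses and timestamp are made up).
cat > "$SAMPLE_AUSEARCH_TTY" <<'EOF'
----
time->Thu May 30 17:57:01 2013
type=DAEMON_START msg=audit(1369929421.343:6499): auditd start, ver=1.7.7 format=raw kernel=3.0.13-0.27-default auid=1010 pid=18891 subj=unconfined  res=success
----
time->Thu May 30 18:02:10 2013
type=TTY msg=audit(1369929730.501:6500): tty pid=18950 uid=1010 auid=1010 ses=7 major=136 minor=2 comm="bash" data=6C730A
EOF

# Summary when run directly.
pam_tty_audit_configured "$SAMPLE_PAM" && echo "PAM: pam_tty_audit session line present"
for f in "$SAMPLE_SYSCONFIG_BAD" "$SAMPLE_SYSCONFIG_GOOD"; do
    if auditd_contexts_enabled "$f"; then echo "$f: contexts enabled"
    else echo "$f: contexts DISABLED, TTY records will not be logged"; fi
done
echo "TTY records before the fix: $(count_tty_records "$SAMPLE_AUSEARCH_EMPTY")"
echo "TTY records after the fix:  $(count_tty_records "$SAMPLE_AUSEARCH_TTY")"
echo "decoded keystrokes:         $(first_tty_keystrokes "$SAMPLE_AUSEARCH_TTY")"
```

On a real host, point the three functions at /etc/pam.d/common-session (or the per-service file once the configuration is moved, as the question plans), /etc/sysconfig/auditd, and the output of ausearch -ts today saved to a file; a zero TTY count with contexts disabled reproduces the question's symptom.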