PAM tty auditing on CentOS 6.4

Question

I am trying to implement pam tty auditing using http://jaredrobinson.com/blog/linux-tty-auditing/ but it is not working for me.

Can some one tell me that any thing else apart from "session required pam_tty_audit.so enable=*" entry in "/etc/pam.d/system-auth" is required to make it work on CentOS 6.4.

To test, I have started a new session with machine. Execute few command and then executed aureport --tty. It should print the command which I have execute but it is not the case i.e

aureport --tty

TTY Report
===============================================
# date time event auid term sess comm data
===============================================
<no events of interest were found>.

possible duplicate of [How do I log every command executed by a user?](http://serverfault.com/questions/336217/how-do-i-log-every-command-executed-by-a-user) — Giovanni Tirloni, Sep 29 '14 at 15:11
It is not a duplicate of above link. In this link, pam auditing was suggested which I already covered in my question. My issue is that it is not working on CentOS 6.4. — haroon_aut, Sep 29 '14 at 15:19
"not working" is too vague. please update the question with relevant information from log files, tests you've done, etc. — Giovanni Tirloni, Sep 29 '14 at 15:24
I have added the informatin regarding the tests I conducted. Please let me know if anything else is requried. — haroon_aut, Sep 29 '14 at 15:31

score 0 · Answer 1 · answered Oct 01 '14 at 14:14

0

The issue is resolved. "session required pam_tty_audit.so enable=*" must be the first line in session section to make it work.

answered Oct 01 '14 at 14:14

haroon_aut

41
1
3

PAM tty auditing on CentOS 6.4

1 Answers1