I am trying to implement pam tty auditing using http://jaredrobinson.com/blog/linux-tty-auditing/ but it is not working for me.

Can someone tell me whether anything else apart from the "session required pam_tty_audit.so enable=*" entry in "/etc/pam.d/system-auth" is required to make it work on CentOS 6.4?

To test, I started a new session with the machine, executed a few commands and then executed aureport --tty. It should print the commands which I have executed, but that is not the case, i.e.:

```
aureport --tty

TTY Report
===============================================
# date time event auid term sess comm data
===============================================
<no events of interest were found>.
```
haroon_aut
  • possible duplicate of [How do I log every command executed by a user?](http://serverfault.com/questions/336217/how-do-i-log-every-command-executed-by-a-user) – Giovanni Tirloni Sep 29 '14 at 15:11
  • It is not a duplicate of the above link. In this link, PAM auditing was suggested, which I already covered in my question. My issue is that it is not working on CentOS 6.4. – haroon_aut Sep 29 '14 at 15:19
  • "Not working" is too vague. Please update the question with relevant information from log files, tests you've done, etc. – Giovanni Tirloni Sep 29 '14 at 15:24
  • I have added the information regarding the tests I conducted. Please let me know if anything else is required. – haroon_aut Sep 29 '14 at 15:31

1 Answer

The issue is resolved. "session required pam_tty_audit.so enable=*" must be the first line in the session section to make it work.

haroon_aut
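One way to check the ordering described in the answer above, as an added example that is not part of the original post: the function reports whether pam_tty_audit.so is the first `session` entry in a PAM service file. The function name, return codes and sample files are this example's own, and it inspects a single file without following `include` lines.

```shell
#!/bin/sh
# Added example: locate pam_tty_audit.so among the "session" entries of one
# PAM service file. Return codes are this example's own convention:
#   0 = first session entry, 1 = present but not first, 2 = not present
check_tty_audit_order() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }   # skip blank lines and comments
        {
            type = $1
            sub(/^-/, "", type)         # "-session" marks an optional module
            if (type != "session") next
            i = 2
            if ($i ~ /^\[/)             # bracketed control, e.g. [success=1 default=ignore]
                while (i < NF && $i !~ /\]$/) i++
            n++                         # position of this entry in the session stack
            if (!pos && $(i + 1) ~ /(^|\/)pam_tty_audit\.so$/) pos = n
        }
        END { if (pos == 1) exit 0; if (pos > 1) exit 1; exit 2 }
    ' "$1"
}

# Constructed sample files (not taken from a real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/late" <<'EOF'
auth       required     pam_env.so
session    optional     pam_keyinit.so revoke
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required     pam_unix.so
session    required     pam_tty_audit.so enable=*
EOF
cat > "$demo_dir/first" <<'EOF'
auth       required     pam_env.so
session    required     pam_tty_audit.so enable=*
session    optional     pam_keyinit.so revoke
session    required     pam_unix.so
EOF

for f in late first; do
    rc=0
    check_tty_audit_order "$demo_dir/$f" || rc=$?
    echo "$f: rc=$rc"
done
```

On a real host the file to pass is /etc/pam.d/system-auth, the file named in the question.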