authorTomas Mraz <tm@t8m.info>2008-01-29 15:09:29 +0000
committerTomas Mraz <tm@t8m.info>2008-01-29 15:09:29 +0000
commit7ac2dea8a4726532f775479a44fc4c80404980e2 (patch)
tree59729130b960a95673d75f9a5a0172e80ff19af5 /modules/pam_tty_audit/pam_tty_audit.8.xml
parent93852756cbb7f5f003c8ef82d306255ba99200f1 (diff)
Relevant BUGIDs:
Purpose of commit: new feature Commit summary: --------------- 2008-01-29 Miloslav Trmac <mitr@redhat.com> * modules/pam_tty_audit/README.xml: Add notes section. * modules/pam_tty_audit/pam_tty_audit.8.xml: Describe patterns support and open_only option. Add notes. * modules/pam_tty_audit/pam_tty_audit.c(pam_sm_open_session): Add support for pattern matching and the open_only option.
Diffstat (limited to 'modules/pam_tty_audit/pam_tty_audit.8.xml')
-rw-r--r--modules/pam_tty_audit/pam_tty_audit.8.xml47
1 files changed, 36 insertions, 11 deletions
diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml
index f65762ad..f6f0602f 100644
--- a/modules/pam_tty_audit/pam_tty_audit.8.xml
+++ b/modules/pam_tty_audit/pam_tty_audit.8.xml
@@ -19,10 +19,10 @@
<cmdsynopsis id="pam_tty_audit-cmdsynopsis">
<command>pam_tty_audit.so</command>
<arg choice="opt">
- disable=<replaceable>usernames</replaceable>
+ disable=<replaceable>patterns</replaceable>
</arg>
<arg choice="opt">
- enable=<replaceable>usernames</replaceable>
+ enable=<replaceable>patterns</replaceable>
</arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -40,27 +40,40 @@
<variablelist>
<varlistentry>
<term>
- <option>disable=<replaceable>usernames</replaceable></option>
+ <option>disable=<replaceable>patterns</replaceable></option>
</term>
<listitem>
<para>
- For each user matching one of comma-separated
- <option><replaceable>usernames</replaceable></option>, disable
+ For each user matching one of comma-separated glob
+ <option><replaceable>patterns</replaceable></option>, disable
TTY auditing. This overrides any previous <option>enable</option>
- option for the same user name on the command line.
+ option matchin the same user name on the command line.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
- <option>enable=<replaceable>usernames</replaceable></option>
+ <option>enable=<replaceable>patterns</replaceable></option>
</term>
<listitem>
<para>
- For each user matching one of comma-separated
- <option><replaceable>usernames</replaceable></option>, enable
+ For each user matching one of comma-separated glob
+ <option><replaceable>patterns</replaceable></option>, enable
TTY auditing. This overrides any previous <option>disable</option>
- option for the same user name on the command line.
+ option matching the same user name on the command line.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>open_only</option>
+ </term>
+ <listitem>
+ <para>
+ Set the TTY audit flag when opening the session, but do not restore
+ it when closing the session. Using this option is necessary for
+ some services that don't <function>fork()</function> to run the
+ authenticated session, such as <command>sudo</command>.
</para>
</listitem>
</varlistentry>
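Review bot: The new `open_only` paragraph says the TTY audit flag is not restored when the session closes, but it does not say what that means for the calling process. Presumably the flag stays as set for the rest of that process's lifetime and for anything it starts afterwards. A sentence such as `The flag then stays in effect for the calling process after the session is closed.` would let an administrator judge the effect before enabling the option for a service; the wording should be checked against the session-close code, which is not part of this diff. Separately, the rewritten `disable` paragraph has a typo, `option matchin the same user name`, where the `enable` paragraph correctly has `matching`.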
@@ -99,12 +112,24 @@
</variablelist>
</refsect1>
+ <refsect1 id='pam_tty_audit-notes'>
+ <title>NOTES</title>
+ <para>
+ When TTY auditing is enabled, it is inherited by all processes started by
+ that user. In particular, daemons restarted by an user will still have
+ TTY auditing enabled, and audit TTY input even by other users unless
+ auditing for these users is explicitly disabled. Therefore, it is
+ recommended to use <option>disable=*</option> as the first option for
+ most daemons using PAM.
+ </para>
+ </refsect1>
+
<refsect1 id='pam_tty_audit-examples'>
<title>EXAMPLES</title>
<para>
Audit all administrative actions.
<programlisting>
-session required pam_tty_audit.so enable=root
+session required pam_tty_audit.so disable=* enable=root
</programlisting>
</para>
</refsect1>
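Review bot: The updated example `disable=* enable=root` only works because a later option overrides an earlier one matching the same user, and the EXAMPLES text does not say so. By the option descriptions earlier in this page, a reader who swaps the two options would end up with auditing disabled for root as well. Consider extending the caption to something like `Audit all administrative actions; disable=* must come first so that enable=root overrides it.` In the new NOTES paragraph, `restarted by an user` should read `restarted by a user`.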