1 files changed, 51 insertions, 0 deletions

diff --git a/modules/pam_tty_audit/README b/modules/pam_tty_audit/README
new file mode 100644
index 00000000..f769f533
--- /dev/null
+++ b/modules/pam_tty_audit/README
@@ -0,0 +1,51 @@
+pam_tty_audit — Enable or disable TTY auditing for specified users
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+DESCRIPTION
+
+The pam_tty_audit PAM module is used to enable or disable TTY auditing. By
+default, the kernel does not audit input on any TTY.
+
+OPTIONS
+
+disable=patterns
+
+    For each user matching one of comma-separated glob patterns, disable TTY
+    auditing. This overrides any previous enable option matching the same user
+    name on the command line.
+
+enable=patterns
+
+    For each user matching one of comma-separated glob patterns, enable TTY
+    auditing. This overrides any previous disable option matching the same user
+    name on the command line.
+
+open_only
+
+    Set the TTY audit flag when opening the session, but do not restore it when
+    closing the session. Using this option is necessary for some services that
+    don't fork() to run the authenticated session, such as sudo.
+
+NOTES
+
+When TTY auditing is enabled, it is inherited by all processes started by that
+user. In particular, daemons restarted by an user will still have TTY auditing
+enabled, and audit TTY input even by other users unless auditing for these
+users is explicitly disabled. Therefore, it is recommended to use disable=* as
+the first option for most daemons using PAM.
+
+To view the data that was logged by the kernel to audit use the command
+aureport --tty.
+
+EXAMPLES
+
+Audit all administrative actions.
+
+session required pam_tty_audit.so disable=* enable=root
+
+
+AUTHOR
+
+pam_tty_audit was written by Miloslav Trmač <mitr@redhat.com>.
+