summaryrefslogtreecommitdiff
path: root/modules/pam_tty_audit/README
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_tty_audit/README')
-rw-r--r--modules/pam_tty_audit/README59
1 files changed, 59 insertions, 0 deletions
diff --git a/modules/pam_tty_audit/README b/modules/pam_tty_audit/README
new file mode 100644
index 00000000..dd18da72
--- /dev/null
+++ b/modules/pam_tty_audit/README
@@ -0,0 +1,59 @@
+pam_tty_audit — Enable or disable TTY auditing for specified users
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+DESCRIPTION
+
+The pam_tty_audit PAM module is used to enable or disable TTY auditing. By
+default, the kernel does not audit input on any TTY.
+
+OPTIONS
+
+disable=patterns
+
+ For each user matching one of comma-separated glob patterns, disable TTY
+ auditing. This overrides any previous enable option matching the same user
+ name on the command line.
+
+enable=patterns
+
+ For each user matching one of comma-separated glob patterns, enable TTY
+ auditing. This overrides any previous disable option matching the same user
+ name on the command line.
+
+open_only
+
+ Set the TTY audit flag when opening the session, but do not restore it when
+ closing the session. Using this option is necessary for some services that
+ don't fork() to run the authenticated session, such as sudo.
+
+log_passwd
+
+ Log keystrokes when ECHO mode is off but ICANON mode is active. This is the
+ mode in which the tty is placed during password entry. By default,
+ passwords are not logged. This option may not be available on older kernels
+ (3.9?).
+
+NOTES
+
+When TTY auditing is enabled, it is inherited by all processes started by that
+user. In particular, daemons restarted by an user will still have TTY auditing
+enabled, and audit TTY input even by other users unless auditing for these
+users is explicitly disabled. Therefore, it is recommended to use disable=* as
+the first option for most daemons using PAM.
+
+To view the data that was logged by the kernel to audit use the command
+aureport --tty.
+
+EXAMPLES
+
+Audit all administrative actions.
+
+session required pam_tty_audit.so disable=* enable=root
+
+
+AUTHOR
+
+pam_tty_audit was written by Miloslav Trmač <mitr@redhat.com>. The log_passwd
+option was added by Richard Guy Briggs <rgb@redhat.com>.
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-19 07:17:02 +0000