'\" t
.\" Title: pam_tty_audit
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2
.\" Date: 11/04/2009
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
.TH "PAM_TTY_AUDIT" "8" "11/04/2009" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pam_tty_audit \- Enable or disable TTY auditing for specified users
.SH "SYNOPSIS"
.HP \w'\fBpam_tty_audit\&.so\fR\ 'u
\fBpam_tty_audit\&.so\fR [disable=\fIpatterns\fR] [enable=\fIpatterns\fR]
.SH "DESCRIPTION"
.PP
The pam_tty_audit PAM module is used to enable or disable TTY auditing\&. By default, the kernel does not audit input on any TTY\&.
.SH "OPTIONS"
.PP
\fBdisable=\fR\fB\fIpatterns\fR\fR
.RS 4
For each user matching one of comma\-separated glob
\fB\fIpatterns\fR\fR, disable TTY auditing\&. This overrides any previous
\fBenable\fR
option matching the same user name on the command line\&.
.RE
.PP
\fBenable=\fR\fB\fIpatterns\fR\fR
.RS 4
For each user matching one of comma\-separated glob
\fB\fIpatterns\fR\fR, enable TTY auditing\&. This overrides any previous
\fBdisable\fR
option matching the same user name on the command line\&.
.RE
.PP
\fBopen_only\fR
.RS 4
Set the TTY audit flag when opening the session, but do not restore it when closing the session\&. Using this option is necessary for some services that don\'t
\fBfork()\fR
to run the authenticated session, such as
\fBsudo\fR\&.
.RE
.SH "MODULE TYPES PROVIDED"
.PP
Only the
\fBsession\fR
type is supported\&.
.SH "RETURN VALUES"
.PP
PAM_SESSION_ERR
.RS 4
Error reading or modifying the TTY audit flag\&. See the system log for more details\&.
.RE
.PP
PAM_SUCCESS
.RS 4
Success\&.
.RE
.SH "NOTES"
.PP
When TTY auditing is enabled, it is inherited by all processes started by that user\&. In particular, daemons restarted by an user will still have TTY auditing enabled, and audit TTY input even by other users unless auditing for these users is explicitly disabled\&. Therefore, it is recommended to use
\fBdisable=*\fR
as the first option for most daemons using PAM\&.
.PP
To view the data that was logged by the kernel to audit use the command
\fBaureport \-\-tty\fR\&.
.SH "EXAMPLES"
.PP
Audit all administrative actions\&.
.sp
.if n \{\
.RS 4
.\}
.nf
session required pam_tty_audit\&.so disable=* enable=root
.fi
.if n \{\
.RE
.\}
.sp
.SH "SEE ALSO"
.PP
\fBaureport\fR(8),
\fBpam.conf\fR(5),
\fBpam.d\fR(5),
\fBpam\fR(8)
.SH "AUTHOR"
.PP
pam_tty_audit was written by Miloslav Trmač \&.