modules/pam_tty_audit/pam_tty_audit.8.xml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196

<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_tty_audit">

  <refmeta>
    <refentrytitle>pam_tty_audit</refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo class="source">Linux-PAM</refmiscinfo>
    <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo>
  </refmeta>

  <refnamediv xml:id="pam_tty_audit-name">
    <refname>pam_tty_audit</refname>
    <refpurpose>Enable or disable TTY auditing for specified users</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis xml:id="pam_tty_audit-cmdsynopsis" sepchar=" ">
      <command>pam_tty_audit.so</command>
      <arg choice="opt" rep="norepeat">
	disable=<replaceable>patterns</replaceable>
      </arg>
      <arg choice="opt" rep="norepeat">
	enable=<replaceable>patterns</replaceable>
      </arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1 xml:id="pam_tty_audit-description">
    <title>DESCRIPTION</title>
    <para>
      The pam_tty_audit PAM module is used to enable or disable TTY auditing.
      By default, the kernel does not audit input on any TTY.
    </para>
  </refsect1>

  <refsect1 xml:id="pam_tty_audit-options">
    <title>OPTIONS</title>
    <variablelist>
      <varlistentry>
        <term>
          disable=patterns
        </term>
        <listitem>
          <para>
	    For each user matching <option><replaceable>patterns</replaceable></option>,
	    disable TTY auditing.  This overrides any previous <option>enable</option>
	    option matching the same user name on the command line. See NOTES
	    for further description of <option><replaceable>patterns</replaceable></option>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          enable=patterns
        </term>
        <listitem>
          <para>
	    For each user matching <option><replaceable>patterns</replaceable></option>,
	    enable TTY auditing.  This overrides any previous <option>disable</option>
	    option matching the same user name on the command line. See NOTES
	    for further description of <option><replaceable>patterns</replaceable></option>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          open_only
        </term>
        <listitem>
          <para>
           Set the TTY audit flag when opening the session, but do not restore
           it when closing the session.  Using this option is necessary for
           some services that don't <function>fork()</function> to run the
           authenticated session, such as <command>sudo</command>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          log_passwd
        </term>
        <listitem>
          <para>
	   Log keystrokes when ECHO mode is off but ICANON mode is active.
	   This is the mode in which the tty is placed during password entry.
	   By default, passwords are not logged.  This option may not be
	   available on older kernels (3.9?).
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1 xml:id="pam_tty_audit-types">
    <title>MODULE TYPES PROVIDED</title>
    <para>
      Only the <emphasis remap="B">session</emphasis> type is supported.
    </para>
  </refsect1>

  <refsect1 xml:id="pam_tty_audit-return_values">
    <title>RETURN VALUES</title>
    <variablelist>
      <varlistentry>
        <term>PAM_SESSION_ERR</term>
        <listitem>
           <para>
	     Error reading or modifying the TTY audit flag.  See the system log
	     for more details.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>PAM_SUCCESS</term>
        <listitem>
          <para>
            Success.
          </para>
        </listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1 xml:id="pam_tty_audit-notes">
    <title>NOTES</title>
    <para>
      When TTY auditing is enabled, it is inherited by all processes started by
      that user.  In particular, daemons restarted by a user will still have
      TTY auditing enabled, and audit TTY input even by other users unless
      auditing for these users is explicitly disabled.  Therefore, it is
      recommended to use <option>disable=*</option> as the first option for
      most daemons using PAM.
    </para>
    <para>
      To view the data that was logged by the kernel to audit use
      the command <command>aureport --tty</command>.
    </para>
    <para>
      The <option><replaceable>patterns</replaceable></option> are comma separated
      lists of glob patterns or ranges of uids. A range is specified as
      <replaceable>min_uid</replaceable>:<replaceable>max_uid</replaceable> where
      one of these values can be empty. If <replaceable>min_uid</replaceable> is
      empty only user with the uid <replaceable>max_uid</replaceable> will be
      matched. If <replaceable>max_uid</replaceable> is empty users with the uid
      greater than or equal to <replaceable>min_uid</replaceable> will be
      matched.
    </para>
    <para>
      Please note that passwords in some circumstances may be logged by TTY auditing
      even if the <option>log_passwd</option> is not used. For example, all input to
      an ssh session will be logged - even if there is a password being typed into
      some software running at the remote host because only the local TTY state
      affects the local TTY auditing.
    </para>
  </refsect1>

  <refsect1 xml:id="pam_tty_audit-examples">
    <title>EXAMPLES</title>
    <para>
      Audit all administrative actions.
      <programlisting>
session	required pam_tty_audit.so disable=* enable=root
      </programlisting>
    </para>
  </refsect1>

  <refsect1 xml:id="pam_tty_audit-see_also">
    <title>SEE ALSO</title>
    <para>
      <citerefentry>
	<refentrytitle>aureport</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum>
      </citerefentry>
    </para>
  </refsect1>

  <refsect1 xml:id="pam_tty_audit-author">
    <title>AUTHOR</title>
      <para>
        pam_tty_audit was written by Miloslav Trmač
	&lt;mitr@redhat.com&gt;.
        The log_passwd option was added by Richard Guy Briggs
        &lt;rgb@redhat.com&gt;.
      </para>
  </refsect1>

</refentry>