1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
|
'\" t
.\" Title: pam_tty_audit
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 04/11/2016
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
.TH "PAM_TTY_AUDIT" "8" "04/11/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pam_tty_audit \- Enable or disable TTY auditing for specified users
.SH "SYNOPSIS"
.HP \w'\fBpam_tty_audit\&.so\fR\ 'u
\fBpam_tty_audit\&.so\fR [disable=\fIpatterns\fR] [enable=\fIpatterns\fR]
.SH "DESCRIPTION"
.PP
The pam_tty_audit PAM module is used to enable or disable TTY auditing\&. By default, the kernel does not audit input on any TTY\&.
.SH "OPTIONS"
.PP
\fBdisable=\fR\fB\fIpatterns\fR\fR
.RS 4
For each user matching one of comma\-separated glob
\fB\fIpatterns\fR\fR, disable TTY auditing\&. This overrides any previous
\fBenable\fR
option matching the same user name on the command line\&.
.RE
.PP
\fBenable=\fR\fB\fIpatterns\fR\fR
.RS 4
For each user matching one of comma\-separated glob
\fB\fIpatterns\fR\fR, enable TTY auditing\&. This overrides any previous
\fBdisable\fR
option matching the same user name on the command line\&.
.RE
.PP
\fBopen_only\fR
.RS 4
Set the TTY audit flag when opening the session, but do not restore it when closing the session\&. Using this option is necessary for some services that don\*(Aqt
\fBfork()\fR
to run the authenticated session, such as
\fBsudo\fR\&.
.RE
.PP
\fBlog_passwd\fR
.RS 4
Log keystrokes when ECHO mode is off but ICANON mode is active\&. This is the mode in which the tty is placed during password entry\&. By default, passwords are not logged\&. This option may not be available on older kernels (3\&.9?)\&.
.RE
.SH "MODULE TYPES PROVIDED"
.PP
Only the
\fBsession\fR
type is supported\&.
.SH "RETURN VALUES"
.PP
PAM_SESSION_ERR
.RS 4
Error reading or modifying the TTY audit flag\&. See the system log for more details\&.
.RE
.PP
PAM_SUCCESS
.RS 4
Success\&.
.RE
.SH "NOTES"
.PP
When TTY auditing is enabled, it is inherited by all processes started by that user\&. In particular, daemons restarted by an user will still have TTY auditing enabled, and audit TTY input even by other users unless auditing for these users is explicitly disabled\&. Therefore, it is recommended to use
\fBdisable=*\fR
as the first option for most daemons using PAM\&.
.PP
To view the data that was logged by the kernel to audit use the command
\fBaureport \-\-tty\fR\&.
.SH "EXAMPLES"
.PP
Audit all administrative actions\&.
.sp
.if n \{\
.RS 4
.\}
.nf
session required pam_tty_audit\&.so disable=* enable=root
.fi
.if n \{\
.RE
.\}
.sp
.SH "SEE ALSO"
.PP
\fBaureport\fR(8),
\fBpam.conf\fR(5),
\fBpam.d\fR(5),
\fBpam\fR(8)
.SH "AUTHOR"
.PP
pam_tty_audit was written by Miloslav Trmač <mitr@redhat\&.com>\&. The log_passwd option was added by Richard Guy Briggs <rgb@redhat\&.com>\&.
|
