1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
|
'\" t
.\" Title: pam_tty_audit
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
.\" Date: 11/04/2009
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
.TH "PAM_TTY_AUDIT" "8" "11/04/2009" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pam_tty_audit \- Enable or disable TTY auditing for specified users
.SH "SYNOPSIS"
.HP \w'\fBpam_tty_audit\&.so\fR\ 'u
\fBpam_tty_audit\&.so\fR [disable=\fIpatterns\fR] [enable=\fIpatterns\fR]
.SH "DESCRIPTION"
.PP
The pam_tty_audit PAM module is used to enable or disable TTY auditing\&. By default, the kernel does not audit input on any TTY\&.
.SH "OPTIONS"
.PP
\fBdisable=\fR\fB\fIpatterns\fR\fR
.RS 4
For each user matching one of comma\-separated glob
\fB\fIpatterns\fR\fR, disable TTY auditing\&. This overrides any previous
\fBenable\fR
option matching the same user name on the command line\&.
.RE
.PP
\fBenable=\fR\fB\fIpatterns\fR\fR
.RS 4
For each user matching one of comma\-separated glob
\fB\fIpatterns\fR\fR, enable TTY auditing\&. This overrides any previous
\fBdisable\fR
option matching the same user name on the command line\&.
.RE
.PP
\fBopen_only\fR
.RS 4
Set the TTY audit flag when opening the session, but do not restore it when closing the session\&. Using this option is necessary for some services that don\'t
\fBfork()\fR
to run the authenticated session, such as
\fBsudo\fR\&.
.RE
.SH "MODULE TYPES PROVIDED"
.PP
Only the
\fBsession\fR
type is supported\&.
.SH "RETURN VALUES"
.PP
PAM_SESSION_ERR
.RS 4
Error reading or modifying the TTY audit flag\&. See the system log for more details\&.
.RE
.PP
PAM_SUCCESS
.RS 4
Success\&.
.RE
.SH "NOTES"
.PP
When TTY auditing is enabled, it is inherited by all processes started by that user\&. In particular, daemons restarted by an user will still have TTY auditing enabled, and audit TTY input even by other users unless auditing for these users is explicitly disabled\&. Therefore, it is recommended to use
\fBdisable=*\fR
as the first option for most daemons using PAM\&.
.PP
To view the data that was logged by the kernel to audit use the command
\fBaureport \-\-tty\fR\&.
.SH "EXAMPLES"
.PP
Audit all administrative actions\&.
.sp
.if n \{\
.RS 4
.\}
.nf
session required pam_tty_audit\&.so disable=* enable=root
.fi
.if n \{\
.RE
.\}
.sp
.SH "SEE ALSO"
.PP
\fBaureport\fR(8),
\fBpam.conf\fR(5),
\fBpam.d\fR(5),
\fBpam\fR(8)
.SH "AUTHOR"
.PP
pam_tty_audit was written by Miloslav Trmač <mitr@redhat\&.com>\&.
|
