Discussion:
Audit filter by TTY
John Bambenek
2013-04-26 15:07:56 UTC
I was playing around and wanted to know if there are plans to allow audit rule filters by TTY, or specifically filter when tty != (none) (i.e. interactive login events).
Steve Grubb
2013-04-26 16:56:29 UTC
Post by John Bambenek
I was playing around and wanted to know if there are plans to allow audit
rule filters by TTY, or specifically filter when tty != (none) (i.e.
interactive login events).
You can use the pam_tty_audit module to do that. There are no plans to
configure this by auditctl.

-Steve
John Bambenek
2013-04-26 17:03:17 UTC
I would prefer a solution besides a keylogger that, among other things, happily captures passwords and stores them in the clear in logs.
Steve Grubb
2013-04-26 17:14:13 UTC
Post by John Bambenek
I would prefer a solution besides a keylogger that, among other things,
happily captures passwords and stores them in the clear in logs.
That is being worked on:
https://www.redhat.com/archives/linux-audit/2013-March/msg00050.html

The patch still isn't ready, but it will be configured by pam_tty_audit.

-Steve
John Bambenek
2013-04-26 17:27:32 UTC
Even better. Thanks.
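Added example, not part of the original thread: since the thread says auditctl has no rule filter on TTY, one alternative is to filter after collection by grouping audit.log records per event and keeping events whose `tty` field is not `(none)`. The sample records are constructed and the function names are hypothetical.

```python
import re

# Constructed sample records in audit.log text format (not from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1366988876.101:410): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2211 auid=4294967295 uid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="exec"
type=SYSCALL msg=audit(1366988880.512:411): arch=c000003e syscall=59 success=yes exit=0 ppid=2301 pid=2302 auid=1000 uid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="exec"
type=CWD msg=audit(1366988880.512:411): cwd="/home/alice"
type=SYSCALL msg=audit(1366988891.007:412): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2410 auid=4294967295 uid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="exec"
"""

# Record header: type, then the timestamp and the event serial number.
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit.log line into a dict, or return None if malformed."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return {"type": rtype, "time": float(ts), "serial": int(serial),
            "fields": fields}


def interactive_events(log_text):
    """Return {serial: [records]} for events with a tty other than (none).

    Only some record types (e.g. SYSCALL) carry tty=, so records are grouped
    by serial first and the whole event is kept or dropped together.
    """
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["serial"], []).append(rec)
    kept = {}
    for serial, recs in events.items():
        ttys = {r["fields"]["tty"] for r in recs if "tty" in r["fields"]}
        if ttys - {"(none)"}:
            kept[serial] = recs
    return kept


if __name__ == "__main__":
    for serial, recs in interactive_events(SAMPLE_LOG).items():
        print(serial, [r["type"] for r in recs])
```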