Re: pam_tty_audit doesn't work. Alternatives?

To: debian-user@lists.debian.org
Subject: Re: pam_tty_audit doesn't work. Alternatives?
From: Reco <recoverym4n@gmail.com>
Date: Wed, 14 Dec 2016 17:30:14 +0300
Message-id: <[🔎] 20161214143011.GA18646@e1030>
In-reply-to: <[🔎] CAEf0o1qgCHMRxrx3vTtrYP_vJr+DcDvoLPaLTpzJdR97ZpVmmQ@mail.gmail.com>
References: <[🔎] CAEf0o1qgCHMRxrx3vTtrYP_vJr+DcDvoLPaLTpzJdR97ZpVmmQ@mail.gmail.com>

	Hi.

On Wed, Dec 14, 2016 at 08:53:11AM -0300, info info wrote:
> Hi, setting
> 
> session required pam_tty_audit.so enable=*
> 
> in /etc/pam.d/sshd (or common-session)
> 
> doesn't work due to bug #778664 [1]. How do you do that in Debian?
> Workarounds? Alternatives?

It does not allow tty snooping per se, but it logs all executed commands
by anyone (use '-F euid' to narrow the scope):

auditctl -a exit,always -F arch=b64 -S execve
auditctl -a exit,always -F arch=b32 -S execve

Reco

Reply to:

References:
- pam_tty_audit doesn't work. Alternatives?
  - From: info info <info@threads-srl.com.ar>

Prev by Date: Re: network setup
Next by Date: Re: Package update problem...{***SOLVED***}
Previous by thread: pam_tty_audit doesn't work. Alternatives?
Next by thread: ✅ Xmas gift: 16 Photography software FX...
Index(es):
- Date
- Thread