pam_tty_audit and non privileged users

Posted by Jeff on Server Fault See other posts from Server Fault or by Jeff
Published on 2012-08-31T20:13:59Z Indexed on 2012/08/31 21:39 UTC
Read the original article Hit count: 191

Filed under:

centos

|

pam

|

audit

|

tty

I'm working on a cents 6.3 box and am trying to log all commands executed from a bash shell and came across pam_tty_audit. I've added the appropriate line to my /etc/pam.d/system-auth file: "session required pam_tty_audit.so enable=*"

The problem is that it does not appear to capture commands unless a user is root. For example, if i ssh in as root it logs everything to the audit log, but if I ssh as a regular user it does not start logging anything until after I have su to root.

Any ideas?

© Server Fault or respective owner

Related posts about centos

Problems with repositories on CentOS 3.9

as seen on Super User - Search for 'Super User'
Hello, I have CentOS 3.9 for i386. When I try to instal some thing with yum, i.e: yum install firefox or yum install firefox* or yum list firefox and so on, I get: +++++++++++++++++++ yum info firefox Gathering header information file(s) from server(s) Server: CentOS-3 - Addons Server: CentOS-3 -… >>> More
Problems with repositories on CentOS 3.9

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello, I have CentOS 3.9 for i386. When I try to instal some thing with yum, i.e: yum install firefox or yum install firefox* or yum list firefox and so on, I get: +++++++++++++++++++ yum info firefox Gathering header information file(s) from server(s) Server: CentOS-3 - Addons Server: CentOS-3 -… >>> More
centos yum problems

as seen on Server Fault - Search for 'Server Fault'
I am really new to using linux and have just formatted my centos 5.2 vps and am trying to install links by using the command yum install links. But the following error gets displayed: [root@inverses ~]# yum install links Loading "fastestmirror" plugin Loading mirror speeds from cached hostfile *… >>> More
Networking issues with Linux server (CentOS 5.3)

as seen on Server Fault - Search for 'Server Fault'
I have a Linux server hosting our bug tracking software (CentOS 5.2 Kernel 2.6.18-128.4.1.el5) that I have having some strange network problems with. The machine is configured with two NICS, one for the public interface and the other for our server back end network. The problem is that after doing… >>> More
Networking issues with Linux server (CentOS 5.3)

as seen on Server Fault - Search for 'Server Fault'
I have a Linux server hosting our bug tracking software (CentOS 5.2 Kernel 2.6.18-128.4.1.el5) that I have having some strange network problems with. The machine is configured with two NICS, one for the public interface and the other for our server back end network. The problem is that after doing… >>> More

Related posts about pam

Likewise DomainJoin hangs on Finishing krb5.conf configuration

as seen on Server Fault - Search for 'Server Fault'
Hello, I have a problem when joining a CentOS release 5.4 (Final) x64 machine to the domain after running domainjoin-cli --loglevel info --log . join domain.local password I obtain the following, which seems to hang on "20100428112821:INFO:Finishing krb5.conf configuration" 20100428112817:INFO:Domainjoin… >>> More
Using PAM and vsftpd without root access

as seen on Server Fault - Search for 'Server Fault'
I'm trying to set up a few vsftpd instances on a machine that I have no root access to. The authentication should be done through PAM with pam_listfile, like this: pam_listfile.so item=group sense=allow file=/path/filename onerr=fail I can ask the administrator to set up a PAM service for me and… >>> More
Decoding PAM configuration files ...

as seen on Server Fault - Search for 'Server Fault'
Could someone point me to some (recent) documentation that would help me with decoding PAM configuration file lines like this: auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass I'm… >>> More
Requiring SSH-key Login Via PAM From Specific IP Ranges

as seen on Server Fault - Search for 'Server Fault'
I need to be able to access my server (Ubuntu 8.04 LTS) from remote sites, but I'd like to worry a bit less about password complexity. Thus, I'd like to require that SSH keys be used for login instead of name/password. However, I still have a lot to learn about security, and having already badly… >>> More
Suggest methods for testing changes to "pam.d/common-*" files

as seen on Server Fault - Search for 'Server Fault'
How do I test the changes to the pam.d configuration files: Do I need to restart the PAM service to test the changes? Should I go through every service listed in the /etc/pam.d/ directory? I'm about to make changes to the pam.d/common-* files in an effort to put an Ubuntu box into an active… >>> More