pam_tty_audit apparently not working


I just compiled the pam_tty_audit module, because my Linux distro doesn’t include it with the usual PAM modules.

I added the configuration line to /etc/common-session, as suggested in this question. In my /var/log/messages I got a message each time that some sudo, crontab or login is executed:

login[18635]: pam_tty_audit(login:session): changed status from 0 to 1

But when I search for events in the audit daemon log I don’t get anything related to the commands executed in that user session:

sudo /sbin/ausearch -ts today
time->Thu May 30 17:46:52 2013
type=DAEMON_START msg=audit(1369928812.430:3659): auditd start, ver=1.7.7 format=raw kernel=3.0.13-0.27-default auid=1010 pid=17873 subj=unconfined  res=success
time->Thu May 30 17:57:01 2013
type=DAEMON_END msg=audit(1369929421.259:3660): auditd normal halt, sending auid=1010 pid=18874 subj= res=success
time->Thu May 30 17:57:01 2013
type=DAEMON_START msg=audit(1369929421.343:6499): auditd start, ver=1.7.7 format=raw kernel=3.0.13-0.27-default auid=1010 pid=18891 subj=unconfined  res=success

As you can see above, only daemon start and stop are stored in my audit logs.

Of course, I will move the PAM configuration from common-session to the login and ssh files.

I’m very confused right now because I cannot understand why I cannot get the audit log!

Thanks in advance

Solution:

OK, it was only a configuration issue. After reading the openSUSE audit documentation in [1] completely, I was able to get the audit daemon to log by changing the variable AUDITD_DISABLE_CONTEXTS to “no” in /etc/sysconfig/auditd.
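
A diagnostic sketch for the situation in this thread, added here as an example and not part of the original post or of any project's code: it checks the AUDITD_DISABLE_CONTEXTS setting named in the solution, confirms that an uncommented pam_tty_audit line exists, and then queries the audit log for TTY records. The function names are hypothetical, the PAM files are assumed to live under /etc/pam.d, and treating an unset variable as a finding is an assumption.

```shell
#!/bin/sh
# Added example: why does pam_tty_audit produce no TTY records?
# File paths are arguments so the checks can run on constructed files.

# Effective AUDITD_DISABLE_CONTEXTS value (last assignment wins), unquoted
# and lower-cased; prints "unset" when the variable is absent.
disable_contexts_value() {
    v=$(sed -n 's/^[[:space:]]*AUDITD_DISABLE_CONTEXTS=//p' "$1" | tail -n 1 |
        tr -d "\"'[:space:]" | tr 'A-Z' 'a-z')
    echo "${v:-unset}"
}

# Active (uncommented) pam_tty_audit lines in the given PAM files.
tty_audit_lines() {
    grep -H -E '^[[:space:]]*[^#[:space:]].*pam_tty_audit\.so' "$@" 2>/dev/null
}

# Kernel "enabled" flag from `auditctl -s` output on stdin; accepts both
# the "enabled 1" and the older "enabled=1" layouts.
audit_enabled_flag() {
    sed -n 's/.*enabled[= ]\([0-9]\).*/\1/p' | head -n 1
}

# usage: diagnose SYSCONFIG_FILE PAM_FILE...   (returns 1 on any finding)
diagnose() {
    cfg=$1; shift; rc=0
    # Assumption: any value other than "no" (unset included) is a finding.
    if [ "$(disable_contexts_value "$cfg")" != "no" ]; then
        echo "FAIL: AUDITD_DISABLE_CONTEXTS is not \"no\" in $cfg"; rc=1
    fi
    if ! tty_audit_lines "$@" >/dev/null; then
        echo "FAIL: no active pam_tty_audit line in: $*"; rc=1
    fi
    return "$rc"
}

# Live check, run as root: ./script --check
if [ "${1:-}" = "--check" ]; then
    diagnose /etc/sysconfig/auditd /etc/pam.d/*   # PAM directory is assumed
    auditctl -s | audit_enabled_flag              # 1 = kernel auditing on
    ausearch -m TTY -ts today                     # TTY records, if any
fi
```

After changing /etc/sysconfig/auditd, restart the audit daemon and open a new login session before running the check, since pam_tty_audit sets the audit flag when the session is opened.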

