pam_tty_audit apparently not working
I just compiled the pam_tty_audit module, because my Linux distro doesn’t include it with the usual PAM modules.
I added the configuration line to /etc/common-session, as suggested in this question. In my /var/log/messages I get a message each time some sudo, crontab or login is executed:
login: pam_tty_audit(login:session): changed status from 0 to 1
But when I search for events on the audit daemon log I don’t get anything related to the commands executed on that user session:
    sudo /sbin/ausearch -ts today
    ----
    time->Thu May 30 17:46:52 2013
    type=DAEMON_START msg=audit(1369928812.430:3659): auditd start, ver=1.7.7 format=raw kernel=3.0.13-0.27-default auid=1010 pid=17873 subj=unconfined res=success
    ----
    time->Thu May 30 17:57:01 2013
    type=DAEMON_END msg=audit(1369929421.259:3660): auditd normal halt, sending auid=1010 pid=18874 subj= res=success
    ----
    time->Thu May 30 17:57:01 2013
    type=DAEMON_START msg=audit(1369929421.343:6499): auditd start, ver=1.7.7 format=raw kernel=3.0.13-0.27-default auid=1010 pid=18891 subj=unconfined res=success
As you can see above, only daemon start and stop are stored on my audit logs.
Of course, I will move the PAM configuration from common-session to the
I’m very confused right now because I cannot understand why I cannot get the audit log!
Thanks in advance
OK, it was only a configuration issue. After reading the Audit OpenSuse documentation completely in  I was able to enable the Audit daemon to log by changing the variable AUDITD_DISABLE_CONTEXTS to “no” in
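Added example, not part of the original question or answer: a small Python triage of the symptom described above, where pam_tty_audit reports that it switched TTY auditing on but the audit log holds only records written by auditd itself. The sample inputs are the syslog line and ausearch output quoted in the question; the function names and verdict strings are illustrative assumptions.

```python
import re
from collections import Counter

# Sample inputs: the syslog line and ausearch output quoted in the question.
SYSLOG = "login: pam_tty_audit(login:session): changed status from 0 to 1\n"
AUSEARCH = """\
----
time->Thu May 30 17:46:52 2013
type=DAEMON_START msg=audit(1369928812.430:3659): auditd start, ver=1.7.7 format=raw kernel=3.0.13-0.27-default auid=1010 pid=17873 subj=unconfined res=success
----
time->Thu May 30 17:57:01 2013
type=DAEMON_END msg=audit(1369929421.259:3660): auditd normal halt, sending auid=1010 pid=18874 subj= res=success
----
time->Thu May 30 17:57:01 2013
type=DAEMON_START msg=audit(1369929421.343:6499): auditd start, ver=1.7.7 format=raw kernel=3.0.13-0.27-default auid=1010 pid=18891 subj=unconfined res=success
"""

PAM_RE = re.compile(r"pam_tty_audit\((?P<svc>[^:)]+):session\): "
                    r"changed status from (?P<old>\d+) to (?P<new>\d+)")
REC_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\(\d+\.\d+:\d+\)", re.M)
TTY_TYPES = ("TTY", "USER_TTY")  # audit record types that carry TTY input

def enabled_services(syslog_text):
    """PAM services where pam_tty_audit logged switching auditing on (0 -> 1)."""
    return sorted({m["svc"] for m in PAM_RE.finditer(syslog_text)
                   if (m["old"], m["new"]) == ("0", "1")})

def record_types(ausearch_text):
    """Count audit records per type in `ausearch` text output."""
    return Counter(m["type"] for m in REC_RE.finditer(ausearch_text))

def diagnose(syslog_text, ausearch_text):
    """Return (verdict, services, type_counts) for the two log excerpts."""
    services = enabled_services(syslog_text)
    types = record_types(ausearch_text)
    if not services:
        verdict = "pam_tty_audit never enabled"
    elif any(types[t] for t in TTY_TYPES):
        verdict = "tty records present"
    elif all(t.startswith("DAEMON_") for t in types):
        # DAEMON_* records are written by auditd itself; seeing nothing else means
        # no record from the kernel reached the log, so check the audit daemon and
        # kernel audit configuration rather than the PAM line.
        verdict = "no records from kernel"
    else:
        verdict = "other records but no tty"
    return verdict, services, dict(types)

if __name__ == "__main__":
    print(diagnose(SYSLOG, AUSEARCH))
```

On the excerpts from the question the verdict is "no records from kernel", which matches the answer's finding that the fix was in the audit daemon configuration and not in the PAM stack.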