
I'm trying to put together a TTY logging feature under Ubuntu 18.04 server and created /etc/pam.d/tty-audit with the following content:

session   required   pam_tty_audit.so enable=*

and added that to /etc/pam.d/common-auth:

@include tty-audit

All I want is to have auditd collect only TTY-type events, but I'm unable to find the proper configuration. The following:

## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 16384

## This determine how long to wait in burst of events
--backlog_wait_time 0

## Set failure mode to syslog
-f 1

-a always,exit  -F arch=b64 -F msgtype=TTY -S execve -k root-cmd
-a always,exit  -F arch=b32 -F msgtype=TTY -S execve -k root-cmd

gives me an error when the rules are loaded after auditd is started:

msgtype field can only be used with exclude or user filter list

How do I configure it so that it meets my needs? It seems that it is only possible to exclude certain message types, but I want to include none by default and only collect the ones I specify in audit.rules.

mc88

  • Finally solved the problem. It seems that a double include does not work. I originally put the audit_tty settings in a separate file that was included in all **common-** files related to session, and those in turn are included in all other files defined in the pam.d directory. Simply putting the session clause for tty directly in the **common-session**, **common-session-noninteractive** (Ubuntu) and **ssh** configuration files solved the problem, and keystroke events showed up in audit.log. Hope that it helps somebody. – mc88 Dec 11 '20 at 07:58
  • So did it turn out that you didn't need the audit rules including `msgtype=TTY`? I do seem to be getting `pam_tty_audit` turned on, based on journal entries I see, but I am not yet getting auditing of commands. – Ryan Olson Sep 20 '21 at 22:55
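As an added illustration (not from the question or the comments above): since the `-a ... -F msgtype=TTY` rule is rejected and the comment thread says the `type=TTY` records arrive in audit.log once `pam_tty_audit` is loaded from the right PAM files, the "only TTY events" part can be done when reading the log. The script below keeps only `type=TTY` records and decodes the hex-encoded `data=` field that pam_tty_audit writes; the audit.log lines are constructed samples, and the field layout assumed is the one `ausearch -m TTY` decodes (pid/uid/auid/ses/major/minor/comm/data).

```python
import re
from typing import Dict, List

# Constructed sample audit.log lines (not taken from the question). Only the
# type=TTY records carry keystrokes; pam_tty_audit hex-encodes them in data=.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1607672241.100:1201): arch=c000003e syscall=59 success=yes exit=0 comm="ls" key="root-cmd"
type=TTY msg=audit(1607672241.238:1202): tty pid=2345 uid=0 auid=1000 ses=3 major=136 minor=0 comm="bash" data=6C73202D6C610D
type=USER_START msg=audit(1607672250.000:1203): pid=2300 uid=0 auid=1000 ses=3 msg='op=PAM:session_open'
type=TTY msg=audit(1607672260.512:1204): tty pid=2345 uid=0 auid=1000 ses=3 major=136 minor=0 comm="bash" data=7461696C202D66206C6F6703
"""

# Matches a TTY record; every other record type fails the match and is dropped.
TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): tty pid=\d+ uid=\d+ '
    r'auid=(?P<auid>\d+) ses=\d+ major=\d+ minor=\d+ comm="(?P<comm>[^"]*)" '
    r'data=(?P<data>[0-9A-Fa-f]+)\s*$'
)


def decode_keystrokes(hexdata: str) -> str:
    """Turn the hex keystroke buffer into readable text.

    Carriage return (Enter) becomes <CR>; other control bytes are shown in
    caret notation (0x03 -> ^C, 0x7F -> ^?) so they are not lost in output.
    """
    out = []
    for b in bytes.fromhex(hexdata):
        if b == 0x0D:
            out.append("<CR>")
        elif b < 0x20 or b == 0x7F:
            out.append("^" + chr((b ^ 0x40) & 0x7F))
        else:
            out.append(chr(b))
    return "".join(out)


def tty_records(log_text: str) -> List[Dict]:
    """Return only the type=TTY records, with the keystrokes decoded."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if not m:
            continue  # SYSCALL, USER_START, ... are skipped
        records.append({
            "time": float(m["ts"]),
            "serial": int(m["serial"]),
            "auid": int(m["auid"]),   # login uid survives su/sudo, unlike uid
            "comm": m["comm"],
            "keys": decode_keystrokes(m["data"]),
        })
    return records


if __name__ == "__main__":
    for r in tty_records(SAMPLE_LOG):
        print(f'{r["time"]:.3f} auid={r["auid"]} {r["comm"]}: {r["keys"]}')
```

On a real system, feed it `/var/log/audit/audit.log` instead of `SAMPLE_LOG`, or compare its output against `ausearch -m TTY -i`.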

0 Answers