On Mon, Dec 9, 2024 at 4:38 AM Molly Miller <[email protected]> wrote:
>
> Hi there,
>
> We're currently taking a look at the TTY input logging functionality of the
> auditing subsystem and evaluating it for use in our environment, however
> there are some parts of this which we don't quite understand, and we've had
> difficulty answering our questions purely from reading the kernel sources.
>
> Primarily, it's not clear to us when the kernel decides to flush the
> keystrokes logged from the TTY into an audit log message which can be read by
> a userspace process like auditd.

Hi Molly,

You likely want to look for tty_audit_push() callers; that should help identify where/how the kernel decides to flush the TTY data. Looking quickly at an upstream kernel I see the following callers: canonical mode (as you mentioned), ioctl(TIOCSTI), and the AUDIT_USER_TTY command/message from userspace.

--
paul-moore.com
