Greetings, I am looking into using auditd to capture TTY logging for all users, and I am having some trouble. Capturing keystrokes is a requirement from our security team that I am not wild about, but for various reasons it is what it is. We already push all the log data into Splunk, so I am not that concerned with managing the data flow.

We are using snoopy and it works OK, but increasingly we are seeing issues with how it loads its kernel module on bootup, so I am looking for something better. Auditd would be a good option since we use it already; we could expand its usage and eliminate a tool.

I added the suggested line to capture TTY logs to system-auth in pam.d:

    session required pam_tty_audit.so enable=*

and restarted auditd. I can see the TTY logs from the root user fine, but any other users are not working as expected. When I do see commands from non-root users, the log message is a dump of all the commands run during the session instead of cleanly separated events for each command. Is that expected? I also added syscall rules for execve, which work OK but not as well as the keystroke logging for the root user.

Any idea what is wrong? Is this expected behavior? Any suggestions for a better method to achieve the requirement?

Thanks,
Ed

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
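A worked example, added here as an illustration and not part of Ed's message or of the audit project's own code. It shows the execve rules alongside the pam_tty_audit line, and a small decoder for the TTY records that pam_tty_audit produces: the keystrokes arrive hex-encoded in the data= field, and one record covers everything typed since the kernel last flushed its buffer, which is why a single record can read like a dump of a whole session. The rules file path, the key name user_cmds and the TTY record itself are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit rules plus a decoder for
# the TTY records written by pam_tty_audit. The record below is constructed
# to match the TTY record layout; data= carries the hex-encoded keystrokes.

# Rules for a file such as /etc/audit/rules.d/tty.rules (path is an assumption),
# loaded with `augenrules --load` or `auditctl -R`. execve gives one event per
# command with the full argv in the EXECVE record; the auid filters keep
# daemons (auid unset = 4294967295) out of the key.
audit_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k user_cmds
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k user_cmds
EOF
}

# The PAM line from the post. If only some accounts should be recorded,
# pam_tty_audit(8) also accepts `disable=*` followed by `enable=<users>`.
#   session required pam_tty_audit.so enable=*

# Constructed TTY record: data= is the hex of "ls -la\nwhoami\n".
REC='type=TTY msg=audit(1700000000.123:4567): tty pid=2211 uid=1000 auid=1000 ses=7 major=136 minor=2 comm="bash" data=6C73202D6C610A77686F616D690A'

# Decode the hex data= field of one TTY record to text. Done in awk so it runs
# where xxd is missing; on a live box `ausearch -m TTY -i` decodes it for you.
tty_data() {
    printf '%s\n' "$1" | awk '
    /data=/ {
        sub(/.*data=/, ""); sub(/[^0-9A-Fa-f].*/, "")
        hex = "0123456789ABCDEF"; s = toupper($0)
        for (i = 1; i <= length(s); i += 2) {
            n = (index(hex, substr(s, i, 1)) - 1) * 16 + index(hex, substr(s, i + 1, 1)) - 1
            printf "%c", n
        }
    }'
}

# Split one TTY record into one line per entered command: the Enter key (0x0A)
# is the boundary between commands. Shells running readline keep the terminal
# in non-canonical mode, so editing keys (backspace, arrows) show up as raw
# control bytes in the record and are not cleaned up here.
tty_commands() {
    tty_data "$1" | awk 'NF { print }'
}

# Stand-alone run: prints "ls -la" and "whoami" on separate lines.
# Live equivalents: ausearch -m TTY -i | less    or    aureport --tty
tty_commands "$REC"
```

The split on newline is what turns one session-sized TTY record into per-command lines on the Splunk side; the execve rules give the same granularity directly, with the resolved argv, at the cost of not seeing what was typed into interactive programs.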
