Hello,

On Tuesday, November 14, 2017 8:29:34 AM EST Maupertuis Philippe wrote:
> The auditd rules for PCI reads:
> ## 10.2.2 Log administrative action. To meet this, you need to enable tty
> ## logging. The pam config below should be placed into su and sudo pam
> ## stacks.
> ## session required pam_tty_audit.so disable=* enable=root
>
> I have noticed that nothing happened unless I add in /etc/pam.d/sshd
> session required pam_tty_audit.so enable=*
If I understand, you deleted the 'disable=*' and replaced 'root' with '*'. That would be unusual. The command line is processed from left to right. So, what should happen in the original rule is disable auditing of all users, then enable auditing of only root. PCI wants administrative actions, which would only be the root user.

> At which point I get
>
> Should it be done that way?
> Did I miss something?

It works for me as specified in the PCI rules. (Tested using su.) Note that the kernel caches the keystrokes and you do not get a 1x1 mapping of events to commands entered. You will likely get multiple commands all strung together. It only creates the event when either it fills the buffer or the user ends the privileged session.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
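To make the left-to-right processing Steve describes concrete, here is an added example (not from this thread and not code from the pam_tty_audit module) that models how the `enable=`/`disable=` options select users. It assumes, following the module's documentation, that each option carries comma-separated glob patterns, that the last matching option wins, and that a user matched by no option is left unchanged.

```python
"""Model of pam_tty_audit user selection (illustrative, not the module's code)."""
import fnmatch
from typing import Optional

# Rule shipped in the PCI-DSS audit rules, as quoted in the thread.
PCI_RULE = "disable=* enable=root"
# Rule the original poster added to /etc/pam.d/sshd.
SSHD_RULE = "enable=*"


def tty_audit_enabled(options: str, user: str) -> Optional[bool]:
    """Return True/False if some enable=/disable= pattern matches `user`.

    Options are walked left to right; every matching option overwrites the
    decision, so the last match wins. None means no pattern matched and the
    module leaves the user's TTY audit state as it was (assumed behaviour).
    """
    decision: Optional[bool] = None
    for opt in options.split():
        key, _, patterns = opt.partition("=")
        if key not in ("enable", "disable"):
            continue  # flags like open_only do not select users
        if any(fnmatch.fnmatchcase(user, pat) for pat in patterns.split(",")):
            decision = key == "enable"
    return decision


def audited_users(options: str, users: list) -> list:
    """Users for whom the rule explicitly turns TTY auditing on."""
    return sorted(u for u in users if tty_audit_enabled(options, u) is True)


if __name__ == "__main__":
    # Constructed sample of accounts on a host.
    accounts = ["root", "alice", "bob"]
    for rule in (PCI_RULE, SSHD_RULE, "enable=root disable=*"):
        print(f"{rule!r:30} -> audited: {audited_users(rule, accounts)}")
```

Swapping the two options (`enable=root disable=*`) silences root again, which is why the order in the shipped rule is not interchangeable.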
