On 2/8/2022 4:24 PM, André Letterer wrote:
Yeah, it's a very good start.
However it seems it still doesn't do what I want.
It seems only changing the 2 files doesn't do the job:
          nano /etc/pam.d/system-auth
            session    required     pam_tty_audit.so disable=* enable=logs log_passwd
          nano /etc/pam.d/password-auth
            session    required     pam_tty_audit.so disable=* enable=logs log_passwd
I get much more entries in /var/log/audit/audit.log for user logs like for 
instance if I su to this one.
However, unfortunately commands like "history -c" still don't trigger an entry...

There are a significant number of commands that are shell built-ins,
including "history".

Is there still a follow-up idea on this?
*Sent:* Wednesday, 09 February 2022 at 00:20
*From:* "Richard Guy Briggs" <[email protected]>
*To:* "André Letterer" <[email protected]>
*Cc:* [email protected]
*Subject:* Re: How to configure auditd to register like internal bash commands?
On 2022-02-07 23:37, André Letterer wrote:
> Hi folks,
>
> I would like to have some help on configuring auditd for very short
> running commands like
> unset ...
> set ...
> export ...
> history -c
>
> or similar commands.
> How would that be possible?
> Would you mind please to help me on some knowledge about that?

You may want to look into pam_tty_audit, but it may flood your logs.

- RGB

--
Richard Guy Briggs <[email protected]>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/linux-audit
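
Added example, not part of the original messages: pam_tty_audit writes captured keystrokes hex-encoded in the `data=` field of `type=TTY` records, so a plain-text search of audit.log for a built-in such as `history -c` will not match. This sketch decodes such records and flags the built-ins named in the thread; the sample records, the `BUILTINS` set and the function names are constructed for illustration.

```python
import re

# Built-ins named in the thread; they run inside bash without execve(),
# so they only appear in the keystrokes that pam_tty_audit records.
BUILTINS = {"history", "unset", "set", "export"}

TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):'
    r'.*?\bauid=(?P<auid>\d+)\b.*?\bcomm="(?P<comm>[^"]*)"'
    r'\s+data=(?P<data>(?:[0-9A-Fa-f]{2})+)\s*$'
)

# Constructed sample records (not taken from a real system).
SAMPLE_LOG = """\
type=TTY msg=audit(1644365001.101:412): tty pid=2210 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="bash" data=686973746F7279202D630D
type=TTY msg=audit(1644365009.440:413): tty pid=2210 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="bash" data=6C73202D6C610D
type=TTY msg=audit(1644365015.902:414): tty pid=2210 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="bash" data=756E7365787F74204849535446494C450D
type=USER_END msg=audit(1644365020.000:415): pid=2200 uid=0 auid=1000 ses=3 msg='op=PAM:session_close'
"""

def replay_keystrokes(raw):
    """Rebuild typed lines: Enter ends a line, Backspace/DEL removes a char.
    Other control bytes are dropped; arrow-key escapes are not interpreted."""
    lines, cur = [], []
    for b in raw:
        if b in (0x0D, 0x0A):
            lines.append("".join(cur))
            cur = []
        elif b in (0x08, 0x7F):
            if cur:
                cur.pop()
        elif 0x20 <= b < 0x7F:
            cur.append(chr(b))
    if cur:
        lines.append("".join(cur))
    return [l.strip() for l in lines if l.strip()]

def builtin_events(log_text):
    """Return (auid, event serial, command) for each typed line that starts with a built-in."""
    events = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line.strip())
        if not m:
            continue  # not a TTY keystroke record
        for cmd in replay_keystrokes(bytes.fromhex(m["data"])):
            if cmd.split()[0] in BUILTINS:
                events.append((int(m["auid"]), m["serial"], cmd))
    return events

if __name__ == "__main__":
    for auid, serial, cmd in builtin_events(SAMPLE_LOG):
        print(f"auid={auid} event={serial} builtin: {cmd}")
```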
