at the reports from aureport and ausearch, the number of TTY
> events is always equal to the number of USER_TTY events. For instance:
> # ausearch -i -m TTY -ts today | wc -l ; ausearch -i -m USER_TTY -ts today
> | wc -l
> 20
> 20
>
> I started wondering, “Are there alway
Good afternoon,
I have TTY auditing set up on a number of hosts using pam_tty_audit for the
root account. I have this line in a PAM file to enable it:
session required pam_tty_audit.so disable=* enable=root
In looking at the reports from aureport and ausearch, the number of TTY events
Hello,
- Robert Daniels robertdaniels2...@gmail.com wrote:
I'm using pam_tty_audit and am collecting specific users, including root.
When logged in as root, the tty events are sent to the plugin in near
real-time.
However, when logged in as a user, the events are cached someplace
I've written an audit plugin to collect statistical data.
I have collected a lot of data over the past few weeks, and the only puzzler
relates to tty data.
I'm using pam_tty_audit and am collecting specific users, including root.
When logged in as root, the tty events are sent to the plugin