pam_tty_audit and non privileged users

centos tty pam auditd

I'm working on a cents 6.3 box and am trying to log all commands executed from a bash shell and came across pam_tty_audit. I've added the appropriate line to my /etc/pam.d/system-auth file:

session     required      pam_tty_audit.so enable=*

The problem is that it does not appear to capture commands unless a user is root. For example, if i ssh in as root it logs everything to the audit log, but if I ssh as a regular user it does not start logging anything until after I have su to root.

Any ideas?


Solution 1:

This could be due to a built in protection from the auditing system. Here is a relevant quote from somebody debugging your same situation. It appears as though non-root users are prevented from sending the USER_TTY records. Instead commands will be written out either when bash exits or the collection buffer fills up.

You should be able to find the information you're looking for after the user logs out.

Related

csync2 ERROR: Connection to remote host failed
ksoftirqd hitting 100% on interface with ixgbe driver
Riak "error":"insufficient_vnodes_available"
Unable to resize ec2 ebs root volume
Deployment to thousands of Amazon S3 accounts?
Automatic updating of newer JRE on GNU/Linux
Too many Bind query (cache) denied, DNS attack?
Active Directory DNS SRV records for LDAPS
How to SSH gate forwarding git user to gitserver?
Error connecting ESX 5.0.0 to domain
Configure IIS Web Site for alternate Port and receive Access Permission error
Windows 7 Samba issue