Re: how to use auditd to record all user command history

On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote: > This is correct. The problem is, this records every keystrokes and even > the password of the users. While I only care about the user command > history, I surely do not want to know their passwords. There is now support in the upstream kernel (3.10-rc1) and in pam (1.1.8+) to not record passwords by default. If you want the old behaviour, add the optional argument to pam_tty_audit: "log_passwd" > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <tvaughan(a)onyxpoint.com >wrote: > > Does pam_tty_audit with enable=* not do what you want? > > > > Trevor > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu(a)gmail.com&gt; wrote: > > > >> HI > >> I know this seems an old topic. But unfortunately, I can't find a > >> solution for this. I have googled long time. I tried following options: > >> > >> 1. audit execv syscall, > >> this does record every command typed any tty. However, it generates > >> lots of noise. Sometimes, the execv syscall is so frequently called that > >> the system can't afford to log every call of it and it crashes !!! > >> > >> 2. use *pam_tty_audit.so > >> * > >> this makes it possible to record one or two users, not all users. * > >> * > >> So, may I ask, is this problem solvable by auditd or do I need other > >> tools ?* > >> > >> * > >> *Thanks a lot > > > > Trevor Vaughan - RGB -- Richard Guy Briggs <rbriggs(a)redhat.com&gt; Senior Software Engineer Kernel Security AMER ENG Base Operating Systems Remote, Ottawa, Canada Voice: +1.647.777.2635 Internal: (81) 32635 Alt: +1.613.693.0684x3545