Here's a place to start http://linux.die.net/man/8/pam_tty_audit

On 7/26/2016 5:00 AM, Pavithra P wrote: >Hi, > >I am trying to see what commands are typed in my terminal and serial >port. For that I am using auditd daemon which helps me in auditing >files. >I thought of a creating audit rules on /dev/tty and /dev/ttyAMA0 for >seeing whats happening on terminal and serial device respectively > >auditctl -w /dev/tty -p rwx -k terminal >auditctl -w /dev/ttyAMA0 -p rwx -k serialport > >But this records only the echo on tty. I cant audit all the commands >typed on the terminal. I enabled tty logging in the PAM file too by >adding session required pam_tty_audit.so enable=* in /etc/pam.d/sshd >file. >Is there any other way to do this auditing. I want to use auditd >daemon only so that all my auditing log is in one file.