Does pam_tty_audit with enable=* not do what you want?

Trevor


On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiumingzhu@gmail.com> wrote:
HI
I know this seems an old topic. But unfortunately, I can't find a solution for this. I have googled long time. I tried following options:

1. audit execv syscall,
    this does record every command typed any tty. However, it generates lots of noise.  Sometimes, the execv syscall is so frequently called that the system can't afford to log every call of it and it crashes !!!

2. use pam_tty_audit.so
this makes it possible to record one or two users, not all users.

So, may I ask, is this problem solvable by auditd or do I need other tools ?

Thanks a lot


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit



--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan@onyxpoint.com

-- This account not approved for unencrypted proprietary information --