I would like to audit specifically interactive actions taken from the console ttys (ttyS0, ttyS1, tty-1-6) and I've just discovered the /bin/login we use here was compiled without PAM libs. So I guess I will not be able to get auid or TTY auditing...
By the way, is there any way/future way to filter on TTY (at least just for syscalls where tty= appears) using the auditctl -F option? It seems -F includes a lot of objects but not tty?
Regards
JF
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Thursday, 3 June 2010 16:30
To: linux-audit@redhat.com
Cc: Jean-Francois Vincent
Subject: Re: audit 2.0.4 auid problem
On Thursday, June 03, 2010 09:55:35 am Jean-Francois Vincent wrote:
> 1) Is there any bug with auid always set to 4294967295?
You need pam_loginuid added to crond, gdm, login, kdm, sshd, vsftpd, or any
pamified entry point daemon. (but not sudo or su.)
> 2) I've also searched for logging commands specific to a TTY but it seems
> auditd cannot filter on one specific TTY. I've been looking for auditctl -F
> options but I don't see any TTY filtering option. Is it possible?
Look for pam_tty_audit man page.
-Steve
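
Since the thread finds no tty field for `auditctl -F`, the filtering can be done after collection instead. The following is an added example, not part of the original messages: it parses audit records, keeps the SYSCALL events whose `tty=` is one of the consoles named above, and flags those where auid is the unset value 4294967295. The log lines are constructed samples, and reading "tty-1-6" as tty1 through tty6 is an assumption.

```python
import re

# Console terminals from the post (assumption: "tty-1-6" means tty1..tty6).
CONSOLE_TTYS = {"ttyS0", "ttyS1"} | {f"tty{n}" for n in range(1, 7)}
UNSET_AUID = "4294967295"  # (uint32)-1: loginuid was never set for the session

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# Constructed sample records, shortened to the fields used here.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1275575435.101:101): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=4294967295 uid=0 tty=ttyS0 ses=4294967295 comm="vi" exe="/usr/bin/vi" key=(null)
type=PATH msg=audit(1275575435.101:101): item=0 name="/usr/bin/vi" inode=1234 mode=0100755
type=SYSCALL msg=audit(1275575440.202:102): arch=c000003e syscall=59 success=yes exit=0 ppid=950 pid=951 auid=500 uid=500 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1275575450.303:103): arch=c000003e syscall=59 success=yes exit=0 ppid=960 pid=961 auid=500 uid=0 tty=tty2 ses=4 comm="passwd" exe="/usr/bin/passwd" key=(null)
type=SYSCALL msg=audit(1275575460.404:104): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=400 auid=4294967295 uid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key=(null)
"""

def parse_record(line):
    """Return one audit record's key=value fields as a dict, or None."""
    m = MSG_RE.search(line)
    if m is None:
        return None  # not an audit record
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["time"], fields["serial"] = float(m.group(1)), int(m.group(2))
    return fields

def console_syscalls(lines, ttys=CONSOLE_TTYS):
    """Yield SYSCALL records whose tty= is one of the console terminals."""
    for line in lines:
        rec = parse_record(line)
        if rec and rec.get("type") == "SYSCALL" and rec.get("tty") in ttys:
            # Without pam_loginuid at the entry point, auid stays unset.
            rec["auid_unset"] = rec.get("auid") == UNSET_AUID
            yield rec

if __name__ == "__main__":
    for r in console_syscalls(SAMPLE_LOG.splitlines()):
        note = " (auid unset)" if r["auid_unset"] else ""
        print(f'{r["serial"]} tty={r["tty"]} auid={r["auid"]} exe={r["exe"]}{note}')
```

For ad hoc searches on a live system, `ausearch --terminal ttyS0` selects events by the same field.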