Yeah, it's a very good start.
However it seems it still doesn't do what I want.
It seems only changing the 2 files doesn't do the job:
nano /etc/pam.d/system-auth
session required pam_tty_audit.so disable=* enable=logs log_passwd
nano /etc/pam.d/password-auth
session required pam_tty_audit.so disable=* enable=logs log_passwd
I get much more entries in /var/log/audit/audit.log for user logs like for instance if I su to this one.
However unfortunately commands like "history -c" don't still trigger an entry...
Is there still a follow-up idea on this?
Gesendet: Mittwoch, 09. Februar 2022 um 00:20 Uhr
Von: "Richard Guy Briggs" <rgb@redhat.com>
An: "André Letterer" <andre.letterer@web.de>
Cc: Linux-audit@redhat.com
Betreff: Re: How to configure auditd to register like internal bash commands?
On 2022-02-07 23:37, André Letterer wrote:
> Hi folks,
>
> I would like to have some help on configuring auditd for very short
> running commands like
> unset ...
> set ...
> export ...
> history -c
>
> or similar commands.
> How would that be possible?
> Would you mind please to help me on some knowledge about that?
You may want to look into pam_tty_audit, but it may flood your logs.
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635