Re: How to configure auditd to register like internal bash commands?

Yeah, it's a very good start. However it seems it still doesn't do what I want. It seems only changing the 2 files doesn't do the job:           nano /etc/pam.d/system-auth             session    required     pam_tty_audit.so disable=* enable=logs log_passwd           nano /etc/pam.d/password-auth             session    required     pam_tty_audit.so disable=* enable=logs log_passwd I get much more entries in /var/log/audit/audit.log for user logs like for instance if I su to this one. However unfortunately commands like "history -c" don't still trigger an entry...

Is there still a follow-up idea on this? *Gesendet:* Mittwoch, 09. Februar 2022 um 00:20 Uhr *Von:* "Richard Guy Briggs" <rgb(a)redhat.com&gt; *An:* "André Letterer" <andre.letterer(a)web.de&gt; *Cc:* Linux-audit@redhat.com *Betreff:* Re: How to configure auditd to register like internal bash commands? On 2022-02-07 23:37, André Letterer wrote: > Hi folks, > > I would like to have some help on configuring auditd for very short > running commands like > unset ... > set ... > export ... > history -c > > or similar commands. > How would that be possible? > Would you mind please to help me on some knowledge about that? You may want to look into pam_tty_audit, but it may flood your logs. - RGB -- Richard Guy Briggs <rgb(a)redhat.com&gt; Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list Linux-audit(a)redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit