I've written an audit plugin to collect statistical data.
I have collected a lot of data over the past few weeks, and the only puzzler
relates to tty data.
I'm using pam_tty_audit and am collecting specific users, including root.
When logged in as root, the tty events are sent to the plugin in near
real-time.
However, when logged in as a user, the events are cached someplace and are
eventually flushed to the dispatcher/plugin.
The other odd thing is that the cached user events arrive as a single event,
which is a collection of multiple tty commands stored in one chunk of data.
I've looked at the source code but do not see where this caching takes
place.
I'd like to know if there is a setting to disable this caching and send the
events in real time, or at least a way to break these events up and
acquire a timestamp that matches when the events took place.
Here is a snippet of one of these 'compound' events:
type=TTY (TTY)
pid=14778 (14778)
uid=501 (robert)
auid=501 (robert)
major=136 (136)
minor=3 (3)
comm="ssh" (ssh)
data=6563687F7F6E76207C2067726...[truncated]
("ech",<backspace>,<backspace>,"nv | grep SSH",<ret>,"service auditd stop",<ret>,
 <up>,<backspace>,<backspace>,"art",<ret>,"su",<ret>,"password",<ret>,
 "service auditd stop",<ret>,<up>,<backspace>,<backspace>,"art",<ret>,"ls",<ret>,
 "p",<backspace>,"ls",<ret>,"exit",<ret>,"exit",<ret>)
- Robert
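The post asks for a way to break a compound TTY record into its individual commands. The following is an added example, not code from the original message or from the audit project's own tooling: it decodes the hex `data=` field of a TTY record into ausearch-style keystroke tokens and then replays those keystrokes through a minimal line-editor model to recover one command per `<ret>`. Its assumptions are labelled in the code: the data field is the raw keystroke bytes hex-encoded (the snippet above shows "ech",<backspace>,<backspace> as `6563687F7F`), 0x7F/0x08 are backspaces, 0x0D ends a line, `ESC [ A` is the up arrow, and `<up>`/`<down>` walk a bash-style history list. The sample record is constructed for the example, not the truncated one from the post.

```python
"""Decode an audit TTY record's data field and split it into commands.

Added example; not part of the original post or of audit's own tools.
Assumptions (labelled): keystroke bytes are hex-encoded, 0x7F/0x08 are
backspace, 0x0D is Enter, ESC [ A/B/C/D are the arrow keys, and <up>/<down>
walk a bash-style history.  Anything else is an approximation.
"""
import re

# Constructed sample (not the truncated record from the post):
#   "ech" <bs> <bs> "nv | grep SSH" <ret> "ls" <ret> "p" <bs> "ls" <ret>
SAMPLE_HEX = (
    "656368" "7F7F" "6E76207C206772657020535348" "0D"
    "6C73" "0D"
    "70" "7F" "6C73" "0D"
)

CONTROL_NAMES = {
    0x7F: "<backspace>", 0x08: "<backspace>",
    0x0D: "<ret>", 0x0A: "<nl>", 0x09: "<tab>",
    0x03: "<^C>", 0x04: "<^D>",
}
ESCAPE_SEQUENCES = {
    b"\x1b[A": "<up>", b"\x1b[B": "<down>",
    b"\x1b[C": "<right>", b"\x1b[D": "<left>",
}
CONTROL_TOKENS = set(CONTROL_NAMES.values()) | set(ESCAPE_SEQUENCES.values())
UNKNOWN_TOKEN = re.compile(r"<0x[0-9A-F]{2}>")


def tokenize(raw: bytes) -> list[str]:
    """Turn raw keystroke bytes into ausearch-style tokens: printable runs
    become one string token, control bytes and arrow sequences become
    named tokens, anything else becomes <0xNN>."""
    tokens: list[str] = []
    text: list[str] = []

    def flush() -> None:
        if text:
            tokens.append("".join(text))
            text.clear()

    i = 0
    while i < len(raw):
        for seq, name in ESCAPE_SEQUENCES.items():
            if raw.startswith(seq, i):
                flush()
                tokens.append(name)
                i += len(seq)
                break
        else:
            b = raw[i]
            if b in CONTROL_NAMES:
                flush()
                tokens.append(CONTROL_NAMES[b])
            elif 0x20 <= b < 0x7F:
                text.append(chr(b))
            else:
                flush()
                tokens.append(f"<0x{b:02X}>")
            i += 1
    flush()
    return tokens


def format_tokens(tokens: list[str]) -> str:
    """Render tokens the way ausearch -i prints them: "text",<ret>,..."""
    return ",".join(t if is_control(t) else f'"{t}"' for t in tokens)


def is_control(tok: str) -> bool:
    # A typed literal "<" would otherwise look like a control token.
    return tok in CONTROL_TOKENS or UNKNOWN_TOKEN.fullmatch(tok) is not None


def reconstruct_commands(tokens: list[str]) -> list[str]:
    """Replay keystrokes through a minimal line editor and return the text
    submitted at each <ret>.  Assumption: <up>/<down> recall earlier lines
    of this same record; other editing keys are ignored."""
    history: list[str] = []
    buf: list[str] = []
    hist_pos = 0  # 0 = fresh line, k = currently showing history[-k]
    for tok in tokens:
        if tok == "<ret>":
            history.append("".join(buf))
            buf, hist_pos = [], 0
        elif tok == "<backspace>":
            if buf:
                buf.pop()
        elif tok == "<up>":
            if hist_pos < len(history):
                hist_pos += 1
                buf = list(history[-hist_pos])
        elif tok == "<down>":
            hist_pos = max(hist_pos - 1, 0)
            buf = list(history[-hist_pos]) if hist_pos else []
        elif is_control(tok):
            continue  # tab, ^C, cursor keys: not modelled
        else:
            buf.extend(tok)
    return history


if __name__ == "__main__":
    toks = tokenize(bytes.fromhex(SAMPLE_HEX))
    print(format_tokens(toks))
    for n, cmd in enumerate(reconstruct_commands(toks), 1):
        print(f"{n}: {cmd}")
```

Because the kernel hands over one blob per record, the individual commands inside it share the record's single timestamp; the split above gives you ordering within the record but cannot recover when each line was typed. Note also that the record in the post contains the password typed at the `su` prompt; whether non-echoed input is captured depends on the pam_tty_audit version and its `log_passwd` option, so collectors of this data should treat it as sensitive.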