Hello,
----- "Robert Daniels" <robertdaniels2009(a)gmail.com> wrote:
I'm using pam_tty_audit and am collecting specific users,
including root.
When logged in as root, the tty events are sent to the plugin in near real-time.
However, when logged in as a user, the events are cached someplace and are eventually
flushed to the dispatcher/plugin.
The other odd thing is the cached user events are in a single event, and is a collection
of multiple tty commands stored into one chunk of data.
I've looked at the source code but do not see where this caching takes place.
For "raw mode" TTYs (e.g. the bash command-line editing environment, vi),
newline is not a reliable "command" indicator, so the keystrokes are queued
until the buffer (which is 4096 bytes) is full.
Programs that accept something like "commands" should send USER_TTY records
whenever a "command" is entered; this also flushes the buffer, creating the TTY
record containing keystrokes to that point. If I remember correctly, this is implemented
for bash and programs that use the readline library.
The problem is that only programs running as root are allowed to send audit records from
user-space, so the USER_TTY records sent from unprivileged programs are ignored and do not
flush the buffer.
I'd like to know if there is a setting to disable this caching
and send the events in real time, or at least have a way to break these events up, and
acquire a timestamp that matches when the events took place.
I'm afraid there
isn't currently a practical way to do this. (bash --noediting) does not use the raw
mode, but I'd hardly consider that practical.
Mirek