Linux command

pam_tty_audit command

Common examples

Enable TTY auditing

session required pam_tty_audit.so enable=*

Audit specific users

session required pam_tty_audit.so enable=admin,root

Disable for users

session required pam_tty_audit.so disable=service_account

Description

pam_tty_audit is a PAM session module that toggles the per-process TTY input auditing flag (`task->signal->audit_tty`) at session open and restores it on close. When enabled, every keystroke read from a controlling TTY by the affected processes is recorded by the kernel and forwarded to auditd as `TTY` records. It is commonly placed in `/etc/pam.d/system-auth` (or distribution-specific equivalent) as a `session` rule and used to satisfy compliance requirements (PCI-DSS, STIG) that mandate logging of administrative shell activity.

Parameters

enable=_PATTERN_
Enable TTY auditing for users matching the comma-separated pattern (use `*` for all users).
disable=_PATTERN_
Disable TTY auditing for the matching users; `enable=` and `disable=` options are processed in the order written, so a later match overrides an earlier one.
open_only
Set the audit flag only when the session is opened, and do not restore it when the session is closed.
log_passwd
Also log keystrokes entered while the TTY is in non-echo (password) mode. Disabled by default for privacy.
debug
Log additional information for debugging via `syslog(3)`.
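
The ordering of `enable=` and `disable=` described above, as an added example (not part of the original page or of Linux-PAM's code): a small checker that reports which users a PAM line actually places under TTY auditing. The function names and sample lines are constructed for illustration, and Python's `fnmatch` is assumed to stand in for the module's glob matching.

```python
import fnmatch
import shlex


def tty_audit_decision(pam_line, user):
    """Return 'enable', 'disable', or None (flag left unchanged) for user."""
    fields = shlex.split(pam_line, comments=True)
    # Everything after the module name is the module's option list.
    idx = next((i for i, f in enumerate(fields)
                if f.endswith("pam_tty_audit.so")), None)
    if idx is None:
        return None
    decision = None
    for opt in fields[idx + 1:]:
        key, sep, value = opt.partition("=")
        if not sep or key not in ("enable", "disable"):
            continue  # open_only, log_passwd, debug do not select users
        # Assumption: fnmatchcase stands in for the module's glob matching.
        if any(fnmatch.fnmatchcase(user, p) for p in value.split(",") if p):
            decision = key  # a later matching option overrides an earlier one
    return decision


def unaudited(pam_line, must_audit):
    """Users from must_audit that the line does not put under TTY auditing."""
    return [u for u in must_audit
            if tty_audit_decision(pam_line, u) != "enable"]


# Constructed sample lines: same options, different order.
NARROW = "session required pam_tty_audit.so disable=* enable=admin,root"
SHADOWED = "session required pam_tty_audit.so enable=admin,root disable=*"
EXEMPT = "session required pam_tty_audit.so enable=* disable=service_account"

if __name__ == "__main__":
    for line in (NARROW, SHADOWED, EXEMPT):
        print(line)
        for user in ("root", "admin", "service_account"):
            print(f"  {user}: {tty_audit_decision(line, user)}")
        print("  not audited:", unaudited(line, ["root", "admin"]))
```

In the `SHADOWED` line the trailing `disable=*` matches every user, so the earlier `enable=admin,root` has no effect and administrative sessions go unrecorded.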

FAQ

How do I run a basic pam_tty_audit example?

This is a PAM configuration line, not a shell command: add `session required pam_tty_audit.so enable=*` to the `session` rules of a PAM service file such as `/etc/pam.d/system-auth`, then adjust the user patterns for your system.
