pam_tty_audit
Enable or disable kernel TTY input auditing (keystroke recording) for specified users
SYNOPSIS
Add to the session stack of a PAM service file (e.g., /etc/pam.d/sshd, or a centrally included file such as /etc/pam.d/system-auth on Red Hat derived systems):
session required pam_tty_audit.so [disable=patterns] [enable=patterns] [open_only] [log_passwd]
Only the session module type is provided; the module does nothing in the auth, account or password stacks.
PARAMETERS
The module accepts exactly the four options below. It has no option for choosing a log file or directory, for restricting by UID or GID, or for filtering by terminal type, because it does not write any log itself: it only sets a per-process flag in the kernel, and the kernel audit subsystem and auditd do the recording (see DESCRIPTION).
disable=patterns
For each user whose name matches patterns, disable TTY auditing. This overrides any previous enable option for that user. patterns is a comma-separated list of shell glob patterns (fnmatch semantics, e.g. ops-*) matched against the user name of the session.
enable=patterns
For each user whose name matches patterns, enable TTY auditing. This overrides any previous disable option for that user. enable and disable options are evaluated left to right in the order written on the module line, so the last option that matches a given user decides; a user matched by no pattern is left with whatever audit flag the session process inherited, which is off by default.
open_only
Set the TTY audit flag when the session is opened but do not restore the previous value when the session is closed. This is needed for services that do not fork() to run the authenticated session, such as sudo; without it the flag is reset before the command the user asked for runs.
log_passwd
Also record keystrokes typed while the terminal is in ICANON mode with ECHO disabled, that is, while the user is entering a password at a prompt. Without this option such input is deliberately skipped. Requires Linux kernel 3.9 or later.
Any other argument is rejected: the module logs "unknown option" via syslog and returns PAM_SESSION_ERR. With the usual control flag of required, a misspelled option therefore fails the session and can lock every user out of that service, so keep a second session open while editing and test before logging out.
DESCRIPTION
pam_tty_audit is a Linux-PAM session module that switches the kernel's TTY input auditing on or off for the process that runs a user's session. By default the kernel audits input on no TTY. When a user matches an enable pattern, the module sets the kernel's TTY audit flag on the current process in pam_sm_open_session; the flag is inherited by every child the session creates (the login shell and everything started from it), so it also follows the user through su or sudo started inside that session. When the session is closed the previous value is restored unless open_only was given.
While the flag is set, the kernel records the bytes that audited processes read from their terminal: what the user types, not what the screen shows. Output is never captured. The records travel through the kernel audit subsystem to the audit daemon, auditd, which stores them as type=TTY records in /var/log/audit/audit.log. The module writes no file of its own and has no connection to syslog or systemd-journald; a kernel with audit support and a running auditd are required, otherwise nothing is written to the audit log. Keystrokes typed at echo-off prompts (passwords) are skipped unless log_passwd is set.
The module is used for security auditing, regulatory compliance and post-incident forensics, typically to retain a keystroke record of administrative (root or sudo) sessions. What it yields is the raw typed stream, including editing keys, tab completions and control characters, rather than the command line the shell eventually executed; aureport --tty summarizes it per session and ausearch -i decodes individual records. Because every keystroke of every audited session is kept, size the audit log and its rotation (max_log_file, num_logs and max_log_file_action in /etc/audit/auditd.conf) accordingly.
CAVEATS
Implementing pam_tty_audit introduces several considerations:
Performance Overhead: The kernel captures input bytes only, so the cost scales with the typing rate rather than with screen output and is modest for interactive shells. Pasting large blocks of text, or running programs that read the terminal heavily (editors, an ssh client started from the audited shell), produces correspondingly more records, and every process in the audited tree emits them.
Storage Requirements: Records accumulate in auditd's log alongside all other audit events, and the hex encoding of the data field doubles its size. Set max_log_file, num_logs and max_log_file_action in /etc/audit/auditd.conf, and forward records to a central collector rather than relying on local files alone.
Privacy Concerns: Passwords entered at echo-off prompts are skipped unless log_passwd is set, but anything typed with echo on is recorded: credentials passed on a command line (mysql -psecret), tokens pasted into the shell, here-documents, and a password mistakenly typed at the shell prompt. With log_passwd every password the user enters during the session lands in plaintext in audit.log. Strict access policies and legal review are required before enabling it.
Log Security: The sessions most worth auditing, root and sudo, are also the ones able to read, truncate or delete /var/log/audit/audit.log. The evidentiary value of the records depends on shipping them off the host promptly (for example with the audisp remote plugin) and on restricting who can change the audit configuration.
Scope Limitation: Only input read through a TTY or PTY is recorded. Graphical applications, X11 or Wayland keystrokes, SSH commands run without a pseudo-terminal (ssh host cmd without -t), scp and sftp transfers, cron jobs and daemons are not seen. The record is what was typed, not what ran: a script whose contents were never typed, an alias, or a shell function shows up only as the keystrokes that invoked it, and input to programs in raw mode (vim, less, a nested ssh) is a mixture of editing keys and escape sequences that must be interpreted with the program in mind.
Configuration Complexity: An unrecognized option makes the module return PAM_SESSION_ERR, and with required that fails the login. Edit PAM files with a second root session open, test each service (sshd, login, sudo) separately, and remember that sudo needs open_only.
CONFIGURATION DETAILS
pam_tty_audit is configured by adding a line to the session stack of a PAM service file: /etc/pam.d/sshd for SSH logins, /etc/pam.d/login for console logins, or, to cover every login path at once, a centrally included file such as /etc/pam.d/system-auth (and password-auth) on Red Hat derived systems. It belongs only in the session stack.
Example line to audit root and nobody else (the example from the module's own manual). Options are evaluated left to right and the last match wins: disable=* first switches auditing off for everyone, then enable=root switches it back on for root:
session required pam_tty_audit.so disable=* enable=root
Example line to audit root, the sysadmin account and every account whose name begins with ops-; patterns are shell globs:
session required pam_tty_audit.so disable=* enable=root,sysadmin,ops-*
Example line for /etc/pam.d/sudo, where open_only is required because sudo does not fork() to run the authenticated session and the flag would otherwise be cleared before the command runs:
session required pam_tty_audit.so open_only enable=*
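The following added example, which is not part of Linux-PAM, models the option evaluation described above in Python: enable=patterns and disable=patterns are processed in the order written, each pattern is a shell glob matched against the user name (the module uses fnmatch), the last match wins, a user matched by nothing keeps the inherited flag, and an unrecognized option is refused. The helper names (parse_args, decision, tty_audited, audited_users, rejected) are this example's own.

```python
"""Model of how pam_tty_audit decides whether to audit a user's TTY.

Added example, not code from Linux-PAM. It re-implements the documented
option evaluation: enable=patterns / disable=patterns are processed in the
order written, every pattern is a shell glob matched against the user name,
and the last option that matches a user wins. Arguments the module does not
know are rejected, mirroring the real module's PAM_SESSION_ERR.
"""
from fnmatch import fnmatchcase


class UnknownOption(ValueError):
    """Raised for an argument pam_tty_audit would refuse (PAM_SESSION_ERR)."""


def parse_args(argv):
    """Turn the module argument list into (kind, patterns) tuples.

    kind is "enable", "disable", "open_only" or "log_passwd"; patterns is
    the comma-separated glob list for enable/disable and empty otherwise.
    """
    parsed = []
    for arg in argv:
        kind, sep, value = arg.partition("=")
        if kind in ("enable", "disable") and sep:
            parsed.append((kind, [p for p in value.split(",") if p]))
        elif arg in ("open_only", "log_passwd"):
            parsed.append((arg, []))
        else:
            # The real module logs "unknown option `...'" and fails the session.
            raise UnknownOption(f"unknown option `{arg}'")
    return parsed


def decision(user, argv):
    """Return "enable", "disable" or None.

    None means no pattern matched, so the module leaves the kernel's TTY
    audit flag as the session process inherited it (off by default).
    """
    result = None
    for kind, patterns in parse_args(argv):
        if kind in ("enable", "disable") and any(
            fnmatchcase(user, pat) for pat in patterns
        ):
            result = kind  # a later matching option overrides an earlier one
    return result


def tty_audited(user, argv, inherited=False):
    """Whether the session's processes end up with TTY auditing switched on."""
    d = decision(user, argv)
    return inherited if d is None else d == "enable"


def audited_users(users, argv):
    """Which of `users` a given module line would audit, sorted."""
    return sorted(u for u in users if tty_audited(u, argv))


def rejected(argv):
    """True if the module would refuse this argument list outright."""
    try:
        parse_args(argv)
    except UnknownOption:
        return True
    return False


if __name__ == "__main__":
    line = ["disable=*", "enable=root,ops-*"]
    print(audited_users(["alice", "root", "ops-bob", "ops"], line))  # ['ops-bob', 'root']
    print(rejected(["enable=root", "log_dir=/var/log/tty"]))  # True
```

Running it shows why the manual's disable=* enable=root idiom works and why reversing the two options would audit everyone except root; it also shows that a stray option such as log_dir= does not get ignored but fails the session.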
LOG FILE FORMAT
pam_tty_audit writes no file of its own. The records originate in the kernel and are stored by auditd in /var/log/audit/audit.log as type=TTY events, one record per chunk of buffered input per process, in the same line format as every other audit record: the header msg=audit(seconds.milliseconds:serial), then pid, uid, auid (the login UID, which survives su and sudo and ties the record to the person who logged in), ses (the audit session id assigned at login), major and minor numbers of the terminal device (136 is the pty major), comm (the process that read the input, typically bash), and data, the raw bytes read from the terminal as an uppercase hex string. The hex encoding is what makes the field unreadable as written; ausearch -i decodes it and aureport --tty prints a per-session summary. Expect Enter to appear as 0x0D (carriage return) because an interactive shell puts the terminal into raw mode, and expect backspace (0x7F), tab and arrow-key escape sequences to appear exactly as typed: the record is the keystroke stream, not the command the shell finally ran, so reconstructing commands means replaying the editing keys.
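The following added example, which is not part of Linux-PAM or the audit userspace tools, does that reconstruction in Python: it parses type=TTY records out of audit.log text, decodes the hex data field, orders the records by timestamp and serial, groups them per login UID, session and process, and replays the keystrokes through a minimal line editor so that Enter ends a line, backspace erases a character and other control keys are shown caret-style. The log lines embedded in it are constructed for the example; the field names match what the kernel emits but the values are invented, and the helper names (parse_tty_records, render_keystrokes, reconstruct_sessions) are this example's own.

```python
"""Decode pam_tty_audit keystroke records from an auditd log.

Added example; it is not part of Linux-PAM or audit-userspace. The records
below are constructed to match the layout auditd writes for kernel TTY
audit events (type=TTY ... comm="bash" data=<hex keystrokes>); the field
names follow what the kernel emits, the values are made up.
"""
import re
from collections import defaultdict

# Constructed sample log: a sudo'd root shell (uid=0, auid=1000 still names
# the login user), a second session, and an unrelated PAM record to be skipped.
# Records are deliberately out of order to exercise the sort.
SAMPLE_LOG = """\
type=USER_START msg=audit(1700000000.100:500): pid=4242 uid=1000 auid=1000 ses=7 msg='op=PAM:session_open grantors=pam_unix,pam_tty_audit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=TTY msg=audit(1700000000.123:501): tty pid=4242 uid=0 auid=1000 ses=7 major=136 minor=2 comm="bash" data=6C73202D6C0D
type=TTY msg=audit(1700000002.777:503): tty pid=5151 uid=0 auid=1000 ses=8 major=136 minor=3 comm="bash" data=77686F616D690D
type=TTY msg=audit(1700000001.456:502): tty pid=4242 uid=0 auid=1000 ses=7 major=136 minor=2 comm="bash" data=636174202F6574632F736861646F77777F0D
"""

TTY_RECORD = re.compile(r"^type=TTY msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_tty_records(log_text):
    """Return the type=TTY records in log_text, sorted by (timestamp, serial)."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RECORD.match(line)
        if not m:
            continue  # every other record type is ignored
        fields = {k: v.strip('"') for k, v in FIELD.findall(m.group("rest"))}
        try:
            keystrokes = bytes.fromhex(fields.get("data", ""))
        except ValueError:
            continue  # malformed hex: skip the line rather than abort the whole replay
        records.append({
            "ts": float(m.group("ts")), "serial": int(m.group("serial")),
            "pid": int(fields["pid"]), "uid": int(fields["uid"]),
            "auid": int(fields["auid"]), "ses": int(fields["ses"]),
            "comm": fields.get("comm", ""), "keystrokes": keystrokes,
        })
    records.sort(key=lambda r: (r["ts"], r["serial"]))
    return records


def render_keystrokes(raw):
    """Replay raw keystrokes as a line editor would see them.

    Returns (completed_lines, pending): Enter (CR from a raw-mode shell, LF in
    canonical mode) ends a line, DEL/BS erase one character, ^U kills the line,
    other control keys are shown caret-style (^C) and non-ASCII bytes as \\xNN.
    This is what was typed; readline history/arrow keys appear as ^[[A etc.
    """
    lines, line = [], []
    for b in raw:
        if b in (0x0D, 0x0A):
            lines.append("".join(line))
            line = []
        elif b in (0x7F, 0x08):
            if line:
                line.pop()
        elif b == 0x15:
            line = []
        elif 0x20 <= b < 0x7F:
            line.append(chr(b))
        elif b < 0x20:
            line.append("^" + chr(b + 0x40))
        else:
            line.append(f"\\x{b:02x}")
    return lines, "".join(line)


def reconstruct_sessions(log_text):
    """Map (auid, ses, pid) -> list of entered lines, replaying each process's stream."""
    streams = defaultdict(bytearray)
    for r in parse_tty_records(log_text):
        streams[(r["auid"], r["ses"], r["pid"])] += r["keystrokes"]
    result = {}
    for key, raw in streams.items():
        lines, pending = render_keystrokes(bytes(raw))
        if pending:
            lines.append(pending + "  <no Enter recorded>")
        result[key] = lines
    return result


if __name__ == "__main__":
    for (auid, ses, pid), lines in sorted(reconstruct_sessions(SAMPLE_LOG).items()):
        for entered in lines:
            print(f"auid={auid} ses={ses} pid={pid}: {entered}")
```

The second record of session 7 contains a typo corrected with backspace (0x7F) before Enter; the replay yields cat /etc/shadow, which is what the user actually ran, while a plain hex decode would show the typo and the DEL byte. In production, ausearch -i and aureport --tty cover the decoding; this is useful when the records have been shipped to a collector that only stores the raw lines.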
HISTORY
pam_tty_audit ships with Linux-PAM, the Linux implementation of the Pluggable Authentication Modules framework that dates from the mid-1990s. The module and the kernel's TTY input auditing that it controls were written by Miloslav Trmač at Red Hat in 2007 and became available in Linux-PAM and the mainline kernel in 2008, driven by the session-auditing demands of regulated environments. The log_passwd option, and the kernel flag it depends on, arrived later and requires Linux 3.9 or newer. The module's role has not changed since: it only sets a kernel flag, and all record handling is done by the kernel audit subsystem and auditd. It has never logged through syslog or systemd-journald.