pam_tty_audit

session optional pam_tty_audit.so

disable=
    Disable auditing for the specified user.

enable=
    Enable auditing for the specified user.

audit_group=
    Audit members of the specified group (defined in /etc/group).

ignore_ttys=,,...
    A comma separated list of terminals to ignore (e.g., pts/0,tty1).

log_passwords
    Log passwords entered by users (use with extreme caution!).

nowarn
    Do not warn the user when their TTY session is being audited.

quiet
    Do not print any informational messages.

The pam_tty_audit PAM module provides auditing of user TTY sessions. It logs all input and output from a user's terminal session to the system audit log. This is useful for monitoring privileged users or troubleshooting system issues. The module is configured via /etc/pam.d/* and /etc/security/tty_audit.conf. The tty_audit.conf file specifies which users are audited and on which terminals. The logging is controlled by the auditd daemon, and the logged data can be viewed using ausearch. Careful configuration is crucial to avoid excessive logging and performance degradation. Ensure adequate disk space for audit logs and monitor them regularly. Misconfiguration can lead to system slowdowns or even lockouts if disk space is exhausted. The audit data is critical for security analysis and incident response.

Enabling pam_tty_audit can generate a large volume of audit data, potentially impacting system performance and requiring significant disk space. Carefully consider which users and terminals to audit. Avoid using log_passwords unless absolutely necessary due to the security risks.

The /etc/security/tty_audit.conf file controls which users are audited on which TTYs. The syntax is straightforward, allowing for specific user-TTY combinations or auditing all users on all TTYs.

Auditing user sessions can expose sensitive information. Secure the audit logs and restrict access to them. Properly configure auditd to ensure the logs are rotated and archived appropriately. Regularly review audit logs to identify potential security incidents. Be aware of privacy implications when auditing user sessions.

To audit all activity for user 'root', add 'session optional pam_tty_audit.so enable=root' to the /etc/pam.d/system-auth file (or similar PAM configuration). Then configure /etc/security/tty_audit.conf to specify which TTYs should be audited for 'root'.

pam_tty_audit was developed as part of the Linux-PAM project to provide a standardized way to audit TTY sessions. It is a crucial component for security and compliance in environments requiring detailed user activity logging. Its usage has grown significantly with increasing security concerns and regulatory requirements.

auditd(8), ausearch(1), pam(8)