Man page - pam_tty_audit(8)
Packages containing this manual
apt-get install libpam-runtime
Manual
| PAM_TTY_AUDIT(8) | Linux-PAM Manual | PAM_TTY_AUDIT(8) |
NAME
pam_tty_audit - Enable or disable TTY auditing for specified users
SYNOPSIS
pam_tty_audit.so [disable=patterns] [enable=patterns]
DESCRIPTION
The pam_tty_audit PAM module is used to enable or disable TTY auditing. By default, the kernel does not audit input on any TTY.
OPTIONS
disable=patterns
enable=patterns
open_only
log_passwd
MODULE TYPES PROVIDED
Only the session type is supported.
RETURN VALUES
PAM_SESSION_ERR
PAM_SUCCESS
NOTES
When TTY auditing is enabled, it is inherited by all processes started by that user. In particular, daemons restarted by a user will still have TTY auditing enabled, and audit TTY input even by other users unless auditing for these users is explicitly disabled. Therefore, it is recommended to use disable=* as the first option for most daemons using PAM.
To view the data that was logged by the kernel to audit, use the command aureport --tty.
The patterns are comma-separated lists of glob patterns or ranges of uids. A range is specified as min_uid:max_uid where one of these values can be empty. If min_uid is empty, only the user with the uid max_uid will be matched. If max_uid is empty, users with a uid greater than or equal to min_uid will be matched.
Please note that passwords in some circumstances may be logged by TTY auditing even if the log_passwd option is not used. For example, all input to an ssh session will be logged, even if a password is being typed into some software running at the remote host, because only the local TTY state affects the local TTY auditing.
EXAMPLES
Audit all administrative actions.
session required pam_tty_audit.so disable=* enable=root
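The following added example (not part of the Linux-PAM manual or its source) evaluates a pam_tty_audit line against a user, applying the pattern rules from NOTES, so a reviewer can check who a configuration actually audits. It assumes that a later matching option overrides an earlier one, as the example above implies, and that a user matched by no option keeps the inherited TTY audit state; all function names are hypothetical.

```python
import fnmatch

def module_args(pam_line):
    """Return the option tokens that follow pam_tty_audit.so on a PAM config line."""
    tokens = pam_line.split()
    for i, tok in enumerate(tokens):
        if tok.endswith("pam_tty_audit.so"):
            return tokens[i + 1:]
    return []

def uid_in_range(spec, uid):
    """min_uid:max_uid rule from NOTES; exactly one side may be empty."""
    lo, _, hi = spec.partition(":")
    if not lo:                      # ":max" matches only the uid max
        return uid == int(hi)
    if not hi:                      # "min:" matches every uid >= min
        return uid >= int(lo)
    return int(lo) <= uid <= int(hi)

def patterns_match(patterns, user, uid):
    """True if any comma-separated glob or uid range matches the user."""
    for pat in patterns.split(","):
        lo, sep, hi = pat.partition(":")
        if sep and (lo + hi).isdigit():          # looks like a uid range
            if uid_in_range(pat, uid):
                return True
        elif fnmatch.fnmatchcase(user, pat):     # otherwise a glob on the name
            return True
    return False

def tty_audit_decision(pam_line, user, uid):
    """Return 'enable', 'disable', or None (state inherited, see NOTES)."""
    decision = None
    for opt in module_args(pam_line):
        key, sep, patterns = opt.partition("=")
        if sep and key in ("enable", "disable") and patterns_match(patterns, user, uid):
            decision = key           # assumption: the last matching option wins
    return decision

def starts_with_disable_all(pam_line):
    """Check the NOTES recommendation for daemons: disable=* as the first option."""
    args = module_args(pam_line)
    return bool(args) and args[0] == "disable=*"

if __name__ == "__main__":
    line = "session required pam_tty_audit.so disable=* enable=root"  # from EXAMPLES
    for user, uid in (("root", 0), ("alice", 1000)):                  # constructed users
        print(user, tty_audit_decision(line, user, uid))
    print("disable=* first:", starts_with_disable_all(line))
```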
SEE ALSO
aureport(8), pam.conf(5), pam.d(5), pam(7)
AUTHOR
pam_tty_audit was written by Miloslav Trmač <mitr@redhat.com>. The log_passwd option was added by Richard Guy Briggs <rgb@redhat.com>.
| 06/29/2025 | Linux-PAM |