How to Configure PAM to Audit Logging Shell User Activity

This is our ongoing series on Linux Auditing, in this fourth part of this article, we will explain how to configure PAM for auditing of Linux TTY input (Logging Shell User Activity) for specific users using pam_tty_audit tool.

Linux PAM (Pluggable Authentication Modules) is a highly flexible method for implementing authentication services in applications and various system services; it emerged from the original Unix PAM.

It divides authentication functions into four major management modules, namely: account modules, authentication modules, password modules and session modules. The detailed explanation of theses management groups is beyond the scope of this tutorial.

The auditd tool uses the pam_tty_audit PAM module to enable or disable auditing of TTY input for specified users. Once a user is configured to be audited, pam_tty_audit works in conjunction with the auditd to track a users actions on the terminal and if configured, capture the exact keystrokes the user makes, then records them in the /var/log/audit/audit.log file.

Configuring PAM for Auditing User TTY Input in Linux

You can configure PAM for auditing a particular users TTY input in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files, using the enable option. On the other hand, as expected, the disable turns it off for the specified users, in the format below:

session required pam_tty_audit.so disable=username,username2...  enable=username,username2..

To turn on logging of actual user keystrokes (including spaces, backspaces, return keys, the control key, delete key and others), add the log_passwd option together with the other options, using this form:

session required pam_tty_audit.so disable=username,username2...  enable=username log_passwd

But before you perform any configurations, note that:

  • As seen in the syntax above, you can pass many usernames to the enable or disable option.
  • Any disable or enable option overrides the previous opposite option that matches the same username.
  • After enabling TTY auditing, it is inherited by all processes initiated by the defined user.
  • If recording of keystrokes is activated, the input is not logged instantly, since TTY auditing first stores the keystrokes in a buffer and writes the buffer content at given intervals, or after the audited user logs out, into the /var/log/audit/audit.log file.

Let’s look at an example below, where we’ll configure pam_tty_audit to record the actions of the user tecmint including keystrokes, across all terminals, while we disable TTY auditing for all other system users.

Open these two following configuration files.

# vi /etc/pam.d/system-auth
# vi /etc/pam.d/password-auth

Add following line to the configuration files.
session required pam_tty_audit.so disable=* enable=tecmint

And to capture all keystrokes entered by the user tecmint, we can add the log_passwd option a shown.

session required pam_tty_audit.so disable=*  enable=tecmint log_passwd

Now save and close the files. Afterwards, view the auditd log file for any TTY input recorded, using the aureport utility.

# aureport --tty
Audit User TTY in Linux
Audit User TTY in Linux

From the output above, you can see the user tecmint whose UID is 1000 used the vi/vim editor, created a directory called bin and moved into it, cleared the terminal and so on.

To search for TTY input logs recored with time stamps equal to or after a specific time, use the -ts to specify the start date/time and -te to set the end date/time.

The following are some example:

# aureport --tty -ts 09/25/2017 00:00:00 -te 09/26/2017 23:00:00
# aureport --tty -ts this-week

You can find more information, in the pam_tty_audit man page.

# man  pam_tty_audit

Check out following useful articles.

  1. Configure “No Password SSH Keys Authentication” with PuTTY on Linux Servers
  2. Setting Up LDAP-based Authentication in RHEL/CentOS 7
  3. How to Setup Two-Factor Authentication (Google Authenticator) for SSH Logins
  4. SSH Passwordless Login Using SSH Keygen in 5 Easy Steps
  5. How to Run ‘sudo’ Command Without Entering a Password in Linux

In this article, we described how to configure PAM for auditing of input for specific users on CentOS/RHEL. If you have any questions or additional ideas to share, use the comment from below.

Hey TecMint readers,

Exciting news! Every month, our top blog commenters will have the chance to win fantastic rewards, like free Linux eBooks such as RHCE, RHCSA, LFCS, Learn Linux, and Awk, each worth $20!

Learn more about the contest and stand a chance to win by sharing your thoughts below!

Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

Got Something to Say? Join the Discussion...

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.