On Wed, 2022-02-09 at 01:24 +0100, André Letterer wrote:
> Yeah, it's a very good start.
> However it seems it still doesn't do what I want.
>
> It seems only changing the 2 files doesn't do the job:
>
> nano /etc/pam.d/system-auth
> session required pam_tty_audit.so disable=*
> enable=logs log_passwd
> nano /etc/pam.d/password-auth
> session required pam_tty_audit.so disable=*
> enable=logs log_passwd
>
> I get much more entries in /var/log/audit/audit.log for user logs
> like for instance if I su to this one.
>
> However unfortunately commands like "history -c" don't still trigger
> an entry...
>
> Is there still a follow-up idea on this?

$ man pam_tty_audit

hint consider removing disable=* and modifying enable=logs to something
else, unless of course the only account you want to tty audit is an
account named "logs".

Mark

--
Linux-audit mailing list
https://listman.redhat.com/mailman/listinfo/linux-audit
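An added example, not part of the thread and not pam_tty_audit's own code: a small Python check of which accounts a `pam_tty_audit.so` line selects, following the man page rule that `enable=`/`disable=` take comma-separated user-name globs and a later matching option overrides an earlier one. It assumes plain name globs only; the function names, the user names other than `logs`, and the second and third PAM lines are constructed for illustration.

```python
import fnmatch

def tty_audit_decision(pam_line, user):
    """Return 'enable', 'disable', or None when no option matches the user
    (in that case the module leaves the TTY audit setting unchanged)."""
    fields = pam_line.split()
    args = []
    for i, field in enumerate(fields):
        if field.endswith("pam_tty_audit.so"):
            args = fields[i + 1:]   # module arguments follow the module name
            break
    decision = None
    for arg in args:
        key, sep, value = arg.partition("=")
        if not sep or key not in ("enable", "disable"):
            continue                # log_passwd, open_only: not user selectors
        patterns = [p for p in value.split(",") if p]
        if any(fnmatch.fnmatchcase(user, p) for p in patterns):
            decision = key          # last matching option wins
    return decision

def audited_users(pam_line, users):
    """Users for whom the line turns TTY auditing on."""
    return [u for u in users if tty_audit_decision(pam_line, u) == "enable"]

# The line quoted in the thread.
THREAD_LINE = "session required pam_tty_audit.so disable=* enable=logs log_passwd"
# Constructed variants for comparison.
ALL_USERS_LINE = "session required pam_tty_audit.so enable=* log_passwd"
REVERSED_LINE = "session required pam_tty_audit.so enable=* disable=logs"

# Constructed account list; "logs" is the only name taken from the thread.
SAMPLE_USERS = ["root", "andre", "logs"]

if __name__ == "__main__":
    for line in (THREAD_LINE, ALL_USERS_LINE, REVERSED_LINE):
        print(line)
        for u in SAMPLE_USERS:
            print(f"  {u:6} -> {tty_audit_decision(line, u)}")
```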
