On Mon, Oct 7, 2013 at 1:30 PM, zhu xiuming <xiuming...@gmail.com> wrote: > This is correct. The problem is, this records every keystrokes and even the > password of the users. While I only care about the user command history, I > surely do not want to know their passwords. >
There is another problem - users without a tty will be able to type commands that aren't loged (hence not a full solution). A test case for this is: ssh host ls > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <tvaug...@onyxpoint.com> > wrote: >> >> Does pam_tty_audit with enable=* not do what you want? >> >> Trevor >> >> >> On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <xiuming...@gmail.com> wrote: >>> >>> HI >>> I know this seems an old topic. But unfortunately, I can't find a >>> solution for this. I have googled long time. I tried following options: >>> >>> 1. audit execv syscall, >>> this does record every command typed any tty. However, it generates >>> lots of noise. Sometimes, the execv syscall is so frequently called that >>> the system can't afford to log every call of it and it crashes !!! >>> >>> 2. use pam_tty_audit.so >>> this makes it possible to record one or two users, not all users. >>> >>> So, may I ask, is this problem solvable by auditd or do I need other >>> tools ? >>> >>> Thanks a lot >>> >>> >>> -- >>> Linux-audit mailing list >>> Linux-audit@redhat.com >>> https://www.redhat.com/mailman/listinfo/linux-audit >> >> >> >> >> -- >> Trevor Vaughan >> Vice President, Onyx Point, Inc >> (410) 541-6699 >> tvaug...@onyxpoint.com >> >> -- This account not approved for unencrypted proprietary information -- > > > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit