Being the geek that I am, I have my own private cloud which I share with my friends for testing out distributions and playing war-games with each other. One of the configurations I like adding to servers, to give visibility of what users do, is TTY logging.

You could of course just look at the user's bash history, but that can easily be wiped or removed by running various commands such as:

  • history -c
  • rm .bash_history
  • HISTFILE=/dev/null etc

The way I do this is using the PAM module pam_tty_audit, which most distributions have installed already, just not enabled (CentOS 5+ do anyway).

Enabling the Logging

On Red Hat based distributions all you need to do is add the following line to /etc/pam.d/sshd:

session required pam_tty_audit.so enable=*

This enables logging for all users. You can restrict this to certain users; for example, to log only the user jay change the line to:

enable=jay

or, to exclude certain users instead:

disable=root

You can read the man page for pam_tty_audit (man pam_tty_audit) for the full pattern syntax. Once you are ready, just restart the SSH daemon and you are good to go.

View the log file

To view the log file you can use the reporting tool aureport by issuing the following command:

aureport --tty

As you can see from the example output below, everything I did is recorded (su to root and then tail a file):

100. 09/16/2012 19:14:49 370 500 ? 6 bash ,,"su",,"exit",
101. 09/16/2012 19:14:48 366 500 ? 6 bash "exit",
102. 09/16/2012 19:17:16 396 500 ? 7 bash ,"exit",
103. 09/16/2012 19:25:30 422 500 ? 8 su "myrootpassword",
104. 09/16/2012 19:25:36 427 500 ? 8 bash "tail -f .",,"/var",,"log",,"se",,

This also brings in a security issue: the audit log captures keystrokes, so if someone gets root access there is a possibility that they can view everyone's unencrypted passwords (as in record 103 above). Something to be aware of.
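As an added example (not from the original post), the following Python script parses the aureport --tty column layout shown above and masks the keystrokes recorded for programs that prompt for a password, so the report can be handed to someone for review without exposing credentials. The column layout and the list of password-prompting programs are assumptions based on the sample output; the sample lines are copied from the output above.

```python
"""Parse `aureport --tty` output and redact keystrokes typed into
password-prompting programs before the report is shared.

Added example, not part of the original post.  Assumes the column layout
of the sample output: index, date, time, event id, auid, term, session,
comm, keystroke data.
"""
import re
from dataclasses import dataclass, replace

# Column layout of the sample report (assumption for this example).
LINE_RE = re.compile(
    r'^(?P<idx>\d+)\.\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<event>\d+)\s+'
    r'(?P<auid>\d+)\s+(?P<term>\S+)\s+(?P<ses>\d+)\s+(?P<comm>\S+)\s+(?P<data>.*)$'
)

# Programs whose TTY input normally includes a secret (assumed list).
SECRET_PROMPTERS = {"su", "sudo", "passwd", "ssh"}

# Sample copied from the post's example output (the password is the
# author's placeholder, not a real credential).
SAMPLE = """\
100. 09/16/2012 19:14:49 370 500 ? 6 bash ,,"su",,"exit",
101. 09/16/2012 19:14:48 366 500 ? 6 bash "exit",
102. 09/16/2012 19:17:16 396 500 ? 7 bash ,"exit",
103. 09/16/2012 19:25:30 422 500 ? 8 su "myrootpassword",
104. 09/16/2012 19:25:36 427 500 ? 8 bash "tail -f .",,"/var",,"log",,"se",,
"""


@dataclass
class TtyRecord:
    idx: int
    date: str
    time: str
    event: int
    auid: int
    session: int
    comm: str
    data: str


def parse_line(line):
    """Return a TtyRecord for one report line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return TtyRecord(int(m["idx"]), m["date"], m["time"], int(m["event"]),
                     int(m["auid"]), int(m["ses"]), m["comm"], m["data"])


def redact(rec):
    """Mask every quoted keystroke run if the program reads secrets from the TTY."""
    if rec.comm not in SECRET_PROMPTERS:
        return rec
    return replace(rec, data=re.sub(r'"[^"]*"', '"<redacted>"', rec.data))


def sanitise_report(text):
    """Parse a whole `aureport --tty` dump and return redacted records."""
    return [redact(r) for r in map(parse_line, text.splitlines()) if r]
```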