disable=patterns
enable=patterns
open_only
log_passwd
Only the session type is supported.
PAM_SESSION_ERR
PAM_SUCCESS
When TTY auditing is enabled, it is inherited by all processes started by that user. In particular, daemons restarted by a user will still have TTY auditing enabled, and audit TTY input even by other users unless auditing for these users is explicitly disabled. Therefore, it is recommended to use disable=* as the first option for most daemons using PAM.
To view the data that was logged by the kernel to audit use the command aureport --tty.
The patterns are comma separated lists of glob patterns or ranges of uids. A range is specified as min_uid:max_uid where one of these values can be empty. If min_uid is empty only user with the uid max_uid will be matched. If max_uid is empty users with the uid greater than or equal to min_uid will be matched.
Please note that passwords in some circumstances may be logged by TTY auditing even if the log_passwd is not used. For example, all input to an ssh session will be logged - even if there is a password being typed into some software running at the remote host because only the local TTY state affects the local TTY auditing.
Audit all administrative actions.
session required pam_tty_audit.so disable=* enable=root
aureport(8), pam.conf(5), pam.d(5), pam(8)
pam_tty_audit was written by Miloslav Trmač <mitr@redhat.com>. The log_passwd option was added by Richard Guy Briggs <rgb@redhat.com>.