View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0017822 | CentOS-8 | pam | public | 2020-10-30 11:33 | 2020-10-30 11:33 |
| Reporter | jeburkes76 | Assigned To | |||
| Priority | high | Severity | major | Reproducibility | always |
| Status | new | Resolution | open | ||
| Product Version | 8.2.2004 | ||||
| Summary | 0017822: pam_tty_audit.so does not function in 8.2.2004 or 8.1.1911 | ||||
| Description | Brand new installation of CentOS 8.2.2004/8.1.1911, and modified password-auth, system-auth, and sshd in pam.d to include session required pam_tty_audit.so enable=*. Example pam.d\sshd config below: #%PAM-1.0 auth substack password-auth auth include postlogin account required pam_sepermit.so account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so session required pam_tty_audit.so enable=* # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session optional pam_motd.so session include password-auth session include postlogin If I log in with my account, sudo over to root, and execute command line options such as ls, top, cd /, etc. I DO NOT get entries in the audit.log with type=USER_TTY. NOTE: I have this running and tested on a new CentOS 7.8 installation as well on production systems. | ||||
| Steps To Reproduce | - Build new CentOS 8.X system - Modify sshd, password-auth, system-auth in pam.d - Create local user with sudo access - SSH into system with local user, switch to root - Run commands - ausearch -m "USER_TTY", result no matches - ausearch -m "TTY", matches with raw command line logging data Do the same as above with CentOS 7, USER_TTY will have results. | ||||
| Additional Information | https://stackoverflow.com/questions/64560287/centos-8-pam-tty-audit-so-does-not-seem-to-work | ||||
| Tags | pam | ||||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2020-10-30 11:33 | jeburkes76 | New Issue | |
| 2020-10-30 11:33 | jeburkes76 | Tag Attached: pam |
