A few updates for the initial Linux PAM setup section of this article:
- It is recommended to create and modify specific *.rules files in /etc/audit/rules.d/, rather than edit /etc/audit/audit.rules directly.
- Instead of Mitre, you could use the example rulesets defined in the Linux audit project: https://github.com/linux-audit/audit-userspace/tree/master/rules
- Once you have created/updated audit rules, instead of restarting the audit service try loading them using the below command:
augenrules --load
- When configuring pam_tty_audit.so on Ubuntu, you should:
  - Install auditd
  - Add the relevant pam_tty_audit.so line to /etc/pam.d/common-session.
  - Ensure this line appears above the first "session required" entry.
  - Update /etc/ssh/sshd_config to ensure that "UsePAM yes" is set (otherwise SSH session keystrokes will not be captured).
- When configuring pam_tty_audit.so on RHEL, you should:
  - Install auditd
  - Add the relevant pam_tty_audit.so line to /etc/pam.d/system-auth
  - Add the relevant pam_tty_audit.so line to /etc/pam.d/password-auth
- PAM buffers keystrokes and does not log them immediately. It writes a user's keystrokes to the audit log when the buffer is full, or when the user's session is terminated.
- NOTE: regardless of the presence or absence of the log_passwd keyword in your pam_tty_audit.so, passwords will be logged in forwarded SSH sessions.
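An added example (not part of the article or of this comment) that checks the two Ubuntu requirements listed above, the pam_tty_audit.so line sitting above the first other "session required" entry and "UsePAM yes" being the effective sshd_config setting, against constructed sample files; the file paths and function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify pam_tty_audit.so ordering and UsePAM in sshd_config.
# Sample files are constructed below so the checks run offline.

# Exit 0 when a non-comment pam_tty_audit.so line exists and sits above the
# first other non-comment "session required" entry; exit 1 otherwise.
check_pam_tty_audit_order() {
    awk '
        /^[[:space:]]*#/ { next }                  # skip comment lines
        /pam_tty_audit\.so/ && !tty { tty = NR }   # first pam_tty_audit line
        $1 == "session" && $2 == "required" && !/pam_tty_audit\.so/ && !req { req = NR }
        END { exit !(tty && (!req || tty < req)) }
    ' "$1"
}

# Exit 0 when the effective UsePAM directive is "yes". sshd keeps the first
# value it reads for a keyword, so only the first non-comment match counts.
check_usepam_yes() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "usepam" { found = 1; ok = (tolower($2) == "yes"); exit }
        END { exit !(found && ok) }
    ' "$1"
}

# Constructed sample files (hypothetical paths under a temp directory).
TMP=$(mktemp -d)
GOOD_SESSION="$TMP/common-session.good"; BAD_SESSION="$TMP/common-session.bad"
printf '%s\n' '# constructed sample: pam_tty_audit before pam_unix' \
  'session required pam_tty_audit.so enable=* log_passwd' \
  'session [default=1] pam_permit.so' \
  'session required pam_unix.so' > "$GOOD_SESSION"
printf '%s\n' 'session [default=1] pam_permit.so' \
  'session required pam_unix.so' \
  'session required pam_tty_audit.so enable=*' > "$BAD_SESSION"
SSHD_OK="$TMP/sshd_config.ok"; SSHD_BAD="$TMP/sshd_config.bad"
printf '%s\n' '#UsePAM no' 'UsePAM yes' > "$SSHD_OK"
printf '%s\n' 'UsePAM no' '# UsePAM yes' > "$SSHD_BAD"

# Human-readable report; the functions above carry the actual verdicts.
report() {  # usage: report "<label>" <check-function> <file>
    if "$2" "$3"; then echo "PASS: $1"; else echo "FAIL: $1"; fi
}
report "good common-session ordering" check_pam_tty_audit_order "$GOOD_SESSION"
report "bad common-session ordering"  check_pam_tty_audit_order "$BAD_SESSION"
report "sshd_config UsePAM yes"       check_usepam_yes "$SSHD_OK"
report "sshd_config UsePAM no"        check_usepam_yes "$SSHD_BAD"
```

Point the two functions at the real /etc/pam.d/common-session and /etc/ssh/sshd_config to audit a live host; a non-zero exit flags the condition the comment warns about.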