7.1.16.1. Session Audit¶
The sudosh
tool is installed on each SIMP node. It` logs the terminal
output of user’s terminal session, which is written to the log file
/var/log/sudosh/log
. Another utility, sudosh-replay
can be used to
replay the session.
The PAM module pam_tty_audit
is used to record keystrokes during a root
user’s session. Additional accounts can be audited by adding them to the
parameter pam::tty_audit_users
,
Note
As a safeguard against recording sensitive credentials (such as passwords),
both sudosh
and pam_tty_audit
do NOT record when echo
is turned off.
Warning
The audit logs WILL RECORD SENSITIVE DETAILS (such as passwords) for any scripts or applications that:
- Do _not_ protect terminal output while entering or echoing sensitive data
- AND are run by an audited user (e.g.,
root
)
It is therefore HIGHLY RECOMMENDED to update any such scripts or applications to turn of echo during these sensitive operations.
References: AU-14 : SESSION AUDIT