7.1.16.1. Session Audit¶
The Tlog application is installed on each SIMP node. It is set, by default, to log interactive shell sessions to privileged user accounts via a login shell hook.
The tlog-rec-session
application may optionally be set as the user’s
default shell to log all sessions without the optional hook.
A tlog-play
application is also provided to replay captured sessions.
In addition to Tlog, the PAM module pam_tty_audit
is used
to record keystrokes during a root
user’s session. Additional accounts can
be audited by adding them to the parameter pam::tty_audit_users
.
Note
As a safeguard against recording sensitive credentials (such as passwords),
both tlog
and pam_tty_audit
do NOT record when echo
is turned off.
Warning
The audit logs WILL RECORD SENSITIVE DETAILS (such as passwords) for any scripts or applications that:
- Do _not_ protect terminal output while entering or echoing sensitive data
- AND are run by an audited user (e.g.,
root
)
It is therefore HIGHLY RECOMMENDED to update any such scripts or applications to turn of echo during these sensitive operations.
References: AU-14 : SESSION AUDIT