9.1.16.1. Session Audit
The Tlog application is installed on each SIMP node. It is set, by default, to log interactive shell sessions to privileged user accounts via a login shell hook.
The tlog-rec-session application may optionally be set as the user’s
default shell to log all sessions without the optional hook.
A tlog-play application is also provided to replay captured sessions.
In addition to Tlog, the PAM module pam_tty_audit is used
to record keystrokes during a root user’s session. Additional accounts can
be audited by adding them to the parameter pam::tty_audit_users.
Note
As a safeguard against recording sensitive credentials (such as passwords),
both tlog and pam_tty_audit do NOT record when echo is turned off.
Warning
The audit logs WILL RECORD SENSITIVE DETAILS (such as passwords) for any scripts or applications that:
- Do _not_ protect terminal output while entering or echoing sensitive data
- AND are run by an audited user (e.g., root)
It is therefore HIGHLY RECOMMENDED to update any such scripts or applications to turn off echo during these sensitive operations.
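One way to follow this recommendation in a POSIX shell script is shown below. It is an added example, not code from the SIMP documentation; the helper name read_secret and the prompt text are hypothetical. Echo is turned off only while the secret is typed and is restored even if the prompt is interrupted.

```sh
#!/bin/sh
# read_secret PROMPT   (hypothetical helper name, not part of SIMP or Tlog)
# Reads one line with terminal echo turned off and writes it to stdout.
# Capture the result with $(...); never let it print to the terminal,
# because session recording also captures terminal output.
read_secret() {
    _rs_saved=
    if [ -t 0 ]; then
        # Save the exact terminal settings so they can be restored.
        _rs_saved=$(stty -g)
        # Put echo back if the prompt is interrupted (Ctrl-C, hangup).
        trap 'stty "$_rs_saved"; exit 130' INT TERM HUP
        stty -echo
    fi
    printf '%s' "$1" >&2              # prompt goes to stderr, not stdout
    # IFS= and -r keep leading spaces and backslashes in the secret intact.
    if IFS= read -r _rs_value; then _rs_status=0; else _rs_status=1; fi
    if [ -n "$_rs_saved" ]; then
        stty "$_rs_saved"             # echo back on
        trap - INT TERM HUP
        printf '\n' >&2               # the typed newline was not echoed
    fi
    [ "$_rs_status" -eq 0 ] || return 1
    printf '%s\n' "$_rs_value"
}

# Usage (constructed):
#   pw=$(read_secret 'Service password: ') || exit 1
#   Hand "$pw" to its consumer over stdin or a file descriptor; do not
#   print it or run the script with "set -x" while it is in scope.
```

When stdin is not a terminal (for example, the secret is piped in), the function skips the stty calls and simply reads the line.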
References: AU-14 : SESSION AUDIT