audit keystrokes with pam

The pam_tty_audit PAM module is used to enable or disable TTY auditing. By default, the kernel does
not audit input on any TTY

this modules is part of auditd and it takes  3 parameters

1 – disable  is pattern to disable the module in specified users u can use =* to disable it globaly

2 – enable  is pattern to enable for specified users

3 – open_only to monitor fork apps

lets assume we want to monitor keystrokes via incoming ssh connection

this is helpful because some bad users could remove their history or use screen command

we will use the pam_tty_audit inside the ssh pam file /etc/pam.d/sshd

 

add this the module to end of the file

 

 

to view users log

here is output example

tty report provides u with the userid example 0 ? 18 bash user id 0 for root

500 ? 28 bash user id 500 for tester account