I have configured Auditd in a RHEL6 server and enabled TTY logging using
pam_tty_audit.so enable=*
in /etc/pam.d/system-auth and /etc/pam.d/password-auth.
I don't have any other rules configured in the audit.rules file, as I am only interested in logging commands executed by users and not in tracking all process activity.
I am able to see the commands executed by users locally in this server.
But if users are executing commands remotely from other servers using SSH, like
ssh userid@<rhel server> date
these commands are not logged in the audit logs.
Is there any way to log these?
Best Answer
You need to edit /etc/pam.d/sshd to audit ssh.
Look here: https://blog.shichao.io/2015/04/22/auditing_user_tty_and_root_commands_with_auditd_on_ubuntu.html
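One way to check whether the sshd PAM stack actually reaches a pam_tty_audit.so line, either directly in /etc/pam.d/sshd or through an included file such as password-auth. This is an added example, not part of the original question or answer; the function names tty_audit_enabled and make_sample and the sample PAM files are constructed for illustration.

```shell
# Added example. tty_audit_enabled <pam_dir> <service> [depth]
# Returns 0 when the service's session stack reaches a pam_tty_audit.so line
# carrying enable=, either directly or through include/substack/@include.
tty_audit_enabled() {
    dir=$1; file="$1/$2"; depth=${3:-0}
    [ -r "$file" ] || return 1
    [ "$depth" -lt 5 ] || return 1          # stop on include loops
    while read -r type control target rest || [ -n "$type" ]; do
        case "$type" in
            @include)                        # Debian/Ubuntu syntax
                ( tty_audit_enabled "$dir" "$control" $((depth + 1)) ) && return 0
                continue ;;
            session|-session) ;;             # only session lines matter here
            *) continue ;;                   # comments, blanks, other types
        esac
        case "$control" in
            include|substack)
                # Subshell keeps the callee from clobbering our variables.
                ( tty_audit_enabled "$dir" "$target" $((depth + 1)) ) && return 0
                continue ;;
        esac
        case "$target $rest" in
            *pam_tty_audit.so*enable=*) return 0 ;;
        esac
    done < "$file"
    return 1
}

# Constructed sample tree (not copied from a real host).
make_sample() {
    printf '%s\n' '#%PAM-1.0' \
        'auth       include      password-auth' \
        'session    include      password-auth' > "$1/sshd"
    printf '%s\n' 'auth        required      pam_deny.so' \
        'session     required      pam_tty_audit.so enable=*' > "$1/password-auth"
    printf '%s\n' '# session required pam_tty_audit.so enable=*' \
        'session     required      pam_loginuid.so' > "$1/login"
}

tmp=$(mktemp -d)
make_sample "$tmp"
for svc in sshd login; do
    if tty_audit_enabled "$tmp" "$svc"; then
        echo "$svc: pam_tty_audit enabled"
    else
        echo "$svc: pam_tty_audit not enabled"
    fi
done
rm -rf "$tmp"
```

On a real host, call it as tty_audit_enabled /etc/pam.d sshd. It confirms only the PAM side: pam_tty_audit records TTY input, and ssh userid@<rhel server> date runs without a TTY unless ssh is given -t.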