pam_ttylog is a PAM module that writes the output of a login shell to log files. It's the PAM version of my scriptedlogin 2.0.0.
Until now there have been several ways to log a user's operations, for security auditing and other purposes: having an initial script (like BASH's .bashrc) invoke the script command, applying patches to the kernel, using a serial-line logging tool, and so on. But these have problems:
To avoid these problems, pam_ttylog takes a different approach: it sets up a script-like environment in the PAM session phase of /bin/login. The session phase runs before login switches to the user's identity, so the log files can be kept in a directory the user cannot reach, with permissions that make them unreadable and unwritable by the user.
And because pam_ttylog is a PAM module, installing and using it requires no modification or replacement of the original /bin/login, getty, telnet or libraries.
Installing pam_ttylog is easy:
Extract the source archive.
In the source directory, run the following commands (the build as an ordinary user, the install as root):
make
su root
make install
With the default settings, pam_ttylog itself is installed in /lib/security and ttylogreplay (a modified version of scriptreplay from script) in /usr/local/bin/. Log files are written to /var/log/pam_ttylog/.
If you want to change these paths, edit the Makefile and/or pam_ttylog.c.
To use pam_ttylog, add a line like the following to the session section of the PAM configuration file of each service:
session optional pam_ttylog.so
With the control flag optional, a failure of pam_ttylog (for example, if the log directory cannot be written) does not stop the login; logging is best-effort. If you would rather refuse a login whose output cannot be logged, use required instead, which only helps if the module actually reports the failure.
I tested it with /etc/pam.d/login, so I have only tested it with the PAM configuration of a few programs. I tried it with ssh but it didn't work.
You can check whether log files exist, but don't display the contents of the log file of the shell you are currently using with cat or tail -f! Everything written to the terminal is also written to the log, so you get an endless loop of displaying it. Log files of sessions that have already logged out can be displayed safely.
Log files are:
/var/log/pam_ttylog/<date>-<time>-<user>-<tty>   : operation log
/var/log/pam_ttylog/<date>-<time>-<user>-<tty>-t : timing log
The first is the operation log itself. Use it if you just want a quick look.
The second holds the timing data for the output in the first (the same as script's timing file). With the ttylogreplay command shipped with pam_ttylog you can "replay" the console session. It is installed together with pam_ttylog:
ttylogreplay <logfile> [<timingfile>]
For a faithful replay, run ttylogreplay in the same terminal environment (terminal type and size) as the original session.
Log files accumulate with every login, and nothing deletes them for you. You have to keep deleting old files yourself.
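The following script is an added example, not part of pam_ttylog, covering the checks above: it verifies that the log directory is root-owned and unreachable by other users, splits the <date>-<time>-<user>-<tty>[-t] file names into their fields, and prunes logs older than a given number of days while skipping files that are still open (a session that has not logged out yet) when fuser is available. It assumes, which this README does not state, that <date>, <time> and <tty> contain no '-' themselves, and that the directory should have mode 0700.

```shell
#!/bin/sh
# Added example, not part of pam_ttylog: inspect and prune its log directory.
# Assumptions (not stated by the README): <date> and <time> contain no '-',
# <tty> contains no '-', and the directory should be root-owned, mode 0700.
LOGDIR="${LOGDIR:-/var/log/pam_ttylog}"

# Return 0 if $1 is a directory owned by $2 (default root) with no group/other
# permission bits, i.e. unreachable by ordinary users as the README requires.
check_logdir_perms() {
    dir="$1"; want_owner="${2:-root}"
    [ -d "$dir" ] || return 1
    set -- $(ls -ld "$dir")      # portable: field 1 = mode, field 3 = owner
    mode="$1"; owner="$3"
    [ "$owner" = "$want_owner" ] || return 1
    case "$mode" in
        d???------*) return 0 ;;  # a trailing '+' or '.' (ACL/SELinux) is fine
        *)           return 1 ;;
    esac
}

# Split "<date>-<time>-<user>-<tty>[-t]" into "date time user tty kind",
# where kind is "log" for the operation log and "timing" for the timing log.
# The user name may itself contain '-', so the tty is taken from the end.
parse_logname() {
    name=$(basename "$1")
    kind=log
    case "$name" in
        *-t) kind=timing; name="${name%-t}" ;;
    esac
    date="${name%%-*}"; rest="${name#*-}"
    time="${rest%%-*}"; rest="${rest#*-}"
    tty="${rest##*-}";  user="${rest%-*}"
    echo "$date $time $user $tty $kind"
}

# Delete operation and timing logs older than $2 days (default 30) under $1.
# A file still held open, i.e. a session that has not logged out yet, is
# skipped when fuser is available. With DRY_RUN=1 nothing is deleted and the
# candidates are listed on stderr. Prints the number of files (to be) removed.
prune_logs() {
    dir="${1:-$LOGDIR}"; days="${2:-30}"
    removed=0
    for f in $(find "$dir" -type f -mtime +"$days"); do
        if command -v fuser >/dev/null 2>&1 && fuser -s "$f" 2>/dev/null; then
            echo "skip (still open): $f" >&2
            continue
        fi
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would remove: $f" >&2
        else
            rm -f "$f"
        fi
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Check the directory, list the sessions it holds, then prune logs older than
# 30 days. Dry-run by default; run as "DRY_RUN=0 sh this.sh run" to delete.
main() {
    check_logdir_perms "$LOGDIR" || echo "warning: $LOGDIR is not root-owned mode 0700" >&2
    for f in "$LOGDIR"/*; do
        if [ -f "$f" ]; then parse_logname "$f"; fi
    done
    echo "removed: $(DRY_RUN="${DRY_RUN:-1}" prune_logs "$LOGDIR" 30)"
}
[ "${1:-}" = run ] && main
```

Run it as root so that the directory is readable; pass a scratch directory via LOGDIR to try it on a copy first. The age-based rule is a placeholder for whatever retention period your audit policy requires.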
pam_ttylog depends completely on PAM and partly on /bin/login. So it doesn't work in the cases below:
pam_ttylog contains code from the script command (BSD license) and from pam_unix (BSD-like/GNU GPL version 2). pam_ttylog itself is licensed under the BSD license. See LICENSE for details.
ttylogreplay is a modified version of scriptreplay from script. It is licensed under its original license (which appears to be public domain).