-
Bug
-
Resolution: Done-Errata
-
Normal
-
CentOS Stream 8
-
None
-
bash-4.4.20-5.el8
-
None
-
Moderate
-
rhel-sst-cs-plumbers
-
ssg_core_services
-
5
-
False
-
-
No
-
None
-
Pass
-
Automated
-
Unspecified Release Note Type - Unknown
-
-
All
-
None
What were you trying to do that didn't work?
USER_TTY events are not correctly logged in audit logs.
Please provide the package NVR for which bug is seen:
bash-5.1.8-6.el9
How reproducible:
Always
Steps to reproduce
- Modify `/etc/pam.d/sshd` to include `session required pam_tty_audit.so enable=*`.
- Logout and login again through ssh.
- Enter some commands in the interactive shell.
- Execute `aureport --tty`.
Expected results
Commands that were entered interactively should be visible individually. For example:
# aureport --tty TTY Report =============================================== date time event auid term sess comm data =============================================== 1. 01/24/2024 08:00:04 538 0 ? 3 bash "echo \"hello\"",<ret> 2. 01/24/2024 08:00:04 539 0 ? 3 ? "echo \"hello\"" 3. 01/24/2024 08:00:07 540 0 ? 3 bash "aure",<tab>,"--ty",<backspace>,"ty",<ret> 4. 01/24/2024 08:00:07 541 0 ? 3 ? "aureport --tty"
Actual results
Commands are only logged once the user logs out from the shell and are collectively in a single line. For example:
# aureport --tty TTY Report =============================================== date time event auid term sess comm data =============================================== 1. 01/24/2024 08:01:14 349 0 pts0 6 bash "echo \"hello\"",<ret>,"aur",<tab>,"--ty",<backspace>,"ty",<ret>,<^D>
- clones
-
RHEL-22619 USER_TTY events are not correctly logged in audit logs
- Closed
- links to
-
RHBA-2024:129849 bash update
- mentioned on