<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Support encoded TTY from audit.log in Linux Auditd app in All Apps and Add-ons</title>
    <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Support-encoded-TTY-from-audit-log-in-Linux-Auditd-app/m-p/477007#M58588</link>
    <description>&lt;P&gt;It seems that the TTY and USER_TTY distinction is a Red-Hat distro thing and that Debian-based distros only use a filter key of TTY.&lt;/P&gt;

&lt;P&gt;I think there may be another way of distinguishing between root and non-root keystrokes, but I'm not clear how we could apply this to both Red-Hat and Debian-based systems.&lt;/P&gt;</description>
    <pubDate>Fri, 10 Jan 2020 01:23:33 GMT</pubDate>
    <dc:creator>Intermediate</dc:creator>
    <dc:date>2020-01-10T01:23:33Z</dc:date>
    <item>
      <title>Support encoded TTY from audit.log in Linux Auditd app</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Support-encoded-TTY-from-audit-log-in-Linux-Auditd-app/m-p/477006#M58587</link>
      <description>&lt;P&gt;Hi Doug,&lt;/P&gt;

&lt;P&gt;We've recently noticed that, despite dutifully collecting TTY keypresses (using pam), Debian/Ubuntu doesn't produce USER_TTY audit events.  The OSes seem to only produce TTY events, which are hex encoded.&lt;BR /&gt;
(We're still trying to find why/how RHEL produces (encoded) TTY and (decoded) USER_TTY events for the same keypress log event.)&lt;/P&gt;

&lt;P&gt;Would you be willing to change the way the "User TTY" feature works in your app please?  Instead of being strictly "USER_TTY" ideally it would use the "TTY" filter key AND have Splunk decode the hex strings so they remain human-readable in the output of your app?&lt;/P&gt;

&lt;P&gt;Thank you muchly!&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;EDIT: We're just researching the difference between USER_TTY and TTY filter keys in the audit log.  It seems I may have misunderstood them and one is for non-root keystrokes, the other for root only.  If you have any knowledge of Linux kernel auditing for keypresses, using pam_tty_audit.so please help me understand &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt; Thanks!&lt;/STRONG&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 03:33:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Support-encoded-TTY-from-audit-log-in-Linux-Auditd-app/m-p/477006#M58587</guid>
      <dc:creator>Intermediate</dc:creator>
      <dc:date>2020-09-30T03:33:01Z</dc:date>
    </item>
    <item>
      <title>Re: Support encoded TTY from audit.log in Linux Auditd app</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Support-encoded-TTY-from-audit-log-in-Linux-Auditd-app/m-p/477007#M58588</link>
      <description>&lt;P&gt;It seems that the TTY and USER_TTY distinction is a Red-Hat distro thing and that Debian-based distros only use a filter key of TTY.&lt;/P&gt;

&lt;P&gt;I think there may be another way of distinguishing between root and non-root keystrokes, but I'm not clear how we could apply this to both Red-Hat and Debian-based systems.&lt;/P&gt;</description>
      <pubDate>Fri, 10 Jan 2020 01:23:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Support-encoded-TTY-from-audit-log-in-Linux-Auditd-app/m-p/477007#M58588</guid>
      <dc:creator>Intermediate</dc:creator>
      <dc:date>2020-01-10T01:23:33Z</dc:date>
    </item>
    <item>
      <title>Re: Support encoded TTY from audit.log in Linux Auditd app</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Support-encoded-TTY-from-audit-log-in-Linux-Auditd-app/m-p/559923#M66123</link>
      <description>&lt;P&gt;I tested on Ubuntu today and also found that only type="TTY" was produced.&lt;BR /&gt;(I added the "session required pam_tty_audit.so enable=*" to /etc/pam.d/common-session as /etc/pam.d/password-auth-ac did not seem to get picked up. )&lt;/P&gt;&lt;P&gt;I got the "User TTY" dashboard working fine by editing the dash and setting:&lt;BR /&gt;type="USER_TTY" OR type="TTY"&lt;BR /&gt;I also added the comm field to the table as that provides additional good insight into what's going on.&lt;/P&gt;</description>
      <pubDate>Sat, 17 Jul 2021 18:51:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Support-encoded-TTY-from-audit-log-in-Linux-Auditd-app/m-p/559923#M66123</guid>
      <dc:creator>ivarny</dc:creator>
      <dc:date>2021-07-17T18:51:03Z</dc:date>
    </item>
    <item>
      <title>Re: Support encoded TTY from audit.log in Linux Auditd app</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Support-encoded-TTY-from-audit-log-in-Linux-Auditd-app/m-p/633809#M78673</link>
      <description>&lt;P&gt;Are you still doing this or is there a better way? This kind of works, but its a lot less clean than the root logs. For example, the arrow keys log, it adds spaces between letters when a user tabs. I would love to get it to look exactly as the root logs do for non-root users.&lt;/P&gt;</description>
      <pubDate>Wed, 08 Mar 2023 21:01:24 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Support-encoded-TTY-from-audit-log-in-Linux-Auditd-app/m-p/633809#M78673</guid>
      <dc:creator>xr4nd0mx</dc:creator>
      <dc:date>2023-03-08T21:01:24Z</dc:date>
    </item>
  </channel>
</rss>