The search in the User TTY dashboard uses user=* by default in the search arguments. That user field is automatically populated by the posix_identities lookup (via props.conf) by translating the auid field value to user, so if that lookup can't translate an auid to a user it may result it events not showing up in the dashboard. For this reason I suspect that the identities may not be populated correctly. I suggest checking your identities are being populated correctly by looking at each of the panes in the Help Dashboard.

Running the following I most definitely get user tty output:

#sudo aureport --tty -ts today

...

336. 28/05/18 12:22:23 2490591 571 ? 43278 zsh <^L>,"cd /op",<tab>,"spl",<tab>,"bin",<tab>,<^U>,"cd",<backspace>,<backspace>,<backspace>,"cd doc",<tab>,"pro",<tab>,<nl>,"ls -l",<nl>,"cd spl",<tab>,"app",<tab>,<nl>,"cd Li",<tab>,<nl>,"ls ",<^U>,"less Li",<tab>,<^L>,<nl>,<^D>

...

Hi,

Running the aforementioned search returns the auid populated e.g.

type=USER_TTY msg=audit(1527122575.703:2401630): pid=104782 uid=0 auid=571 ses=40954 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 data="ls"

I have followed your documentation with a fine tooth comb. This is what I have for PAM (on RHEL 7.5):

/etc/pam.d/password-auth

session     required      pam_tty_audit.so enable=*

/etc/pam.d/system-auth

session     required      pam_tty_audit.so enable=*

Interestingly the following command yields zero results:

#sudo grep USER_TTY /var/log/audit/audit.log
#

Can you point me in a direction as to how to make this work ?

I presume from your response the expected behavior of the USER_TTY panel is to present non uid 0 keystroke data ?

Thanks!

-Alex