I am using the pam_tty_audit module to log keystrokes. I used the instructions here to enable it: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
It works fine and logs all the keystrokes.
However, it does not log the keystrokes immediately. I noticed that it logs the keystrokes when:
1) The user session is closed, e.g. I type "exit"
2) At some seemingly random time. Unfortunately I could not reproduce this with my tests today, but I am pretty sure I have seen this happening.
Can anyone help me understand item 2) above? Can I control the period at which pam_tty_audit flushes the keystrokes and generates the auditd event? Is it configurable or hardcoded?
To test the "flush period", I typed "date" in a terminal. I did not log out in order to trigger the flush at logout. I just left the terminal idle.
In a second terminal I executed the command "aureport --tty" and waited until I saw the event with the "date" command. I waited up to 1 hour and did not see the audit log. As soon as I exited from the first terminal, the log appeared.
Is it possible to configure pam_tty_audit to flush the keystrokes earlier?
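Added example, not part of the question above and not code from pam_tty_audit or the audit userspace tools: a small Python parser that reads the raw audit.log lines that `aureport --tty` summarises, keeps the `type=TTY` records, and decodes the hex `data=` keystroke buffer into readable keystrokes and the command lines as the shell received them (backspaces applied, carriage returns treated as line ends). The sample log lines are constructed, not real captures, and the field layout is assumed to follow the raw TTY record format auditd writes to /var/log/audit/audit.log. The first sample record is built to look like the situation described in the question: one record carrying both the "date" typed earlier and the "exit" that ended the session.

```python
import re
import sys
from typing import Dict, List, Union

# Constructed sample audit.log lines (not real captures). The layout is assumed
# to match the raw TTY records auditd writes; data= is the hex keystroke buffer.
SAMPLE_AUDIT_LOG = """\
type=USER_START msg=audit(1500000000.100:200): pid=2001 uid=0 auid=1000 ses=5 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=TTY msg=audit(1500003600.250:231): tty pid=2003 uid=1000 auid=1000 ses=5 major=136 minor=2 comm="bash" data=646174650D657869740D
type=TTY msg=audit(1500003605.000:235): tty pid=2101 uid=1000 auid=1000 ses=6 major=136 minor=3 comm="bash" data=6C737F73202D6C610D
"""

# Prefix shared by every raw audit record: type, epoch timestamp and serial.
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$')
# key=value fields; values are either bare tokens or double-quoted strings.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body: str) -> Dict[str, str]:
    """Split the body of an audit record into a key -> value dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def render_keystrokes(hexdata: str) -> str:
    """Show the hex data= buffer as the keys that were pressed, one token per key."""
    out = []
    for b in bytes.fromhex(hexdata):
        if b == 0x0D:
            out.append('<ret>')
        elif b == 0x09:
            out.append('<tab>')
        elif b in (0x08, 0x7F):
            out.append('<del>')
        elif 0x20 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append('<0x%02x>' % b)   # other control bytes, shown raw
    return ''.join(out)


def typed_commands(hexdata: str) -> List[str]:
    """Reconstruct the lines the shell received: apply backspaces, split on <ret>."""
    lines, cur = [], []
    for b in bytes.fromhex(hexdata):
        if b == 0x0D:                    # carriage return ends the line
            lines.append(''.join(cur))
            cur = []
        elif b in (0x08, 0x7F):          # backspace / DEL removes the previous char
            if cur:
                cur.pop()
        elif 0x20 <= b <= 0x7E:
            cur.append(chr(b))
        # remaining control bytes (escape sequences, ^C, ...) are dropped here
    if cur:
        lines.append(''.join(cur))       # buffer flushed before the line was finished
    return [line for line in lines if line]


def parse_tty_records(log_text: str) -> List[Dict[str, Union[str, int, List[str]]]]:
    """Return one dict per type=TTY record, with the keystroke buffer decoded."""
    records = []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m or m.group(1) != 'TTY':
            continue
        fields = parse_fields(m.group(4))
        data = fields.get('data', '')
        records.append({
            'time': int(m.group(2)),
            'serial': int(m.group(3)),
            'ses': fields.get('ses', ''),
            'comm': fields.get('comm', ''),
            'keystrokes': render_keystrokes(data),
            'commands': typed_commands(data),
        })
    return records


if __name__ == '__main__':
    # With a path argument, read a real audit.log; otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for rec in parse_tty_records(text):
        print('%(time)s ses=%(ses)s comm=%(comm)s keys=%(keystrokes)s commands=%(commands)s' % rec)
```

Run it against a copy of audit.log taken while the session is still open and again after typing "exit": the session's keystrokes appear as a single TTY record only in the second copy, which is the behaviour the question describes. Because the whole buffer arrives in one `data=` field, splitting on carriage returns is what recovers the individual commands.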