[RFE] Allow tty logging (maybe via pam_tty_audit.so)

[BikesAndBBQ]

Current situation

I'm trying to use auditd to log commands run on TTYs on our nodes. (I'm hoping to catch both commands run after sshing directly into nodes and also commands run after execing into containers.) I can't enable pam_tty_audit because that module is not installed alongside other PAM modules.

Impact

We're trying to enable this auditing to meet regulatory compliance goals.

Ideal future situation

pam_tty_audit.so is installed alongside other PAM modules. (Or another mechanism is provided for logging all commands run on TTYs.)

**Implementation options

Install the pam_tty_audit module.

Additional information

Would be happy to hear if there's another solution for TTY auditing on Flatcar.

[jepio]

This requires adding audit use flag to sys-libs/pam, shouldn't be an issue.

Out of curiosity: which compliance are you trying to achieve and do you have any other issues with getting Flatcar approved?

[BikesAndBBQ]

Compliance might be incorrect here because I think this might be for a SOC2 rather than SOX, but essentially trying to demonstrate a control that all human initiated commands run in the production environment are logged.

Flatcar in particular hasn't really been an issue here, most of the controls we're trying to put in place we're able to do in kubernetes or AWS, but this particular control like we want it at the OS level.

[tormath1]

Hi @BikesAndBBQ thanks for this report ! It has been added in the following PR: flatcar-archive/coreos-overlay#1233 and it will be available in the very next alpha release !

[BikesAndBBQ]

Awesome, thank you!