centos 5 - auditd

Need to log keystrokes for a user that's logging into one of our centos 5 boxes. I've enabled the pam_tty_audit module in /etc/pam.d/system-auth file, using the
session required pam_tty_audit.so disable=* enable=user,root     line. It's working ok, but messages in the /var/log/audit/audit.log are delayed, and sometimes only appear when the user being monitored logs out. How can I make auditd log activity in real time, so we can watch with 'tail -f'?
Thanks
netlabzAsked:
Who is Participating?
 
_-MYFOX-_Connect With a Mentor Commented:
try rootsh http://www.securityfocus.com/tools/3580
It's a low-level monitoring eg keystrokes
0
 
netlabzAuthor Commented:
rootsh works pretty well, only drawback is it requires the user to enter their p/w again for sudo. Even if I have 'sudo rootsh' in their .bashrc or .bash_profile they have to enter their password.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.