[lxc-users] audit guest keystrokes using pam_tty_audit

Stefan Thaler s.m.thaler at tue.nl
Wed Aug 5 09:00:17 UTC 2015


Dear All,

I have an unprivileged LXC container which runs an SSH server. The ports 
to connect to the container are forwarded, so one can connect from 
outside of the host to the container.

Is it possible to record all keystrokes from the host using 
auditd(pam_tty_audit) when somebody connects to the container via SSH?

I've added "/session/ /required pam_tty_audit.so enable=*/" to 
/etc/pam.d/common-session and /etc/pam.d/sshd and 
/etc/pam.d/common-auth, which enables key logging for all users on the 
host, but not in the containers.

I can audit system calls made by the guest (e.g., execve ) from the 
host, but keystrokes are not recorded.

The host and the container are both ubuntu 14.04 servers.

Any suggestions?

thanks a lot,
Stefan





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20150805/e71b0f34/attachment.html>


More information about the lxc-users mailing list