PAM 4.5 - Session Recording/Audit for MFA protected Linux Hosts (3rd party)

Dear Community,

We are facing the following requirements in a current project:
- Linux hosts are accessed with 3rd party MFA authentication (DUO push)
- Users have personal Linux "admin"/"root" users like adm_psmith
- Linux hosts are integrated with Windows domains (login with Windows domain user in AD UPN format like adm_psmith@acme.local)
- Linux login restrictions are already handled by special security groups in AD where authorized users are members.

That said, PAM should "only" do session monitoring/capture, not privilege or command handling per se. Direct access via SSH is required (web SSH is not sufficient).

What we did:
- Installed and registered an agent on such a Linux host, communicating with the framework manager (works).
- Created a resource group of type "UNIX Agents" and added the said Linux host to it.
- Created an association with a user role based on LDAP users/groups (the user adm_psmith@acme.local is added directly and as a group member to the user role).

Problem:
When we now log in to the said Linux host via SSH and MFA with adm_psmith@acme.local, nothing is registered by the PAM agent. We have checked the documentation for agent-based Linux setup, e.g. for cpcksh:
www.netiq.com/.../t4dyujzzzecw.html

However, since the Linux hosts are Windows integrated (Kerberos), you cannot simply change the login shell for the users to cpcksh.

Do you have any idea how we can achieve "simple session monitoring" via PAM in this setup, or are we missing something?

Many thanks and best regards,
Philipp
