TTY input auditing is now supported. If a process is marked for TTY input auditing, the data it reads from TTYs is audited; this will show up on audit records with type TTY.
You can use the pam_tty_audit module to mark a process (and its child processes) for TTY input auditing. For instructions on how to do this, refer to man pam_tty_audit(8).
The TTY audit records contain the exact keystrokes read by the audited process. To make data decoding easier, bash audits the exact command line using the record type USER_TTY.
The "TTY" audit records contain all data read by audited processes from the TTY. This includes data inserted into the input stream by the TIOCSTI ioctl system call.