On Tue, Mar 12, 2013 at 02:09:37PM -0700, Tracy Reed wrote:
> On Tue, Mar 12, 2013 at 01:47:42PM PDT, Richard Guy Briggs spake thusly:
> > I'm actually working on that right now. I have a patch I am in the
> > process of testing. It implements a new sysctl. I'm working in
> > the upstream kernel, so it will likely be available in Linus' git tree
> > before anywhere else. After that, likely fedora, then RHEL, but I'm a
> > bit new to that process.
>
> Wow, thanks! Always glad to see good security features/auditing being added to
> the kernel. Although I'm surprised a new sysctl was necessary and it couldn't
> all be done in auditd in userspace. I look forward to reading over the code to
> learn what went into this.
The necessary hooks are in the tty driver in the kernel. Control bits could be managed by audit in userspace, but would still need kernel intervention.

> Please do post the patch here when you have it worked out as I am very likely
> to miss it in the flood of kernel patches when it goes to/from Linus.

Here you go. Given Steve's good question, this control method may change.

> Thanks again!

No worries, glad to be of service.

> Tracy Reed

- RGB

--
Richard Guy Briggs <rbri...@redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635
From 1c67c13117d3e44036a890664f7aec413a392545 Mon Sep 17 00:00:00 2001
From: Richard Guy Briggs <r...@redhat.com>
Date: Wed, 13 Mar 2013 11:31:59 -0400
Subject: [PATCH] tty: add a sysctl switch to avoid logging passwords with audit
To: linux-audit@redhat.com

Most commands are entered one line at a time and processed as complete lines in non-canonical mode. Commands that interactively require a password enter canonical mode to do this. This feature (icanon) can be used to avoid logging passwords by audit while still logging the rest of the command.

The sysctl is /proc/sys/kernel/tty/audit_log_icanon with a default value of 0 to not log passwords.

Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
 drivers/tty/tty_audit.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
 drivers/tty/tty_io.c    |  2 ++
 include/linux/tty.h     |  4 ++++
 3 files changed, 51 insertions(+), 0 deletions(-)

diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c index 6953dc8..689f8d8 100644 --- a/drivers/tty/tty_audit.c +++ b/drivers/tty/tty_audit.c 
@@ -22,6 +22,49 @@ struct tty_audit_buf { unsigned char *data; /* Allocated size N_TTY_BUF_SIZE */ }; +int tty_audit_log_icanon = 0; +static int tty_audit_log_icanon_limit_min; +static int tty_audit_log_icanon_limit_max = INT_MAX; //1? + +static struct ctl_table tty_table[] = { + { + .procname = "audit_log_icanon", + .maxlen = sizeof(int), + .mode = 0644, + .data = &tty_audit_log_icanon, + .proc_handler = proc_dointvec_minmax, + .extra1 = &tty_audit_log_icanon_limit_min, + .extra2 = &tty_audit_log_icanon_limit_max, + }, + {} +}; + +static struct ctl_table tty_kern_table[] = { + { + .procname = "tty", + .mode = 0555, + .child = tty_table, + }, + {} +}; + +static struct ctl_table tty_root_table[] = { + { + .procname = "kernel", + .mode = 0555, + .child = tty_kern_table, + }, + {} +}; + +void tty_audit_sysctl_register(void) +{ + struct ctl_table_header *table; + + table = register_sysctl_table(tty_root_table); + // if error, unregister_sysctl_table(table); +} + static struct tty_audit_buf *tty_audit_buf_alloc(int major, int minor, unsigned icanon) { @@ -296,6 +339,8 @@ void tty_audit_add_data(struct tty_struct *tty, unsigned char *data, if (unlikely(size == 0)) return; + if (!tty_audit_log_icanon && icanon) return; + if (tty->driver->type == TTY_DRIVER_TYPE_PTY && tty->driver->subtype == PTY_TYPE_MASTER) return; diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c index 05400ac..72ce653 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c @@ -3495,6 +3495,8 @@ int __init tty_init(void) else WARN_ON(device_create_file(consdev, &dev_attr_active) < 0); + tty_audit_sysctl_register(); + #ifdef CONFIG_VT vty_init(&console_fops); #endif diff --git a/include/linux/tty.h b/include/linux/tty.h index c75d886..2710abe 100644 --- a/include/linux/tty.h +++ b/include/linux/tty.h 
@@ -544,6 +544,7 @@ extern void tty_audit_tiocsti(struct tty_struct *tty, char ch); extern void tty_audit_push(struct tty_struct *tty); extern int tty_audit_push_task(struct task_struct *tsk, kuid_t loginuid, u32 sessionid); +extern void tty_audit_sysctl_register(void); #else static inline void tty_audit_add_data(struct tty_struct *tty, unsigned char *data, size_t size, unsigned icanon) @@ -566,6 +567,9 @@ static inline int tty_audit_push_task(struct task_struct *tsk, { return 0; } +static inline tty_audit_sysctl_register(void) +{ +} #endif /* tty_ioctl.c */ -- 1.7.1
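Review bot: in the tty_audit.c hunk at @@ -22,6 +22,49 @@, `static int tty_audit_log_icanon_limit_max = INT_MAX; //1?` leaves the patch's own open question unresolved: the value is only ever tested as a boolean (`if (!tty_audit_log_icanon && icanon)`), so the max should be 1 and proc_dointvec_minmax will then reject anything other than 0 or 1 instead of accepting any non-zero integer. In the same hunk, tty_audit_sysctl_register() stores the result of register_sysctl_table() in `table` and never uses it, and the `// if error, unregister_sysctl_table(table);` comment is misleading, since register_sysctl_table() returns NULL on failure and there is nothing to unregister at that point; either drop the local or check for NULL and warn, e.g. `if (!register_sysctl_table(tty_root_table)) pr_warn("tty: failed to register audit sysctl\n");`. Minor style points checkpatch will flag: the two `//` comments should be `/* ... */`, and `int tty_audit_log_icanon = 0;` should not be explicitly initialised to zero.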
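Review bot: in the tty_audit.c hunk at @@ -296,6 +339,8 @@, `if (!tty_audit_log_icanon && icanon) return;` drops every byte that arrives while the line discipline is in canonical mode, not just password input; any program that reads its tty in canonical mode loses its input from the audit record whenever the switch sits at its default of 0. That may be an acceptable trade-off, but it is a silent behaviour change for existing tty audit deployments, which today record all input, so the commit message (and the sysctl's entry in Documentation/sysctl/kernel.txt, which this patch does not add) should state plainly that the default suppresses auditing of all canonical-mode input and that sites needing a complete record must set audit_log_icanon to 1.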
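Review bot: in the tty_io.c hunk at @@ -3495,6 +3495,8 @@, tty_audit_sysctl_register() is called only from `int __init tty_init(void)`, so its definition in tty_audit.c can be marked `__init` (the ctl_table arrays it hands to register_sysctl_table() must stay out of __initdata, because the sysctl core keeps pointers to them). The call is unconditional and relies on the !CONFIG_AUDIT inline stub in tty.h, which is fine as long as that stub compiles.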
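Review bot: in the tty.h hunk at @@ -566,6 +567,9 @@, the !CONFIG_AUDIT stub `static inline tty_audit_sysctl_register(void)` is missing its `void` return type, so it is declared with an implicit int return and then returns nothing; it should match the `extern void tty_audit_sysctl_register(void);` added in the previous hunk, i.e. `static inline void tty_audit_sysctl_register(void)`. As written, builds with CONFIG_AUDIT disabled will at least warn on the implicit int.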
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit