On Wed, Mar 13, 2013 at 01:37:53PM -0400, Miloslav Trmac wrote: > ----- Original Message ----- > > On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote: > > > ----- Original Message ----- > > > > > Please do post the patch here when you have it worked out as I > > > > > am > > > > > very likely > > > > > to miss it in the flood of kernel patches when it goes to/from > > > > > Linus. > > > > > > > > Here you go. Given Steve's good question, this control method > > > > may > > > > change. > > > > > > Isn't "icanon" _true_ when the data is echoed? This patch would > > > allow > > > dropping the echoed data (i.e. commands), not the non-echoed data > > > (i.e. passwords). > > > (I might be mistaken and I haven't tested this.) > > > > Apparently not. This is what took me longer than I initially thought > > necessary to get this working, rechecking my pam incantations along the > > way. I went back and actually removed my switch and just isolated > > icanon in the decision to abort the function to confirm how it worked, > > then inverted the test which is when it started working. Eric was right > > to start with. > > Are you looking at AUDIT_TTY only, or at AUDIT_USER_TTY as well? The > latter is generated by bash and not relevant.
I was looking at both, but primarily watching AUDIT_TTY for sshd, since that is the pam rule that I was using for testing. > Anyway, I was beig stupid - icanon is enabled even when asking for > passwords (because backspace works). When asking for passwords, the > situation seems to be (ICANON && !ECHO) (using the tcsetattr(3p) > names; I have checked agetty(8) and su(1)). We definitely want to > audit (ICANON && ECHO); I'm not sure about the !ICANON cases - I > suspect we want them audited as well. But that might need a more > detailed look. This reply is a bit stale since I started to write it yesterday... Ok, so it sounds like I need to add (or substitute) "&& !L_ECHO(tty)" to that expression. As a sanity check, can I just verify that to test this, I should only need to add something like "session required pam_tty_audit.so disable=* enable=rgb" to /etc/pam.d/sshd and then ssh in to the box as rgb, then issue a command that requires a password such as ssh or su? Ok, I just chatted with Mirek... He pointed me at: https://access.redhat.com/knowledge/solutions/226243 I had set it up for a non-root user to avoid logging the instrumentation console... I'll redo these tests... > Mirek - RGB -- Richard Guy Briggs <rbri...@redhat.com> Senior Software Engineer AMER ENG Base Operating Systems Remote, Canada, Ottawa Voice: 1.647.777.2635 Internal: (81) 32635 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit