Re: pam_tty_audit icanon log switch
On Fri, 2013-04-26 at 13:42 -0400, Richard Guy Briggs wrote: On Fri, Mar 22, 2013 at 08:19:31AM +0100, Tomas Mraz wrote: On Fri, 2013-03-22 at 01:46 -0400, Richard Guy Briggs wrote: Hi folks, There's been a couple of requests to add a switch to pam_tty_audit to *not* log passwords when logging user commands. Most commands are entered one line at a time and processed as complete lines in non-canonical mode. Commands that interactively require a password, enter canonical mode to do this. This feature (icanon) can be used to avoid logging passwords by audit while still logging the rest of the command. Adding a member to the struct audit_tty_status passed in by pam_tty_audit allows control of canonical mode per task. For the upstream inclusion of the pam_tty_audit patch you will need to add a detection of the new member of the struct audit_tty_status in the configure.in and #ifdef the code properly. The new option can be kept even in the case the new member is not available, but it should log a warning into the syslog with pam_syslog() when used. The documentation should reflect the fact that the option might not be available on old kernels as well. Tomas, Please have a look at this patch and see if this addresses the issues you raised: Yes, this is fine and can be submitted to Linux-PAM upstream for review once the whole patch is final. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: pam_tty_audit icanon log switch
- Original Message - On Thu, Apr 18, 2013 at 03:31:36PM -0400, Miloslav Trmač wrote: - Original Message - I'm still convinced that icanon is not the correct condition, see https://www.redhat.com/archives/linux-audit/2013-March/msg00052.html . As I indicated in a previous email, from my testing, you are correct. This patch appended should address that. Comments? Thanks, this seems fine to me (but I didn't actually test it). Please rename the field from log_icanon, I don't think it matters whether it's to log_pw, log_passwords or something similar. Mirek -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: pam_tty_audit icanon log switch
On Thu, Apr 18, 2013 at 03:31:36PM -0400, Miloslav Trmač wrote:
Hello,
Mirek,
- Original Message -
Full replacement patch:
I'm still convinced that icanon is not the correct condition, see
https://www.redhat.com/archives/linux-audit/2013-March/msg00052.html .
As I indicated in a previous email, from my testing, you are correct.
This patch appended should address that. Comments?
Mirek
- RGB
drivers/tty/tty_audit.c|8
include/linux/sched.h |1 +
include/uapi/linux/audit.h |3 ++-
kernel/audit.c |5 -
4 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 6953dc8..dc1bf78 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -153,6 +153,7 @@ void tty_audit_fork(struct signal_struct *sig)
{
spin_lock_irq(current-sighand-siglock);
sig-audit_tty = current-signal-audit_tty;
+ sig-audit_tty_log_icanon = current-signal-audit_tty_log_icanon;
spin_unlock_irq(current-sighand-siglock);
}
@@ -292,10 +293,17 @@ void tty_audit_add_data(struct tty_struct *tty, unsigned
char *data,
{
struct tty_audit_buf *buf;
int major, minor;
+ int audit_log_tty_icanon;
if (unlikely(size == 0))
return;
+ spin_lock_irq(current-sighand-siglock);
+ audit_log_tty_icanon = current-signal-audit_tty_log_icanon;
+ spin_unlock_irq(current-sighand-siglock);
+ if (!audit_log_tty_icanon icanon !L_ECHO(tty))
+ return;
+
if (tty-driver-type == TTY_DRIVER_TYPE_PTY
tty-driver-subtype == PTY_TYPE_MASTER)
return;
diff --git a/include/linux/sched.h b/include/linux/sched.h
index d35d2b6..031aa39 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -606,6 +606,7 @@ struct signal_struct {
#endif
#ifdef CONFIG_AUDIT
unsigned audit_tty;
+ unsigned audit_tty_log_icanon;
struct tty_audit_buf *tty_audit_buf;
#endif
#ifdef CONFIG_CGROUPS
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 9f096f1..a863669 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -369,7 +369,8 @@ struct audit_status {
};
struct audit_tty_status {
- __u32 enabled; /* 1 = enabled, 0 = disabled */
+ __u32 enabled;/* 1 = enabled, 0 = disabled */
+ __u32 log_icanon; /* 1 = enabled, 0 = disabled */
};
/* audit_rule_data supports filter rules with both integer and string
diff --git a/kernel/audit.c b/kernel/audit.c
index d596e53..98d43c6 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -873,6 +873,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct
nlmsghdr *nlh)
spin_lock_irq(tsk-sighand-siglock);
s.enabled = tsk-signal-audit_tty != 0;
+ s.log_icanon = tsk-signal-audit_tty_log_icanon != 0;
spin_unlock_irq(tsk-sighand-siglock);
audit_send_reply(NETLINK_CB(skb).portid, seq,
@@ -886,11 +887,13 @@ static int audit_receive_msg(struct sk_buff *skb, struct
nlmsghdr *nlh)
if (nlh-nlmsg_len sizeof(struct audit_tty_status))
return -EINVAL;
s = data;
- if (s-enabled != 0 s-enabled != 1)
+ if (s-enabled != 0 s-enabled != 1
+s-log_icanon != 0 s-log_icanon != 1)
return -EINVAL;
spin_lock_irq(tsk-sighand-siglock);
tsk-signal-audit_tty = s-enabled != 0;
+ tsk-signal-audit_tty_log_icanon = s-log_icanon != 0;
spin_unlock_irq(tsk-sighand-siglock);
break;
}
--
1.7.1
--
Richard Guy Briggs rbri...@redhat.com
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: pam_tty_audit icanon log switch
On Fri, Mar 22, 2013 at 08:19:31AM +0100, Tomas Mraz wrote: On Fri, 2013-03-22 at 01:46 -0400, Richard Guy Briggs wrote: Hi folks, There's been a couple of requests to add a switch to pam_tty_audit to *not* log passwords when logging user commands. Most commands are entered one line at a time and processed as complete lines in non-canonical mode. Commands that interactively require a password, enter canonical mode to do this. This feature (icanon) can be used to avoid logging passwords by audit while still logging the rest of the command. Adding a member to the struct audit_tty_status passed in by pam_tty_audit allows control of canonical mode per task. For the upstream inclusion of the pam_tty_audit patch you will need to add a detection of the new member of the struct audit_tty_status in the configure.in and #ifdef the code properly. The new option can be kept even in the case the new member is not available, but it should log a warning into the syslog with pam_syslog() when used. The documentation should reflect the fact that the option might not be available on old kernels as well. Tomas, Please have a look at this patch and see if this addresses the issues you raised: --- configure.in | 15 +++ modules/pam_tty_audit/Makefile.am |3 +++ modules/pam_tty_audit/pam_tty_audit.8.xml | 14 ++ modules/pam_tty_audit/pam_tty_audit.c | 23 ++- 4 files changed, 54 insertions(+), 1 deletions(-) diff --git a/configure.in b/configure.in index 515b301..c9c1c5f 100644 --- a/configure.in +++ b/configure.in @@ -386,6 +386,19 @@ if test x$WITH_LIBAUDIT != xno ; then fi if test ! -z $HAVE_AUDIT_TTY_STATUS ; then AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.]) + +AC_CHECK_MEMBER( +[struct audit_tty_status.log_icanon], +[ + HAVE_AUDIT_TTY_STATUS_LOG_ICANON=yes + AC_DEFINE([HAVE_AUDIT_TTY_STATUS_LOG_ICANON], 1, [Define to 1 if struct audit_tty_status.log_icanon exists.]) +], +[ + HAVE_AUDIT_TTY_STATUS_LOG_ICANON= + AC_MSG_WARN([The struct audit_tty_status.log_icanon member is needed for the log_icanon option. The log_icanon option is disabled.]) +], +[[#include libaudit.h]] +) fi else LIBAUDIT= @@ -393,6 +406,8 @@ fi AC_SUBST(LIBAUDIT) AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS], [test x$HAVE_AUDIT_TTY_STATUS = xyes]) +AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS_LOG_ICANON], + [test x$HAVE_AUDIT_TTY_STATUS_LOG_ICANON = xyes]) AC_CHECK_HEADERS(xcrypt.h crypt.h) AS_IF([test x$ac_cv_header_xcrypt_h = xyes], diff --git a/modules/pam_tty_audit/Makefile.am b/modules/pam_tty_audit/Makefile.am index 6378483..b67d2e5 100644 --- a/modules/pam_tty_audit/Makefile.am +++ b/modules/pam_tty_audit/Makefile.am @@ -16,6 +16,9 @@ XMLS = README.xml pam_tty_audit.8.xml securelibdir = $(SECUREDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +if HAVE_AUDIT_TTY_STATUS_LOG_ICANON + AM_CFLAGS += -DHAVE_AUDIT_TTY_STATUS_LOG_ICANON +endif AM_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml index 447b845..f451f45 100644 --- a/modules/pam_tty_audit/pam_tty_audit.8.xml +++ b/modules/pam_tty_audit/pam_tty_audit.8.xml @@ -77,6 +77,18 @@ /para /listitem /varlistentry + varlistentry +term + optionlog_icanon/option +/term +listitem + para + Log keystrokes in ICANON mode. By default, keystrokes in ICANON + mode are not logged to avoid logging passwords. This option may not + be available on older kernels (3.9?). + /para +/listitem + /varlistentry /variablelist /refsect1 @@ -161,6 +173,8 @@ session required pam_tty_audit.so disable=* enable=root para pam_tty_audit was written by Miloslav Trmaccaron; lt;m...@redhat.comgt;. +The log_icanon option was added by Richard Guy Briggs +lt;r...@redhat.comgt;. /para /refsect1 diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c index 080f495..7be914b 100644 --- a/modules/pam_tty_audit/pam_tty_audit.c +++ b/modules/pam_tty_audit/pam_tty_audit.c @@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) struct audit_tty_status *old_status, new_status; const char
Re: pam_tty_audit icanon log switch
On Thu, Apr 18, 2013 at 04:07:08PM -0400, Richard Guy Briggs wrote:
On Thu, Apr 18, 2013 at 03:31:36PM -0400, Miloslav Trmač wrote:
Hello,
- Original Message -
Full replacement patch:
I'm still convinced that icanon is not the correct condition, see
https://www.redhat.com/archives/linux-audit/2013-March/msg00052.html .
That's a seperate issue. :)
I'll come back to that...
Ok, thank you for bringing me back to that. And thank you for the test
case suggestions. You are correct, !echo is needed too. I've added it
back.
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 9f096f1..a863669 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -369,7 +369,8 @@ struct audit_status {
};
struct audit_tty_status {
- __u32 enabled; /* 1 = enabled, 0 = disabled */
+ __u32 enabled;/* 1 = enabled, 0 = disabled */
+ __u32 log_icanon; /* 1 = enabled, 0 = disabled */
};
Also, would it make sense for the user-space API to be more general
about expressing the intent (log passwords)? I don't know, being
precise about the exact effect of the option is also beneficial.
Hmmm, I'll have to ponder that...
I am inclined to leave it named as is for precision. The reason for the
option is covered in the manpage. Can you suggest a better wording for
the manpage if you don't think it is clear enough? A comment in the
source code wouldn't hurt though, now that you mention it.
Mirek
- RGB
- RGB
--
Richard Guy Briggs rbri...@redhat.com
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: pam_tty_audit icanon log switch
On Thu, Apr 11, 2013 at 04:43:45PM -0400, Eric Paris wrote:
- Original Message -
Hi folks,
There's been a couple of requests to add a switch to pam_tty_audit to
*not* log passwords when logging user commands.
Here are two patches, the first to pam to add the switch to
the pam_tty_audit module. The second is to the kernel to add the
necessary bits in audit and tty:
Patches as attachments are little harder to comment on. So inline preferred.
I agree. I wasn't sure of the best way to present both userspace and
kernel patches in the same email so that any automatic patcher won't get
confused. In this case, since it is an RFC, it isn't as critical, so
convenience for commenting overrides.
(more inline below)
From 110971ad92ce8669f6dc18db9e6369e92afdd03e Mon Sep 17 00:00:00 2001
From: Richard Guy Briggs r...@redhat.com
Date: Thu, 21 Mar 2013 00:52:37 -0400
Subject: [PATCH] tty: add an option to control logging of passwords with
pam_tty_audit
To: linux-audit@redhat.com
Most commands are entered one line at a time and processed as complete lines
in non-canonical mode. Commands that interactively require a password, enter
canonical mode to do this. This feature (icanon) can be used to avoid logging
passwords by audit while still logging the rest of the command.
Adding a member to the struct audit_tty_status passed in by pam_tty_audit
allows control of canonical mode per task.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
drivers/tty/tty_audit.c|8
include/linux/sched.h |1 +
include/uapi/linux/audit.h |3 ++-
kernel/audit.c |5 -
4 files changed, 15 insertions(+), 2 deletions(-)
[snip]
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -369,7 +369,8 @@ struct audit_status {
};
struct audit_tty_status {
- __u32 enabled; /* 1 = enabled, 0 = disabled */
+ __u32 enabled;/* 1 = enabled, 0 = disabled */
+ __u32 log_icanon; /* 1 = enabled, 0 = disabled */
};
/* audit_rule_data supports filter rules with both integer and string
diff --git a/kernel/audit.c b/kernel/audit.c
index d596e53..98d43c6 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -873,6 +873,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct
nlmsghdr *nlh)
spin_lock_irq(tsk-sighand-siglock);
s.enabled = tsk-signal-audit_tty != 0;
+ s.log_icanon = tsk-signal-audit_tty_log_icanon != 0;
spin_unlock_irq(tsk-sighand-siglock);
audit_send_reply(NETLINK_CB(skb).portid, seq,
@@ -886,11 +887,13 @@ static int audit_receive_msg(struct sk_buff *skb,
struct nlmsghdr *nlh)
if (nlh-nlmsg_len sizeof(struct audit_tty_status))
return -EINVAL;
s = data;
what happens if this comes from an old pam stack that didn't set/send
log_icanon? We'd just be reading past the end of the allocation, right?
Maybe something like
unsigned log_icanon
if (nlmsg_len(nlh) sizeof(struct audit_tty_status))
log_icanon = 0;
else
log_icanon = s-log_icanon
Good point. In fact it is more complicated than that. The previous
statement takes care of that, simply bouncing the request, so no danger
of reading past the allocation. The request could in fact be legal for
the previous version of userspace and it would not get to this point,
and would simply exit with -EINVAL, failing on what would have
previously been fine. It could try and see if it matches the length of
the previous version of the struct and behave accordingly, but that is
a messy kludge. Is it time to bump an audit API version number (I don't
find one.)?
- if (s-enabled != 0 s-enabled != 1)
+ if (s-enabled != 0 s-enabled != 1
+ s-log_icanon != 0 s-log_icanon != 1)
Shouldn't this be
if ((s-enabled != 0 s-enabled != 1) || log_icanon != 0 log_icanon !=
1))
Missing a paren, but yes, you are correct. Thank you:
if ((s-enabled != 0 s-enabled != 1) || (log_icanon != 0 log_icanon !=
1))
return -EINVAL;
spin_lock_irq(tsk-sighand-siglock);
tsk-signal-audit_tty = s-enabled != 0;
+ tsk-signal-audit_tty_log_icanon = s-log_icanon != 0;
spin_unlock_irq(tsk-sighand-siglock);
break;
}
--
1.7.1
Here's an incremental diff, full replacement patch below that:
8=
diff --git a/kernel/audit.c b/kernel/audit.c
index 98d43c6..89b9b9c 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -883,17 +883,28 @@ static int audit_receive_msg(struct sk_buff *skb, struct
nlmsghdr *nlh)
case AUDIT_TTY_SET: {
struct audit_tty_status *s;
struct task_struct *tsk = current;
+ struct audit_tty_status_old {
+
Re: pam_tty_audit icanon log switch
Hello,
- Original Message -
Full replacement patch:
I'm still convinced that icanon is not the correct condition, see
https://www.redhat.com/archives/linux-audit/2013-March/msg00052.html .
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 9f096f1..a863669 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -369,7 +369,8 @@ struct audit_status {
};
struct audit_tty_status {
- __u32 enabled; /* 1 = enabled, 0 = disabled */
+ __u32 enabled;/* 1 = enabled, 0 = disabled */
+ __u32 log_icanon; /* 1 = enabled, 0 = disabled */
};
Also, would it make sense for the user-space API to be more general about
expressing the intent (log passwords)? I don't know, being precise about the
exact effect of the option is also beneficial.
Mirek
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: pam_tty_audit icanon log switch
On Thu, Apr 18, 2013 at 03:31:36PM -0400, Miloslav Trmač wrote:
Hello,
- Original Message -
Full replacement patch:
I'm still convinced that icanon is not the correct condition, see
https://www.redhat.com/archives/linux-audit/2013-March/msg00052.html .
That's a seperate issue. :)
I'll come back to that...
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 9f096f1..a863669 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -369,7 +369,8 @@ struct audit_status {
};
struct audit_tty_status {
- __u32 enabled; /* 1 = enabled, 0 = disabled */
+ __u32 enabled;/* 1 = enabled, 0 = disabled */
+ __u32 log_icanon; /* 1 = enabled, 0 = disabled */
};
Also, would it make sense for the user-space API to be more general
about expressing the intent (log passwords)? I don't know, being
precise about the exact effect of the option is also beneficial.
Hmmm, I'll have to ponder that...
Mirek
- RGB
--
Richard Guy Briggs rbri...@redhat.com
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: pam_tty_audit icanon log switch
- Original Message -
Hi folks,
There's been a couple of requests to add a switch to pam_tty_audit to
*not* log passwords when logging user commands.
Here are two patches, the first to pam to add the switch to
the pam_tty_audit module. The second is to the kernel to add the
necessary bits in audit and tty:
Patches as attachments are little harder to comment on. So inline preferred.
From 110971ad92ce8669f6dc18db9e6369e92afdd03e Mon Sep 17 00:00:00 2001
From: Richard Guy Briggs r...@redhat.com
Date: Thu, 21 Mar 2013 00:52:37 -0400
Subject: [PATCH] tty: add an option to control logging of passwords with
pam_tty_audit
To: linux-audit@redhat.com
Most commands are entered one line at a time and processed as complete lines
in non-canonical mode. Commands that interactively require a password, enter
canonical mode to do this. This feature (icanon) can be used to avoid logging
passwords by audit while still logging the rest of the command.
Adding a member to the struct audit_tty_status passed in by pam_tty_audit
allows control of canonical mode per task.
Signed-off-by: Richard Guy Briggs r...@redhat.com
---
drivers/tty/tty_audit.c|8
include/linux/sched.h |1 +
include/uapi/linux/audit.h |3 ++-
kernel/audit.c |5 -
4 files changed, 15 insertions(+), 2 deletions(-)
[snip]
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -369,7 +369,8 @@ struct audit_status {
};
struct audit_tty_status {
- __u32 enabled; /* 1 = enabled, 0 = disabled */
+ __u32 enabled;/* 1 = enabled, 0 = disabled */
+ __u32 log_icanon; /* 1 = enabled, 0 = disabled */
};
/* audit_rule_data supports filter rules with both integer and string
diff --git a/kernel/audit.c b/kernel/audit.c
index d596e53..98d43c6 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -873,6 +873,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct
nlmsghdr *nlh)
spin_lock_irq(tsk-sighand-siglock);
s.enabled = tsk-signal-audit_tty != 0;
+ s.log_icanon = tsk-signal-audit_tty_log_icanon != 0;
spin_unlock_irq(tsk-sighand-siglock);
audit_send_reply(NETLINK_CB(skb).portid, seq,
@@ -886,11 +887,13 @@ static int audit_receive_msg(struct sk_buff *skb, struct
nlmsghdr *nlh)
if (nlh-nlmsg_len sizeof(struct audit_tty_status))
return -EINVAL;
s = data;
what happens if this comes from an old pam stack that didn't set/send
log_icanon? We'd just be reading past the end of the allocation, right? Maybe
something like
unsigned log_icanon
if (nlmsg_len(nlh) sizeof(struct audit_tty_status))
log_icanon = 0;
else
log_icanon = s-log_icanon
- if (s-enabled != 0 s-enabled != 1)
+ if (s-enabled != 0 s-enabled != 1
+s-log_icanon != 0 s-log_icanon != 1)
Shouldn't this be
if ((s-enabled != 0 s-enabled != 1) || log_icanon != 0 log_icanon != 1))
return -EINVAL;
spin_lock_irq(tsk-sighand-siglock);
tsk-signal-audit_tty = s-enabled != 0;
+ tsk-signal-audit_tty_log_icanon = s-log_icanon != 0;
spin_unlock_irq(tsk-sighand-siglock);
break;
}
--
1.7.1
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: pam_tty_audit icanon log switch
On Fri, 2013-03-22 at 01:46 -0400, Richard Guy Briggs wrote: Hi folks, There's been a couple of requests to add a switch to pam_tty_audit to *not* log passwords when logging user commands. Most commands are entered one line at a time and processed as complete lines in non-canonical mode. Commands that interactively require a password, enter canonical mode to do this. This feature (icanon) can be used to avoid logging passwords by audit while still logging the rest of the command. Adding a member to the struct audit_tty_status passed in by pam_tty_audit allows control of canonical mode per task. For the upstream inclusion of the pam_tty_audit patch you will need to add a detection of the new member of the struct audit_tty_status in the configure.in and #ifdef the code properly. The new option can be kept even in the case the new member is not available, but it should log a warning into the syslog with pam_syslog() when used. The documentation should reflect the fact that the option might not be available on old kernels as well. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: pam_tty_audit icanon log switch
- Original Message - Most commands are entered one line at a time and processed as complete lines in non-canonical mode. Commands that interactively require a password, enter canonical mode to do this. This feature (icanon) can be used to avoid logging passwords by audit while still logging the rest of the command. There was an earlier discussion about the correctness of using ICANON for this. Is ICANON really the right variable? AFAICT the seeings are used like this: (cat) and other programs that just take standard input: ICANON ECHO (bash), (vi) and other interactive programs: !ICANON !ECHO password prompts: ICANON !ECHO and we want to exclude only password prompts. Mirk -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
