From: Tomas Mraz
Subject: Re: pam_tty_audit icanon log switch
Date: Fri, 22 Mar 2013 08:19:31 +0100
Message-ID: <1363936771.12964.103.camel@vespa.frost.loc>
In-Reply-To: <20130322054636.GA18911@madcap2.tricolour.ca>
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List
List-Id: linux-audit@redhat.com

On Fri, 2013-03-22 at 01:46 -0400, Richard Guy Briggs wrote:
> Hi folks,
>
> There have been a couple of requests to add a switch to pam_tty_audit to
> *not* log passwords when logging user commands.
>
> Most commands are entered one line at a time and processed as complete
> lines in non-canonical mode. Commands that interactively require a
> password enter canonical mode to do this. This feature (icanon) can be
> used to avoid logging passwords by audit while still logging the rest of
> the command.
>
> Adding a member to the struct audit_tty_status passed in by
> pam_tty_audit allows control of canonical mode per task.

For the upstream inclusion of the pam_tty_audit patch you will need to add
a detection of the new member of the struct audit_tty_status in the
configure.in and #ifdef the code properly. The new option can be kept even
in the case the new member is not available, but it should log a warning
into the syslog with pam_syslog() when used. The documentation should
reflect the fact that the option might not be available on old kernels as
well.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
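The guard-and-warn pattern Tomas asks for, as an added example that is not code from the thread or from Linux-PAM: the configure-time macro HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD, the member name log_passwd and the option name are assumptions, the struct is a constructed stand-in for the kernel's definition in <linux/audit.h>, and warn_syslog() stands in for pam_syslog(pamh, LOG_WARNING, ...) so the code runs without a PAM handle.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed stand-in for the kernel's struct audit_tty_status (the real one
 * is in <linux/audit.h>). The HAVE_... macro is what an AC_CHECK_MEMBER test in
 * configure.in would define on a kernel that has the new member; build with
 * -DHAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD to simulate such a kernel.
 * Member and macro names are assumptions, not taken from the thread. */
struct audit_tty_status {
    unsigned int enabled;
#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
    unsigned int log_passwd;   /* assumed: non-zero = also log canonical-mode input */
#endif
};

/* Stand-in for pam_syslog(pamh, LOG_WARNING, ...); counts calls so the
 * fallback path can be checked without a PAM handle. */
static int warnings;
static void warn_syslog(const char *msg)
{
    warnings++;
    fprintf(stderr, "pam_tty_audit: %s\n", msg);
}
int tty_audit_warnings(void) { return warnings; }

/* Fill *st from module arguments such as "enable=*", "disable=*" and
 * "log_passwd" (user-list matching is simplified to a plain flag here).
 * Returns 1 if log_passwd was honoured, 0 if it was ignored because the
 * kernel headers this module was built against lack the member. */
int tty_audit_config(int argc, const char **argv, struct audit_tty_status *st)
{
    int honoured = 0;
    memset(st, 0, sizeof(*st));
    for (int i = 0; i < argc; i++) {
        if (strncmp(argv[i], "enable=", 7) == 0)
            st->enabled = 1;
        else if (strncmp(argv[i], "disable=", 8) == 0)
            st->enabled = 0;
        else if (strcmp(argv[i], "log_passwd") == 0) {
#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
            st->log_passwd = 1;
            honoured = 1;
#else
            /* Option kept, but this build cannot pass it to the kernel. */
            warn_syslog("log_passwd ignored: audit_tty_status has no such "
                        "member in the headers this module was built with");
#endif
        }
    }
    return honoured;
}
```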