From: Richard Guy Briggs <rgb@redhat.com>
To: Tracy Reed <treed@ultraviolet.org>
Cc: linux-audit@redhat.com, Miloslav Trmac <mitr@redhat.com>
Subject: Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
Date: Wed, 13 Mar 2013 12:26:56 -0400 [thread overview]
Message-ID: <20130313154358.GF23106@madcap2.tricolour.ca> (raw)
In-Reply-To: <20130312210936.GT4555@tracyreed.org>
On Tue, Mar 12, 2013 at 02:09:37PM -0700, Tracy Reed wrote:
> On Tue, Mar 12, 2013 at 01:47:42PM PDT, Richard Guy Briggs spake thusly:
> > I'm actually working on that right now. I have a patch I am in the
> > process of testing. It implements a new sysctl. I'm working in
> > the upstream kernel, so it will likely be available in Linus' git tree
> > before anywhere else. After that, likely fedora, then RHEL, but I'm a
> > bit new to that process.
>
> Wow, thanks! Always glad to see good security features/auditing being added to
> the kernel. Although I'm surprised a new sysctl was necessary and it couldn't
> all be done in auditd in userspace. I look forward to reading over the code to
> learn what went into this.
The necessary hooks are in the tty driver in the kernel. Control bits
could be managed by audit in userspace, but would still need kernel
intervention.
> Please do post the patch here when you have it worked out as I am very likely
> to miss it in the flood of kernel patches when it goes to/from Linus.
Here you go. Given Steve's good question, this control method may
change.
> Thanks again!
No worries, glad to be of service.
> Tracy Reed
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635
[-- Attachment #2: 0001-tty-add-a-sysctl-switch-to-avoid-logging-passwords-w.patch --]
[-- Type: text/plain, Size: 3542 bytes --]
From 1c67c13117d3e44036a890664f7aec413a392545 Mon Sep 17 00:00:00 2001
From: Richard Guy Briggs <rgb@redhat.com>
Date: Wed, 13 Mar 2013 11:31:59 -0400
Subject: [PATCH] tty: add a sysctl switch to avoid logging passwords with audit
To: linux-audit@redhat.com
Most commands are entered one line at a time and processed as complete lines
in non-canonical mode. Commands that interactively require a password enter
canonical mode to do this. This feature (icanon) can be used to avoid logging
passwords by audit while still logging the rest of the command.
The sysctl is /proc/sys/kernel/tty/audit_log_icanon with a default value of 0
to not log passwords.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
drivers/tty/tty_audit.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
drivers/tty/tty_io.c | 2 ++
include/linux/tty.h | 4 ++++
3 files changed, 51 insertions(+), 0 deletions(-)
diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 6953dc8..689f8d8 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -22,6 +22,49 @@ struct tty_audit_buf {
unsigned char *data; /* Allocated size N_TTY_BUF_SIZE */
};
+int tty_audit_log_icanon = 0;
+static int tty_audit_log_icanon_limit_min;
+static int tty_audit_log_icanon_limit_max = INT_MAX; //1?
+
+static struct ctl_table tty_table[] = {
+ {
+ .procname = "audit_log_icanon",
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .data = &tty_audit_log_icanon,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = &tty_audit_log_icanon_limit_min,
+ .extra2 = &tty_audit_log_icanon_limit_max,
+ },
+ {}
+};
+
+static struct ctl_table tty_kern_table[] = {
+ {
+ .procname = "tty",
+ .mode = 0555,
+ .child = tty_table,
+ },
+ {}
+};
+
+static struct ctl_table tty_root_table[] = {
+ {
+ .procname = "kernel",
+ .mode = 0555,
+ .child = tty_kern_table,
+ },
+ {}
+};
+
+void tty_audit_sysctl_register(void)
+{
+ struct ctl_table_header *table;
+
+ table = register_sysctl_table(tty_root_table);
+ // if error, unregister_sysctl_table(table);
+}
+
static struct tty_audit_buf *tty_audit_buf_alloc(int major, int minor,
unsigned icanon)
{
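Review bot: the `//1?` on `tty_audit_log_icanon_limit_max = INT_MAX` is the right question: this sysctl is a boolean switch, so `extra2` should bound it at 1 (`static int tty_audit_log_icanon_limit_max = 1;`), otherwise `proc_dointvec_minmax` accepts any non-negative int and a reader of /proc/sys/kernel/tty/audit_log_icanon cannot tell a typo like 10 from an intentional 1. In `tty_audit_sysctl_register()`, `register_sysctl_table()` returns NULL on failure and there is nothing to unregister in that case, so the commented-out `// if error, unregister_sysctl_table(table);` should become a NULL check with a `pr_warn()`, and the local `table`, which is currently assigned and never read, should either be kept in a static for later unregistration or dropped. The `//` comments and the explicit `int tty_audit_log_icanon = 0;` initialiser of a global will also be flagged by checkpatch.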
@@ -296,6 +339,8 @@ void tty_audit_add_data(struct tty_struct *tty, unsigned char *data,
if (unlikely(size == 0))
return;
+ if (!tty_audit_log_icanon && icanon) return;
+
if (tty->driver->type == TTY_DRIVER_TYPE_PTY
&& tty->driver->subtype == PTY_TYPE_MASTER)
return;
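Review bot: `if (!tty_audit_log_icanon && icanon) return;` needs the `return` on its own line per kernel style, but the substantive point is scope: this condition drops every byte received while the line discipline is in canonical mode, not only password entry. The commit message promises to skip passwords while still logging the rest of the command, yet the hook is only handed `icanon` (see the `unsigned icanon` parameter), not whether echo is off, so any program reading the tty in canonical mode (a shell without line editing, a script's `read`, `cat` taking typed input) is silenced the same way. State that limitation in the commit message and the sysctl documentation so a deployment relying on the default of 0 for keystroke logging knows what it omits.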
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 05400ac..72ce653 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -3495,6 +3495,8 @@ int __init tty_init(void)
else
WARN_ON(device_create_file(consdev, &dev_attr_active) < 0);
+ tty_audit_sysctl_register();
+
#ifdef CONFIG_VT
vty_init(&console_fops);
#endif
diff --git a/include/linux/tty.h b/include/linux/tty.h
index c75d886..2710abe 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -544,6 +544,7 @@ extern void tty_audit_tiocsti(struct tty_struct *tty, char ch);
extern void tty_audit_push(struct tty_struct *tty);
extern int tty_audit_push_task(struct task_struct *tsk,
kuid_t loginuid, u32 sessionid);
+extern void tty_audit_sysctl_register(void);
#else
static inline void tty_audit_add_data(struct tty_struct *tty,
unsigned char *data, size_t size, unsigned icanon)
@@ -566,6 +567,9 @@ static inline int tty_audit_push_task(struct task_struct *tsk,
{
return 0;
}
+static inline tty_audit_sysctl_register(void)
+{
+}
#endif
/* tty_ioctl.c */
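Review bot: `static inline tty_audit_sysctl_register(void)` in the `#else` branch has no return type, so the build without tty audit relies on implicit int and warns (or fails under -Werror=implicit-int); make it `static inline void tty_audit_sysctl_register(void)` to match the `extern void tty_audit_sysctl_register(void);` declaration added in the previous hunk.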
--
1.7.1
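An added example, not from the patch or anyone in this thread, that models the check the patch adds from the userspace side: the termios modes that a password prompt, a readline shell and a plain canonical line reader set (constructed approximations, since real programs vary), and whether input typed in each mode would reach the audit log under the proposed sysctl.

```c
/* Added example (not from the patch): applies the proposed tty_audit_add_data()
 * check to typical terminal modes, on an in-memory struct termios, no real tty. */
#include <stdbool.h>
#include <string.h>
#include <termios.h>

/* Approximation of a getpass()-style password prompt: canonical, echo off. */
static void set_password_prompt_mode(struct termios *t)
{
	t->c_lflag |= ICANON;
	t->c_lflag &= ~(tcflag_t)ECHO;
}

/* Approximation of a readline-style shell: non-canonical, raw keystrokes. */
static void set_readline_mode(struct termios *t)
{
	t->c_lflag &= ~(tcflag_t)(ICANON | ECHO);
}

/* A plain line reader (shell without line editing, a script's `read`). */
static void set_plain_line_mode(struct termios *t)
{
	t->c_lflag |= ICANON | ECHO;
}

/* Mirrors the patch: `if (!tty_audit_log_icanon && icanon) return;`.
 * The hook only receives the icanon flag, so ECHO plays no part. */
static bool tty_audit_would_log(int audit_log_icanon, const struct termios *t)
{
	unsigned icanon = (t->c_lflag & ICANON) ? 1u : 0u;
	if (!audit_log_icanon && icanon)
		return false;	/* dropped: password or any other canonical input */
	return true;
}

/* mode: 0 = password prompt, 1 = readline shell, 2 = plain line reader */
static bool logged_in_mode(int audit_log_icanon, int mode)
{
	struct termios t;
	memset(&t, 0, sizeof(t));
	if (mode == 0)
		set_password_prompt_mode(&t);
	else if (mode == 1)
		set_readline_mode(&t);
	else
		set_plain_line_mode(&t);
	return tty_audit_would_log(audit_log_icanon, &t);
}
```

The plain-line-reader case is the caveat: with the default of 0, input typed into any canonical-mode reader is dropped along with the password.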