From: Richard Guy Briggs <rgb@redhat.com>
To: Tomas Mraz <tmraz@redhat.com>
Cc: Linux-Audit Mailing List <linux-audit@redhat.com>
Subject: Re: pam_tty_audit icanon log switch
Date: Fri, 26 Apr 2013 13:42:13 -0400 [thread overview]
Message-ID: <20130426174213.GE6907@madcap2.tricolour.ca> (raw)
In-Reply-To: <1363936771.12964.103.camel@vespa.frost.loc>
On Fri, Mar 22, 2013 at 08:19:31AM +0100, Tomas Mraz wrote:
> On Fri, 2013-03-22 at 01:46 -0400, Richard Guy Briggs wrote:
> > Hi folks,
> >
> > There's been a couple of requests to add a switch to pam_tty_audit to
> > *not* log passwords when logging user commands.
> >
> > Most commands are entered one line at a time and processed as complete
> > lines in non-canonical mode. Commands that interactively require a
> > password, enter canonical mode to do this. This feature (icanon) can be
> > used to avoid logging passwords by audit while still logging the rest of
> > the command.
> >
> > Adding a member to the struct audit_tty_status passed in by
> > pam_tty_audit allows control of canonical mode per task.
> >
>
> For the upstream inclusion of the pam_tty_audit patch you will need to
> add a detection of the new member of the struct audit_tty_status in the
> configure.in and #ifdef the code properly. The new option can be kept
> even in the case the new member is not available, but it should log a
> warning into the syslog with pam_syslog() when used. The documentation
> should reflect the fact that the option might not be available on old
> kernels as well.
Tomas,
Please have a look at this patch and see if this addresses the issues
you raised:
---
configure.in | 15 +++++++++++++++
modules/pam_tty_audit/Makefile.am | 3 +++
modules/pam_tty_audit/pam_tty_audit.8.xml | 14 ++++++++++++++
modules/pam_tty_audit/pam_tty_audit.c | 23 ++++++++++++++++++++++-
4 files changed, 54 insertions(+), 1 deletions(-)
diff --git a/configure.in b/configure.in
index 515b301..c9c1c5f 100644
--- a/configure.in
+++ b/configure.in
@@ -386,6 +386,19 @@ if test x"$WITH_LIBAUDIT" != xno ; then
fi
if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then
AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.])
+
+ AC_CHECK_MEMBER(
+ [struct audit_tty_status.log_icanon],
+ [
+ HAVE_AUDIT_TTY_STATUS_LOG_ICANON=yes
+ AC_DEFINE([HAVE_AUDIT_TTY_STATUS_LOG_ICANON], 1, [Define to 1 if struct audit_tty_status.log_icanon exists.])
+ ],
+ [
+ HAVE_AUDIT_TTY_STATUS_LOG_ICANON=""
+ AC_MSG_WARN([The struct audit_tty_status.log_icanon member is needed for the log_icanon option. The log_icanon option is disabled.])
+ ],
+ [[#include <libaudit.h>]]
+ )
fi
else
LIBAUDIT=""
@@ -393,6 +406,8 @@ fi
AC_SUBST(LIBAUDIT)
AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS],
[test "x$HAVE_AUDIT_TTY_STATUS" = xyes])
+AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS_LOG_ICANON],
+ [test "x$HAVE_AUDIT_TTY_STATUS_LOG_ICANON" = xyes])
AC_CHECK_HEADERS(xcrypt.h crypt.h)
AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
diff --git a/modules/pam_tty_audit/Makefile.am b/modules/pam_tty_audit/Makefile.am
index 6378483..b67d2e5 100644
--- a/modules/pam_tty_audit/Makefile.am
+++ b/modules/pam_tty_audit/Makefile.am
@@ -16,6 +16,9 @@ XMLS = README.xml pam_tty_audit.8.xml
securelibdir = $(SECUREDIR)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+if HAVE_AUDIT_TTY_STATUS_LOG_ICANON
+ AM_CFLAGS += -DHAVE_AUDIT_TTY_STATUS_LOG_ICANON
+endif
AM_LDFLAGS = -no-undefined -avoid-version -module
if HAVE_VERSIONING
AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml
index 447b845..f451f45 100644
--- a/modules/pam_tty_audit/pam_tty_audit.8.xml
+++ b/modules/pam_tty_audit/pam_tty_audit.8.xml
@@ -77,6 +77,18 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>log_icanon</option>
+ </term>
+ <listitem>
+ <para>
+ Log keystrokes in ICANON mode. By default, keystrokes in ICANON
+ mode are not logged to avoid logging passwords. This option may not
+ be available on older kernels (3.9?).
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -161,6 +173,8 @@ session required pam_tty_audit.so disable=* enable=root
<para>
pam_tty_audit was written by Miloslav Trmač
<mitr@redhat.com>.
+ The log_icanon option was added by Richard Guy Briggs
+ <rgb@redhat.com>.
</para>
</refsect1>
diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c
index 080f495..7be914b 100644
--- a/modules/pam_tty_audit/pam_tty_audit.c
+++ b/modules/pam_tty_audit/pam_tty_audit.c
@@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
struct audit_tty_status *old_status, new_status;
const char *user;
int i, fd, open_only;
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_ICANON
+ int log_icanon;
+#endif
(void)flags;
@@ -212,6 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
command = CMD_NONE;
open_only = 0;
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_ICANON
+ log_icanon = 0;
+#endif
for (i = 0; i < argc; i++)
{
if (strncmp (argv[i], "enable=", 7) == 0
@@ -237,6 +243,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
}
else if (strcmp (argv[i], "open_only") == 0)
open_only = 1;
+ else if (strcmp (argv[i], "log_icanon") == 0)
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_ICANON
+ log_icanon = 1;
+#else
+ pam_syslog (pamh, LOG_WARNING,
+ "pam_tty_audit: The log_icanon option was not available at compile time.");
+#warning "pam_tty_audit: The log_icanon option is not available. Please upgrade your kernel."
+#endif
else
{
pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
@@ -262,7 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
}
new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
- if (old_status->enabled == new_status.enabled)
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_ICANON
+ new_status.log_icanon = log_icanon;
+#endif
+ if (old_status->enabled == new_status.enabled
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_ICANON
+ && old_status->log_icanon == new_status.log_icanon
+#endif
+ )
{
open_only = 1; /* to clean up old_status */
goto ok_fd;
--
1.7.1
> Tomas Mraz
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635
next prev parent reply other threads:[~2013-04-26 17:42 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-22 5:46 pam_tty_audit icanon log switch Richard Guy Briggs
2013-03-22 7:19 ` Tomas Mraz
2013-04-26 17:42 ` Richard Guy Briggs [this message]
2013-04-29 7:14 ` Tomas Mraz
2013-03-22 16:05 ` Miloslav Trmac
2013-04-11 20:43 ` Eric Paris
2013-04-18 19:14 ` Richard Guy Briggs
2013-04-18 19:31 ` Miloslav Trmač
2013-04-18 20:07 ` Richard Guy Briggs
2013-04-22 17:16 ` Richard Guy Briggs
2013-04-22 17:28 ` Miloslav Trmač
2013-04-22 18:29 ` Richard Guy Briggs
2013-04-26 17:23 ` Richard Guy Briggs
2013-04-26 17:37 ` Richard Guy Briggs
2013-04-29 21:02 ` Miloslav Trmač
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130426174213.GE6907@madcap2.tricolour.ca \
--to=rgb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=tmraz@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox