From: Miloslav Trmac <mitr@redhat.com>
To: dwmw2@infradead.org
Cc: linux-kernel@vger.kernel.org, Alan Cox <alan@redhat.com>,
Steve Grubb <sgrubb@redhat.com>,
Alexander Viro <aviro@redhat.com>
Subject: [PATCH] Audit: Add TTY input auditing
Date: Wed, 06 Jun 2007 11:49:33 +0200
Message-ID: <4666832D.8080603@redhat.com>

From: Miloslav Trmac <mitr@redhat.com>

Add TTY input auditing, used to audit system administrator's actions.
TTY input auditing works on a higher level than auditing all system
calls within the session, which would produce an overwhelming amount of
mostly useless audit events.

Add an "audit_tty" attribute, inherited across fork (). Data read from
TTYs by a process with the attribute is sent to the audit subsystem by the
kernel. The audit netlink interface is extended to allow modifying the
audit_tty attribute, and to allow sending explanatory audit events from
user-space (for example, a shell might send an event containing the
final command, after the interactive command-line editing and history
expansion is performed, which might be difficult to decipher from the
TTY input alone).

Because the "audit_tty" attribute is inherited across fork (), it would
be set e.g. for sshd restarted within an audited session. To prevent
this, the audit_tty attribute is cleared when a process with no open TTY
file descriptors (e.g. after daemon startup) opens a TTY.

See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html
for a more detailed rationale document for an older version of this patch.
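
The inheritance and clearing rule described in the message above, as an added user-space model (not code from the patch or the kernel). `struct proc`, the `model_*` helpers and the two scenario functions are hypothetical names, and the open-TTY count is an assumed simplification of the kernel's bookkeeping.

```c
/* Model of the audit_tty rule from the message; all names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct proc {
    bool audit_tty;  /* per-process attribute, inherited across fork() */
    int open_ttys;   /* number of open TTY file descriptors (assumed model) */
};

/* fork(): the child inherits the attribute and the open descriptors. */
static struct proc model_fork(const struct proc *parent) { return *parent; }

/* Opening a TTY while holding no TTY descriptor clears the attribute. */
static void model_tty_open(struct proc *p)
{
    if (p->open_ttys == 0)
        p->audit_tty = false;
    p->open_ttys++;
}

static void model_tty_close(struct proc *p)
{
    if (p->open_ttys > 0)
        p->open_ttys--;
}

/* sshd restarted within an audited session: is a later login audited? */
static bool restarted_sshd_login_is_audited(void)
{
    struct proc admin = { .audit_tty = true, .open_ttys = 1 };
    struct proc sshd = model_fork(&admin);  /* inherits audit_tty */
    model_tty_close(&sshd);                 /* daemon startup drops the TTY */
    model_tty_open(&sshd);                  /* later: TTY for a new login */
    struct proc login = model_fork(&sshd);
    return login.audit_tty;
}

/* A child that still holds the session TTY keeps the attribute. */
static bool interactive_child_is_audited(void)
{
    struct proc admin = { .audit_tty = true, .open_ttys = 1 };
    struct proc child = model_fork(&admin);
    model_tty_open(&child);                 /* e.g. opens a second TTY */
    return child.audit_tty;
}

int main(void)
{
    printf("restarted sshd login audited: %d\n", restarted_sshd_login_is_audited());
    printf("interactive child audited: %d\n", interactive_child_is_audited());
    return 0;
}
```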