pam_tty_audit icanon log switch

Tomas Mraz tmraz at redhat.com
Mon Apr 29 07:14:18 UTC 2013


On Fri, 2013-04-26 at 13:42 -0400, Richard Guy Briggs wrote: 
> On Fri, Mar 22, 2013 at 08:19:31AM +0100, Tomas Mraz wrote:
> > On Fri, 2013-03-22 at 01:46 -0400, Richard Guy Briggs wrote: 
> > > Hi folks,
> > > 
> > > There's been a couple of requests to add a switch to pam_tty_audit to
> > > *not* log passwords when logging user commands.
> > > 
> > > Most commands are entered one line at a time and processed as complete
> > > lines in non-canonical mode.  Commands that interactively require a
> > > password enter canonical mode to do this.  This feature (icanon) can be
> > > used to avoid logging passwords by audit while still logging the rest of
> > > the command.
> > > 
> > > Adding a member to the struct audit_tty_status passed in by
> > > pam_tty_audit allows control of canonical mode per task.
> > > 
> > 
> > For the upstream inclusion of the pam_tty_audit patch you will need to
> > add a detection of the new member of the struct audit_tty_status in the
> > configure.in and #ifdef the code properly. The new option can be kept
> > even in the case the new member is not available, but it should log a
> > warning into the syslog with pam_syslog() when used. The documentation
> > should reflect the fact that the option might not be available on old
> > kernels as well.
> 
> Tomas,
> 
> Please have a look at this patch and see if this addresses the issues
> you raised:

Yes, this is fine and can be submitted to Linux-PAM upstream for review
once the whole patch is final.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
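An added example, not code from this thread or from Linux-PAM, of the guarding Tomas asks for: a build-time macro, which an AC_CHECK_MEMBER test in configure.in would define when the kernel header declares the new member, selects between setting that member and logging a warning when the option is used on a build without it. The member and option name log_passwd, the macro name, and the local struct declaration are assumptions (the thread does not name the member); plain syslog() stands in for pam_syslog() so the block links without libpam.

```c
#include <string.h>
#include <syslog.h>

/* Stand-in for the kernel's struct audit_tty_status. The real module takes
 * it from <linux/audit.h>; an AC_CHECK_MEMBER check in configure.in would
 * define HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD when that header has the
 * member. Member name assumed; declared here only so the example compiles
 * without kernel headers. */
struct audit_tty_status {
    unsigned int enabled;
#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
    unsigned int log_passwd;
#endif
};

/* Build the status passed to the kernel from the module's argument list.
 * Returns 1 when the new option was requested but this build cannot pass
 * it on (a warning is logged in that case), 0 otherwise. */
int build_tty_status(int argc, const char **argv,
                     struct audit_tty_status *st)
{
    int want_option = 0;
    int i;

    memset(st, 0, sizeof(*st));
    st->enabled = 1;
    for (i = 0; i < argc; i++) {
        /* option name assumed; the module's other options are parsed
         * elsewhere and ignored here */
        if (strcmp(argv[i], "log_passwd") == 0)
            want_option = 1;
    }
    if (!want_option)
        return 0;
#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
    st->log_passwd = 1;     /* headers know the member: pass it through */
    return 0;
#else
    /* Old headers: keep the option accepted, but say it has no effect.
     * The real module would call pam_syslog(pamh, LOG_WARNING, ...). */
    syslog(LOG_WARNING,
           "pam_tty_audit: log_passwd option not supported by this build");
    return 1;
#endif
}
```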