PCI-DSS: Log every root action/keystroke but avoid passwords
Richard Guy Briggs
rgb at redhat.com
Wed Mar 13 16:26:56 UTC 2013
On Tue, Mar 12, 2013 at 02:09:37PM -0700, Tracy Reed wrote:
> On Tue, Mar 12, 2013 at 01:47:42PM PDT, Richard Guy Briggs spake thusly:
> > I'm actually working on that right now. I have a patch I am in the
> > process of testing. It implements a new sysctl. I'm working in
> > the upstream kernel, so it will likely be available in Linus' git tree
> > before anywhere else. After that, likely fedora, then RHEL, but I'm a
> > bit new to that process.
>
> Wow, thanks! Always glad to see good security features/auditing being added to
> the kernel. Although I'm surprised a new sysctl was necessary and it couldn't
> all be done in auditd in userspace. I look forward to reading over the code to
> learn what went into this.
The necessary hooks are in the tty driver in the kernel. Control bits
could be managed by audit in userspace, but would still need kernel
intervention.
> Please do post the patch here when you have it worked out as I am very likely
> to miss it in the flood of kernel patches when it goes to/from Linus.
Here you go. Given Steve's good question, this control method may
change.
> Thanks again!
No worries, glad to be of service.
> Tracy Reed
- RGB
--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635
-------------- next part --------------
From 1c67c13117d3e44036a890664f7aec413a392545 Mon Sep 17 00:00:00 2001
From: Richard Guy Briggs <rgb at redhat.com>
Date: Wed, 13 Mar 2013 11:31:59 -0400
Subject: [PATCH] tty: add a sysctl switch to avoid logging passwords with audit
To: linux-audit at redhat.com
Most commands are entered one line at a time and processed as complete lines
in non-canonical mode. Commands that interactively require a password enter
canonical mode to do this. This feature (icanon) can be used to avoid logging
passwords by audit while still logging the rest of the command.
The sysctl is /proc/sys/kernel/tty/audit_log_icanon with a default value of 0
to not log passwords.
Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
---
drivers/tty/tty_audit.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
drivers/tty/tty_io.c | 2 ++
include/linux/tty.h | 4 ++++
3 files changed, 51 insertions(+), 0 deletions(-)
diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 6953dc8..689f8d8 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -22,6 +22,49 @@ struct tty_audit_buf {
unsigned char *data; /* Allocated size N_TTY_BUF_SIZE */
};
+int tty_audit_log_icanon = 0;
+static int tty_audit_log_icanon_limit_min;
+static int tty_audit_log_icanon_limit_max = INT_MAX; //1?
+
+static struct ctl_table tty_table[] = {
+ {
+ .procname = "audit_log_icanon",
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .data = &tty_audit_log_icanon,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = &tty_audit_log_icanon_limit_min,
+ .extra2 = &tty_audit_log_icanon_limit_max,
+ },
+ {}
+};
+
+static struct ctl_table tty_kern_table[] = {
+ {
+ .procname = "tty",
+ .mode = 0555,
+ .child = tty_table,
+ },
+ {}
+};
+
+static struct ctl_table tty_root_table[] = {
+ {
+ .procname = "kernel",
+ .mode = 0555,
+ .child = tty_kern_table,
+ },
+ {}
+};
+
+void tty_audit_sysctl_register(void)
+{
+ struct ctl_table_header *table;
+
+ table = register_sysctl_table(tty_root_table);
+ // if error, unregister_sysctl_table(table);
+}
+
static struct tty_audit_buf *tty_audit_buf_alloc(int major, int minor,
unsigned icanon)
{
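Review bot: `tty_audit_log_icanon_limit_max = INT_MAX; //1?` leaves the range of a knob that the code only ever tests as a boolean (`if (!tty_audit_log_icanon && icanon)`) wide open; clamp it to 1, as the dangling comment itself suggests, so that a write of 2 or 1000 cannot be stored and read back as a value the code never distinguishes from 1. In the same hunk, `register_sysctl_table()` returns NULL on failure and the result is assigned to `table` and then never used (the error path is a `// if error, ...` comment), so either check it (`WARN_ON(!table)` or a `pr_warn`) or drop the variable; as written it will draw a set-but-unused warning. Style points: `int tty_audit_log_icanon = 0;` should drop the explicit zero initializer, and both `//` comments should become `/* */` or go away before this is sent upstream. Since `.mode = 0644` makes the switch writable by anyone who can write kernel sysctls, the changelog should say explicitly that a root-writable toggle over what reaches the audit trail is intended.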
@@ -296,6 +339,8 @@ void tty_audit_add_data(struct tty_struct *tty, unsigned char *data,
if (unlikely(size == 0))
return;
+ if (!tty_audit_log_icanon && icanon) return;
+
if (tty->driver->type == TTY_DRIVER_TYPE_PTY
&& tty->driver->subtype == PTY_TYPE_MASTER)
return;
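Review bot: the early return `if (!tty_audit_log_icanon && icanon) return;` drops every byte read in canonical mode, not only password prompts: a plain `cat`, a shell without a line editor reading in canonical mode, or `su`/`login` reading a username all lose their input from the audit record, so the changelog's "still logging the rest of the command" holds only for shells that drive their line editor in non-canonical mode. Please state that limitation in the changelog, and consider also consulting the tty's ECHO flag, since echo being off is what actually distinguishes a password prompt from ordinary line input; ICANON alone is too coarse a proxy. Style: kernel coding style wants the `return;` on its own line beneath the `if`.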
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 05400ac..72ce653 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -3495,6 +3495,8 @@ int __init tty_init(void)
else
WARN_ON(device_create_file(consdev, &dev_attr_active) < 0);
+ tty_audit_sysctl_register();
+
#ifdef CONFIG_VT
vty_init(&console_fops);
#endif
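Review bot: `tty_audit_sysctl_register()` is only called from `__init tty_init()`, so it can be marked `__init` (in tty_audit.c and its prototype) and discarded after boot. The call is unconditional, so with CONFIG_AUDIT disabled it depends on the inline stub in tty.h compiling to an empty function; that configuration needs a build test before this goes out.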
diff --git a/include/linux/tty.h b/include/linux/tty.h
index c75d886..2710abe 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -544,6 +544,7 @@ extern void tty_audit_tiocsti(struct tty_struct *tty, char ch);
extern void tty_audit_push(struct tty_struct *tty);
extern int tty_audit_push_task(struct task_struct *tsk,
kuid_t loginuid, u32 sessionid);
+extern void tty_audit_sysctl_register(void);
#else
static inline void tty_audit_add_data(struct tty_struct *tty,
unsigned char *data, size_t size, unsigned icanon)
@@ -566,6 +567,9 @@ static inline int tty_audit_push_task(struct task_struct *tsk,
{
return 0;
}
+static inline tty_audit_sysctl_register(void)
+{
+}
#endif
/* tty_ioctl.c */
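Review bot: the `!CONFIG_AUDIT` stub `static inline tty_audit_sysctl_register(void)` has no return type, so it is an implicit-int function definition that gcc warns about (and rejects with -Werror) and that does not match the `void` prototype in the CONFIG_AUDIT branch above; it should read `static inline void tty_audit_sysctl_register(void)`. That it compiled at all suggests the patch has only been built with CONFIG_AUDIT=y.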
--
1.7.1
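The commit message rests on the assumption that password prompts read in canonical mode while command lines are typed in non-canonical mode. The small tool below is an added example written for this thread (not part of the patch, the kernel or the audit package) that lets you check that assumption against a live process before trusting the sysctl: it reads the termios of a target pid's stdin through /proc/<pid>/fd/0, reports the ICANON/ECHO state, and applies a userspace copy of the hunk's predicate to say whether that input would be recorded at either sysctl setting. The names ttymode, audit_would_log, tty_mode_name, get_stdin_termios and stdin_is_canonical are this example's own, not identifiers from the patch.

```c
/*
 * ttymode.c: report which termios mode a process's stdin terminal is in
 * and whether the patch above would let its keystrokes reach the audit log.
 * Added example for this thread, not part of the patch or the kernel.
 * Build: cc -Wall -o ttymode ttymode.c   Run (as root): ./ttymode <pid>
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/*
 * Userspace mirror of the test the patch inserts into tty_audit_add_data():
 * with the sysctl at 0, any data read while ICANON is set is dropped.
 * Returns 1 if the bytes would be recorded, 0 if they would be dropped.
 */
int audit_would_log(int audit_log_icanon, int icanon)
{
	if (!audit_log_icanon && icanon)
		return 0;
	return 1;
}

/*
 * Name the four ICANON/ECHO combinations. Only ICANON matters to the patch;
 * ECHO is what actually separates a password prompt from plain line input.
 */
const char *tty_mode_name(tcflag_t lflag)
{
	int canon = (lflag & ICANON) != 0;
	int echo = (lflag & ECHO) != 0;

	if (canon && echo)
		return "canonical, echo on (plain line input: cat, dash, read)";
	if (canon)
		return "canonical, echo off (password-prompt shape: getpass, sudo, su)";
	if (echo)
		return "non-canonical, echo on (unusual)";
	return "non-canonical, echo off (raw/line-editor shape: bash readline, vim)";
}

/*
 * Fetch another process's stdin termios through /proc/<pid>/fd/0.
 * Needs permission to open that terminal (root, or the same user).
 * Returns 0 and fills *t on success, -1 with errno set otherwise
 * (ENOENT: no such pid, EACCES: not permitted, ENOTTY: stdin is not a tty).
 */
int get_stdin_termios(pid_t pid, struct termios *t)
{
	char path[64];
	int fd, rc, saved;

	snprintf(path, sizeof path, "/proc/%ld/fd/0", (long)pid);
	fd = open(path, O_RDONLY | O_NOCTTY | O_NONBLOCK);
	if (fd < 0)
		return -1;
	rc = tcgetattr(fd, t);
	saved = errno;
	close(fd);
	errno = saved;
	return rc;
}

/* 1 if <pid>'s stdin is in canonical mode, 0 if not, -1 on error. */
int stdin_is_canonical(pid_t pid)
{
	struct termios t;

	if (get_stdin_termios(pid, &t) != 0)
		return -1;
	return (t.c_lflag & ICANON) != 0;
}

int main(int argc, char **argv)
{
	struct termios t;
	pid_t pid;
	int icanon;

	if (argc != 2) {
		fprintf(stderr, "usage: %s <pid>\n", argv[0]);
		return 2;
	}
	pid = (pid_t)strtol(argv[1], NULL, 10);
	if (get_stdin_termios(pid, &t) != 0) {
		fprintf(stderr, "pid %ld: %s\n", (long)pid, strerror(errno));
		return 1;
	}
	icanon = (t.c_lflag & ICANON) != 0;
	printf("pid %ld stdin: %s\n", (long)pid, tty_mode_name(t.c_lflag));
	printf("kernel.tty.audit_log_icanon=0: input %s\n",
	       audit_would_log(0, icanon) ? "logged" : "dropped");
	printf("kernel.tty.audit_log_icanon=1: input %s\n",
	       audit_would_log(1, icanon) ? "logged" : "dropped");
	return 0;
}
```

Point it at an interactive bash pid and at a `sudo` process sitting at its password prompt: readline shows up as non-canonical, the prompt as canonical with echo off. It will also report canonical for a plain `cat` or a line-reading `dash`, which is exactly the input the default setting of 0 silently drops, so the check is worth running on every kind of shell your root sessions actually use.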