pam_tty_audit icanon log switch
Tomas Mraz
tmraz at redhat.com
Fri Mar 22 07:19:31 UTC 2013
On Fri, 2013-03-22 at 01:46 -0400, Richard Guy Briggs wrote:
> Hi folks,
>
> There's been a couple of requests to add a switch to pam_tty_audit to
> *not* log passwords when logging user commands.
>
> Most commands are entered one line at a time and processed as complete
> lines in non-canonical mode. Commands that interactively require a
> password enter canonical mode to do this. This feature (icanon) can be
> used to avoid logging passwords by audit while still logging the rest of
> the command.
>
> Adding a member to the struct audit_tty_status passed in by
> pam_tty_audit allows control of canonical mode per task.
>
For the upstream inclusion of the pam_tty_audit patch you will need to
add a detection of the new member of the struct audit_tty_status in the
configure.in and #ifdef the code properly. The new option can be kept
even in the case the new member is not available, but it should log a
warning into the syslog with pam_syslog() when used. The documentation
should reflect the fact that the option might not be available on old
kernels as well.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
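The configure-time detection and #ifdef fallback Tomas asks for, as an added example that is not Linux-PAM's or the kernel's own code. It assumes the new struct audit_tty_status member is called log_passwd (1 = also audit canonical-mode input, i.e. passwords), that configure.in checks for it with AC_CHECK_MEMBERS, which defines HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD, and that the module option carries the same name. So that it compiles without PAM or kernel headers, the kernel struct and pam_syslog() are replaced by local stand-ins, and the enable=/disable= matching is a simplified version of the module's (last match wins, no glob patterns).

```c
/*
 * Added example, not Linux-PAM code. The configure.in fragment assumed here:
 *
 *   AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [], [],
 *                    [[#include <linux/audit.h>]])
 *
 * Autoconf then defines HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD in config.h
 * on kernels whose uapi header has the member. Build with
 * -DHAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD to model such a kernel.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <syslog.h>

/* Stand-in for the kernel's struct audit_tty_status (really <linux/audit.h>);
 * the log_passwd member name is an assumption of this example. */
struct audit_tty_status {
    uint32_t enabled;
#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
    uint32_t log_passwd;
#endif
};

/* Stand-in for pam_syslog(pamh, priority, fmt, ...); counts calls for checks. */
static int warnings_logged;
static void pam_syslog_stub(int priority, const char *msg)
{
    (void)priority;
    warnings_logged++;
    fprintf(stderr, "pam_tty_audit: %s\n", msg);
}

struct tty_audit_opts {
    int enable;      /* 1 if the user matched enable= (default: disabled)   */
    int log_passwd;  /* 1 if the (assumed) log_passwd option was given       */
};

/* Comma-separated user list; "*" matches everyone. Simplified matching. */
static int user_in_list(const char *list, const char *user)
{
    size_t ulen = strlen(user);
    const char *p = list;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if ((len == 1 && *p == '*') || (len == ulen && memcmp(p, user, len) == 0))
            return 1;
        if (!comma)
            break;
        p = comma + 1;
    }
    return 0;
}

/* Parse module arguments; returns -1 on an unknown option. */
static int parse_args(int argc, const char **argv, const char *user,
                      struct tty_audit_opts *o)
{
    o->enable = 0;
    o->log_passwd = 0;
    for (int i = 0; i < argc; i++) {
        if (strncmp(argv[i], "enable=", 7) == 0) {
            if (user_in_list(argv[i] + 7, user))
                o->enable = 1;
        } else if (strncmp(argv[i], "disable=", 8) == 0) {
            if (user_in_list(argv[i] + 8, user))
                o->enable = 0;
        } else if (strcmp(argv[i], "log_passwd") == 0) {
            o->log_passwd = 1;   /* accepted even on old kernels, see below */
        } else {
            return -1;
        }
    }
    return 0;
}

/* Fill the status sent to the kernel. Returns 1 if password logging was
 * actually requested from the kernel, 0 otherwise. On a kernel/header
 * without the member the option is kept but a warning is logged, which is
 * the behaviour requested in the reply above. */
static int build_status(const struct tty_audit_opts *o, struct audit_tty_status *st)
{
    memset(st, 0, sizeof(*st));
    st->enabled = o->enable ? 1 : 0;
    if (!o->log_passwd)
        return 0;
#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
    st->log_passwd = 1;
    return 1;
#else
    pam_syslog_stub(LOG_WARNING,
        "log_passwd option ignored: kernel audit_tty_status lacks log_passwd");
    return 0;
#endif
}

int main(void)
{
    /* Constructed sample pam.d arguments, as in: session required pam_tty_audit.so ... */
    const char *argv[] = { "enable=root,alice", "log_passwd" };
    struct tty_audit_opts o;
    struct audit_tty_status st;
    if (parse_args(2, argv, "alice", &o) != 0)
        return 1;
    int logged = build_status(&o, &st);
    printf("enabled=%u password logging requested=%d\n", st.enabled, logged);
    return 0;
}
```

Compile once with and once without -DHAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD to see both paths: the new-kernel build sets the member, the old-kernel build accepts the option but emits the warning through the pam_syslog stand-in.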