June 2013 - Linux-audit - Linux-Audit List Archives

[PATCH 2/3] integrity: move integrity_audit_msg()

by Mimi Zohar

This patch moves the integrity_audit_msg() function and defintion to security/integrity/, the parent directory, renames the 'ima_audit' boot command line option to 'integrity_audit', and fixes the Kconfig help text to reflect the actual code. Changelog: - Fixed ifdef inclusion of integrity_audit_msg() (Fengguang Wu) Signed-off-by: Mimi Zohar <zohar(a)linux.vnet.ibm.com> --- Documentation/kernel-parameters.txt | 10 +++--- security/integrity/Kconfig | 15 +++++++++ security/integrity/Makefile | 1 + security/integrity/ima/Kconfig | 12 ------- security/integrity/ima/Makefile | 1 - security/integrity/ima/ima.h | 14 -------- security/integrity/ima/ima_audit.c | 64 ------------------------------------ security/integrity/integrity.h | 14 ++++++++ security/integrity/integrity_audit.c | 64 ++++++++++++++++++++++++++++++++++++ 9 files changed, 99 insertions(+), 96 deletions(-) delete mode 100644 security/integrity/ima/ima_audit.c create mode 100644 security/integrity/integrity_audit.c diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index c3bfacb..cb5daa1 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -1129,11 +1129,6 @@ bytes respectively. Such letter suffixes can also be entirely omitted. The builtin appraise policy appraises all files owned by uid=0. - ima_audit= [IMA] - Format: { "0" | "1" } - 0 -- integrity auditing messages. (Default) - 1 -- enable informational integrity auditing messages. - ima_hash= [IMA] Format: { "sha1" | "md5" } default: "sha1" @@ -1158,6 +1153,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted. inport.irq= [HW] Inport (ATI XL and Microsoft) busmouse driver Format: <irq> + integrity_audit=[IMA] + Format: { "0" | "1" } + 0 -- basic integrity auditing messages. (Default) + 1 -- additional integrity auditing messages. + intel_iommu= [DMAR] Intel IOMMU driver (DMAR) option on Enable intel iommu driver. diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 4bb3a77..245c6d9 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig @@ -17,6 +17,21 @@ config INTEGRITY_SIGNATURE This is useful for evm and module keyrings, when keys are usually only added from initramfs. +config INTEGRITY_AUDIT + bool "Enables integrity auditing support " + depends on INTEGRITY && AUDIT + default y + help + In addition to enabling integrity auditing support, this + option adds a kernel parameter 'integrity_audit', which + controls the level of integrity auditing messages. + 0 - basic integrity auditing messages (default) + 1 - additional integrity auditing messages + + Additional informational integrity auditing messages would + be enabled by specifying 'integrity_audit=1' on the kernel + command line. + config INTEGRITY_ASYMMETRIC_KEYS boolean "Enable asymmetric keys support" depends on INTEGRITY_SIGNATURE diff --git a/security/integrity/Makefile b/security/integrity/Makefile index ebb6409..0f9cffb 100644 --- a/security/integrity/Makefile +++ b/security/integrity/Makefile @@ -3,6 +3,7 @@ # obj-$(CONFIG_INTEGRITY) += integrity.o +obj-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o obj-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o obj-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index d232c73..39196ab 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -38,18 +38,6 @@ config IMA_MEASURE_PCR_IDX that IMA uses to maintain the integrity aggregate of the measurement list. If unsure, use the default 10. -config IMA_AUDIT - bool "Enables auditing support" - depends on IMA - depends on AUDIT - default y - help - This option adds a kernel parameter 'ima_audit', which - allows informational auditing messages to be enabled - at boot. If this option is selected, informational integrity - auditing messages can be enabled with 'ima_audit=1' on - the kernel command line. - config IMA_LSM_RULES bool depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK) diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile index 3f2ca6b..56dfee7 100644 --- a/security/integrity/ima/Makefile +++ b/security/integrity/ima/Makefile @@ -7,5 +7,4 @@ obj-$(CONFIG_IMA) += ima.o ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \ ima_policy.o -ima-$(CONFIG_IMA_AUDIT) += ima_audit.o ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index a41c9c1..b3dd616 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -62,20 +62,6 @@ struct ima_queue_entry { }; extern struct list_head ima_measurements; /* list of all measurements */ -#ifdef CONFIG_IMA_AUDIT -/* declarations */ -void integrity_audit_msg(int audit_msgno, struct inode *inode, - const unsigned char *fname, const char *op, - const char *cause, int result, int info); -#else -static inline void integrity_audit_msg(int audit_msgno, struct inode *inode, - const unsigned char *fname, - const char *op, const char *cause, - int result, int info) -{ -} -#endif - /* Internal IMA function definitions */ int ima_init(void); void ima_cleanup(void); diff --git a/security/integrity/ima/ima_audit.c b/security/integrity/ima/ima_audit.c deleted file mode 100644 index c586faa..0000000 --- a/security/integrity/ima/ima_audit.c +++ /dev/null @@ -1,64 +0,0 @@ -/* - * Copyright (C) 2008 IBM Corporation - * Author: Mimi Zohar <zohar(a)us.ibm.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, version 2 of the License. - * - * File: integrity_audit.c - * Audit calls for the integrity subsystem - */ - -#include <linux/fs.h> -#include <linux/gfp.h> -#include <linux/audit.h> -#include "ima.h" - -static int ima_audit; - -/* ima_audit_setup - enable informational auditing messages */ -static int __init ima_audit_setup(char *str) -{ - unsigned long audit; - - if (!strict_strtoul(str, 0, &audit)) - ima_audit = audit ? 1 : 0; - return 1; -} -__setup("ima_audit=", ima_audit_setup); - -void integrity_audit_msg(int audit_msgno, struct inode *inode, - const unsigned char *fname, const char *op, - const char *cause, int result, int audit_info) -{ - struct audit_buffer *ab; - - if (!ima_audit && audit_info == 1) /* Skip informational messages */ - return; - - ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno); - audit_log_format(ab, "pid=%d uid=%u auid=%u ses=%u", - current->pid, - from_kuid(&init_user_ns, current_cred()->uid), - from_kuid(&init_user_ns, audit_get_loginuid(current)), - audit_get_sessionid(current)); - audit_log_task_context(ab); - audit_log_format(ab, " op="); - audit_log_string(ab, op); - audit_log_format(ab, " cause="); - audit_log_string(ab, cause); - audit_log_format(ab, " comm="); - audit_log_untrustedstring(ab, current->comm); - if (fname) { - audit_log_format(ab, " name="); - audit_log_untrustedstring(ab, fname); - } - if (inode) { - audit_log_format(ab, " dev="); - audit_log_untrustedstring(ab, inode->i_sb->s_id); - audit_log_format(ab, " ino=%lu", inode->i_ino); - } - audit_log_format(ab, " res=%d", !result); - audit_log_end(ab); -} diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 84c37c4..c42fb7a 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -113,5 +113,19 @@ static inline int asymmetric_verify(struct key *keyring, const char *sig, } #endif +#ifdef CONFIG_INTEGRITY_AUDIT +/* declarations */ +void integrity_audit_msg(int audit_msgno, struct inode *inode, + const unsigned char *fname, const char *op, + const char *cause, int result, int info); +#else +static inline void integrity_audit_msg(int audit_msgno, struct inode *inode, + const unsigned char *fname, + const char *op, const char *cause, + int result, int info) +{ +} +#endif + /* set during initialization */ extern int iint_initialized; diff --git a/security/integrity/integrity_audit.c b/security/integrity/integrity_audit.c new file mode 100644 index 0000000..d7efb30 --- /dev/null +++ b/security/integrity/integrity_audit.c @@ -0,0 +1,64 @@ +/* + * Copyright (C) 2008 IBM Corporation + * Author: Mimi Zohar <zohar(a)us.ibm.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2 of the License. + * + * File: integrity_audit.c + * Audit calls for the integrity subsystem + */ + +#include <linux/fs.h> +#include <linux/gfp.h> +#include <linux/audit.h> +#include "integrity.h" + +static int integrity_audit_info; + +/* ima_audit_setup - enable informational auditing messages */ +static int __init integrity_audit_setup(char *str) +{ + unsigned long audit; + + if (!strict_strtoul(str, 0, &audit)) + integrity_audit_info = audit ? 1 : 0; + return 1; +} +__setup("integrity_audit=", integrity_audit_setup); + +void integrity_audit_msg(int audit_msgno, struct inode *inode, + const unsigned char *fname, const char *op, + const char *cause, int result, int audit_info) +{ + struct audit_buffer *ab; + + if (!integrity_audit_info && audit_info == 1) /* Skip info messages */ + return; + + ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno); + audit_log_format(ab, "pid=%d uid=%u auid=%u ses=%u", + current->pid, + from_kuid(&init_user_ns, current_cred()->uid), + from_kuid(&init_user_ns, audit_get_loginuid(current)), + audit_get_sessionid(current)); + audit_log_task_context(ab); + audit_log_format(ab, " op="); + audit_log_string(ab, op); + audit_log_format(ab, " cause="); + audit_log_string(ab, cause); + audit_log_format(ab, " comm="); + audit_log_untrustedstring(ab, current->comm); + if (fname) { + audit_log_format(ab, " name="); + audit_log_untrustedstring(ab, fname); + } + if (inode) { + audit_log_format(ab, " dev="); + audit_log_untrustedstring(ab, inode->i_sb->s_id); + audit_log_format(ab, " ino=%lu", inode->i_ino); + } + audit_log_format(ab, " res=%d", !result); + audit_log_end(ab); +} -- 1.8.1.4

11 years, 6 months

1
1
0 / 0

key options with spaces

by LC Bruzenak

I was playing with audit rules using keys with spaces. Is the following expected (ignore the logic; was just testing the returns)? # auditctl -l -k lsmod LIST_RULES: exit,always watch=/sbin/lsmod perm=x key=lsmod kernel LIST_RULES: exit,always watch=/bin/ping perm=x key=lsmod ping Thx, LCB -- LC (Lenny) Bruzenak lenny(a)magitekltd.com

11 years, 6 months

2
3
0 / 0

Porting audit: implement generic feature setting and retrieving to Android kernel

by William Roberts

So I ported the initial "audit: implement generic feature setting and retrieving" to Android as well as rebased my patch ontop. Since I didn't author the original patch, I just wanted to keep you abreast of where it was going. https://android-review.googlesource.com/#/c/60880/ -- Respectfully, William C Roberts

11 years, 6 months

2
4
0 / 0

Problems in audit.rules.7

by esr＠thyrsus.com

This is automatically generated email about markup problems in a man page for which you appear to be responsible. If you are not the right person or list, please tell me so I can correct my database. See http://catb.org/~esr/doclifter/bugs.html for details on how and why these patches were generated. Feel free to email me with any questions. Note: These patches do not change the modification date of any manual page. You may wish to do that by hand. I apologize if this message seems spammy or impersonal. The volume of markup bugs I am tracking is over five hundred - there is no real alternative to generating bugmail from a database and template. -- Eric S. Raymond Problems with audit.rules.7: My records indicate that you have accepted this patch, so this is just a reminder. ".fi" request was omitted or typoed as ".if". --- audit.rules.7-unpatched 2012-07-01 21:40:03.766065285 -0400 +++ audit.rules.7 2012-07-01 21:40:12.134065126 -0400 @@ -13,8 +13,7 @@ .nf .B \-w path-to-file \-p permissions \-k keyname - -.if +.fi where the permission are any one of the following:

11 years, 6 months

1
0
0 / 0

Pam_tty_audit and passwords

by John C. A. Bambenek, GCIH, CISSP

When is approximate timeframe of that functionality to be available to suppress logging of passwords in an RH provided package? Thanks, J

11 years, 6 months

2
1
0 / 0

[PATCH RFC 00/48] Add namespace support for audit

by Gao feng

This patchset try to add namespace support for audit. I choose to assign audit to the user namespace. Right now,there are six kinds of namespaces, such as net, mount, ipc, pid, uts and user. the first five namespaces have special usage. the audit isn't suitable to belong to these five namespaces, so the user namespace may be the best choice. Through I decide to make audit related resources per user namespace, but audit uses netlink to communicate between kernel space and user space, and the netlink is a private resource of per net namespace. So we need the capability to allow the netlink sockets to communicate with each other in the same user namespace even they are in different net namespace. [PATCH 2/48] does this job, it adds a new function "compare" for per netlink table to compare two sockets. it means the netlink protocols can has its own compare fuction, For other protocols, two netlink sockets are different if they belong to the different net namespace. For audit protocol, two sockets can be the same even they in different net namespace,we use user namespace not net namespace to make the decision. There is one point that some people may dislike,in [PATCH 1/48], the kernel side audit netlink socket is created only when we create the first netns for the userns, and this userns will hold the netns until we destroy this userns. The other patches just make the audit related resources per user namespace. This patchset is sent as an RFC,any comments are welcome. Gao feng (48): Audit: make audit kernel side netlink sock per userns netlink: Add compare function for netlink_table Audit: implement audit self-defined compare function Audit: make audit_skb_queue per user namespace Audit: make audit_skb_hold_queue per user namespace Audit: make kauditd_task per user namespace Audit: make audit_pid per user namespace Audit: make audit_nlk_portid per user namesapce Audit: make audit_enabled per user namespace Audit: change type of audit_ever_enabled to bool Audit: make audit_ever_enabled per user namespace Audit: make audit_initialized per user namespace Audit: only allow init user namespace to change audit_rate_limit Audit: only allow init user namespace to change audit_failure Audit: allow to send netlink message to auditd in uninit user namespace Audit: user proper user namespace in audit_log_config_change Audit: make kauditd_wait per user namespace Audit: make audit_backlog_wait per user namespace Audit: remove duplicate comments Audit: introduce new audit logging interface for user namespace Audit: pass proper user namespace to audit_log_common_recv_msg Audit: Log audit config change in uninit user namespace Audit: netfilter: Log xt table replace behavior in proper user namespace Audit: xt_AUDIT: Log audit message in proper user namespace Audit: send reply message to the auditd in proper user namespace Audit: make audit_inode_hash per user namespace Audit: make tree_list per user namespace Audit: make audit filter list per user namespace Audit: make audit_krule belongs to user namespace Audit: reply audit filter list request to proper user namespace Audit: pass proper user namespace to audit_filter_syscall Audit: pass proper user namespace to audit_filter_inode_name Audit: Log filter related audit message to proper user namespace Log audit tree related message in proper user namespace Audit: Log task related audit message to proper user namespace Audit: Log watch related audit message to proper user namespace Audit: translate audit_log_start to audit_log_start_ns Audit: tty: translate audit_log_start to audit_log_start_ns Audit: netlabel: translate audit_log_start to audit_log_start_ns Audit: ima: translate audit_log_start to audit_log_start_ns Audit: lsm: translate audit_log_start to audit_log_start_ns Audit: selinux: translate audit_log_start to audit_log_start_ns Audit: xfrm: translate audit_log_start to audit_log_start_ns Audit: rename audit_log_start_ns to audit_log_start Audit: user audit_enabled_ns to replace audit_enabled Audit: rename audit_enabled_ns to audit_enabled Audit: make audit_log user namespace awared Audit: allow root user of un-init user namespace to set audit drivers/tty/tty_audit.c | 9 +- include/linux/audit.h | 44 ++-- include/linux/netlink.h | 1 + include/linux/user_namespace.h | 25 +++ include/net/xfrm.h | 7 +- kernel/audit.c | 393 +++++++++++++++++++++--------------- kernel/audit.h | 24 +-- kernel/audit_tree.c | 49 ++--- kernel/audit_watch.c | 23 ++- kernel/auditfilter.c | 76 +++---- kernel/auditsc.c | 156 ++++++++------ kernel/user.c | 19 ++ kernel/user_namespace.c | 3 + net/core/dev.c | 12 +- net/ipv4/cipso_ipv4.c | 4 +- net/netfilter/x_tables.c | 9 +- net/netfilter/xt_AUDIT.c | 8 +- net/netlabel/netlabel_domainhash.c | 4 +- net/netlabel/netlabel_unlabeled.c | 8 +- net/netlabel/netlabel_user.c | 8 +- net/netlink/af_netlink.c | 26 ++- net/netlink/af_netlink.h | 1 + net/xfrm/xfrm_policy.c | 4 +- net/xfrm/xfrm_state.c | 14 +- security/apparmor/lib.c | 2 +- security/integrity/ima/ima_api.c | 5 +- security/integrity/ima/ima_audit.c | 11 +- security/integrity/ima/ima_policy.c | 5 +- security/lsm_audit.c | 8 +- security/selinux/avc.c | 3 +- security/selinux/hooks.c | 17 +- security/selinux/selinuxfs.c | 9 +- security/selinux/ss/services.c | 30 ++- security/smack/smack_lsm.c | 3 +- 34 files changed, 630 insertions(+), 390 deletions(-) -- 1.8.1.4

11 years, 6 months

4
11
0 / 0

Re: [Pam-developers] [PATCH] pam_tty_audit: add an option to control logging of passwords: log_passwd

by Richard Guy Briggs

On Mon, Jun 10, 2013 at 04:59:37PM -0400, Richard Guy Briggs wrote: > On Wed, Jun 05, 2013 at 02:54:09AM +0400, Dmitry V. Levin wrote: > > On Thu, May 23, 2013 at 10:29:59AM -0400, Richard Guy Briggs wrote: > > > Most commands are entered one line at a time and processed as complete lines > > > in non-canonical mode. Commands that interactively require a password, enter > > > canonical mode with echo set to off to do this. This feature (icanon and > > > !echo) can be used to avoid logging passwords by audit while still logging the > > > rest of the command. > > > > > > Adding a member to the struct audit_tty_status passed in by pam_tty_audit > > > allows control of logging passwords per task. > > > > Sorry for the long delay with review. Please see my comments below. > > Ditto... Please find a new patch at the end... > > > --- a/configure.in > > > +++ b/configure.in > > > @@ -386,6 +386,19 @@ if test x"$WITH_LIBAUDIT" != xno ; then > > > fi > > > if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then > > > AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.]) > > > + > > > + AC_CHECK_MEMBER( > > > + [struct audit_tty_status.log_passwd], > > > + [ > > > + HAVE_AUDIT_TTY_STATUS_LOG_PASSWD=yes > > > + AC_DEFINE([HAVE_AUDIT_TTY_STATUS_LOG_PASSWD], 1, [Define to 1 if struct audit_tty_status.log_passwd exists.]) > > > + ], > > > + [ > > > + HAVE_AUDIT_TTY_STATUS_LOG_PASSWD="" > > > + AC_MSG_WARN([The struct audit_tty_status.log_passwd member is needed for the log_passwd option. The log_passwd option is disabled.]) > > > + ], > > > + [[#include <libaudit.h>]] > > > + ) > > > fi > > > else > > > LIBAUDIT="" > > > @@ -393,6 +406,8 @@ fi > > > AC_SUBST(LIBAUDIT) > > > AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS], > > > [test "x$HAVE_AUDIT_TTY_STATUS" = xyes]) > > > +AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS_LOG_PASSWD], > > > + [test "x$HAVE_AUDIT_TTY_STATUS_LOG_PASSWD" = xyes]) > > > > There is a shorter way to express this idea: > > > > AC_CHECK_MEMBER([struct audit_tty_status.log_passwd], [], > > AC_MSG_WARN([audit_tty_status.log_passwd is not available, log_passwd option disabled.], > > [[#include <libaudit.h>]]) > > ... > > AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS_LOG_PASSWD], > > [test "x$ac_cv_member_audit_tty_status_log_passwd" = xyes]) > > Ok, so $ac_cv_member_audit_tty_status_log_passwd is set by > AC_CHECK_MEMBER()? Ok, I've used your suggestion, but switching to AC_CHECK_MEMBERS() (and balancing the AC_MSG_WARN() parens). > > > --- a/modules/pam_tty_audit/Makefile.am > > > +++ b/modules/pam_tty_audit/Makefile.am > > > @@ -16,6 +16,9 @@ XMLS = README.xml pam_tty_audit.8.xml > > > securelibdir = $(SECUREDIR) > > > > > > AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include > > > +if HAVE_AUDIT_TTY_STATUS_LOG_PASSWD > > > + AM_CFLAGS += -DHAVE_AUDIT_TTY_STATUS_LOG_PASSWD > > > +endif > > > > This shouldn't be needed because of the side effect of AC_CHECK_MEMBER. > > I don't follow. I found I needed this latter one because > HAVE_AUDIT_TTY_STATUS_LOG_PASSWD wasn't being propagated to gcc when > compiling the C module. Removed due to feature/side effect of AC_CHECK_MEMBERS(). > > > + else if (strcmp (argv[i], "log_passwd") == 0) > > > +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD > > > + log_passwd = 1; > > > +#else /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ > > > + pam_syslog (pamh, LOG_WARNING, > > > + "pam_tty_audit: The log_passwd option was not available at compile time."); > > > > No need to prefix syslog messages with the module name, > > you can rely on pam_syslog. > > Thanks. Removed. > > > +#warning "pam_tty_audit: The log_passwd option is not available. Please upgrade your kernel." > > > > I'm not sure the wording is correct: it's headers not the kernel > > that is subject of the configure check. > > I pondered this wording. I originally used the header wording, but > thought it better to refer to the kernel, presuming the header would be > upgraded with a capable kernel. I've changed the wording to "Please upgrade your headers/kernel." Thanks for your feedback Dmitry. > > -- > > ldv From: Richard Guy Briggs <rgb(a)redhat.com> Date: Thu, 21 Mar 2013 00:56:51 -0400 Subject: [PATCH] pam_tty_audit: add an option to control logging of passwords: log_passwd Most commands are entered one line at a time and processed as complete lines in non-canonical mode. Commands that interactively require a password, enter canonical mode with echo set to off to do this. This feature (icanon and !echo) can be used to avoid logging passwords by audit while still logging the rest of the command. Adding a member to the struct audit_tty_status passed in by pam_tty_audit allows control of logging passwords per task. This can be used with older kernels since it checks for the needed structure members at compile time. Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> --- configure.in | 6 ++++++ modules/pam_tty_audit/pam_tty_audit.8.xml | 15 +++++++++++++++ modules/pam_tty_audit/pam_tty_audit.c | 23 ++++++++++++++++++++++- 3 files changed, 43 insertions(+), 1 deletions(-) diff --git a/configure.in b/configure.in index 515b301..b92d9ac 100644 --- a/configure.in +++ b/configure.in @@ -386,6 +386,10 @@ if test x"$WITH_LIBAUDIT" != xno ; then fi if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.]) + + AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [], + AC_MSG_WARN([audit_tty_status.log_passwd is not available. The log_passwd option is disabled.]), + [[#include <libaudit.h>]]) fi else LIBAUDIT="" @@ -393,6 +397,8 @@ fi AC_SUBST(LIBAUDIT) AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS], [test "x$HAVE_AUDIT_TTY_STATUS" = xyes]) +AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS_LOG_PASSWD], + [test "x$ac_cv_member_audit_tty_status_log_passwd" = xyes]) AC_CHECK_HEADERS(xcrypt.h crypt.h) AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"], diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml index 447b845..552353c 100644 --- a/modules/pam_tty_audit/pam_tty_audit.8.xml +++ b/modules/pam_tty_audit/pam_tty_audit.8.xml @@ -77,6 +77,19 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term> + <option>log_passwd</option> + </term> + <listitem> + <para> + Log keystrokes when ECHO mode is off but ICANON mode is active. + This is the mode in which the tty is placed during password entry. + By default, passwords are not logged. This option may not be + available on older kernels (3.9?). + </para> + </listitem> + </varlistentry> </variablelist> </refsect1> @@ -161,6 +174,8 @@ session required pam_tty_audit.so disable=* enable=root <para> pam_tty_audit was written by Miloslav Trma&ccaron; <mitr(a)redhat.com>. + The log_passwd option was added by Richard Guy Briggs + <rgb(a)redhat.com>. </para> </refsect1> diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c index 080f495..a3b590d 100644 --- a/modules/pam_tty_audit/pam_tty_audit.c +++ b/modules/pam_tty_audit/pam_tty_audit.c @@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) struct audit_tty_status *old_status, new_status; const char *user; int i, fd, open_only; +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + int log_passwd; +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ (void)flags; @@ -212,6 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) command = CMD_NONE; open_only = 0; +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + log_passwd = 0; +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ for (i = 0; i < argc; i++) { if (strncmp (argv[i], "enable=", 7) == 0 @@ -237,6 +243,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) } else if (strcmp (argv[i], "open_only") == 0) open_only = 1; + else if (strcmp (argv[i], "log_passwd") == 0) +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + log_passwd = 1; +#else /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ + pam_syslog (pamh, LOG_WARNING, + "The log_passwd option was not available at compile time."); +#warning "pam_tty_audit: The log_passwd option is not available. Please upgrade your headers/kernel." +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ else { pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]); @@ -262,7 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) } new_status.enabled = (command == CMD_ENABLE ? 1 : 0); - if (old_status->enabled == new_status.enabled) +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + new_status.log_passwd = log_passwd; +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ + if (old_status->enabled == new_status.enabled +#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD + && old_status->log_passwd == new_status.log_passwd +#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */ + ) { open_only = 1; /* to clean up old_status */ goto ok_fd; -- 1.7.1 > - RGB - RGB -- Richard Guy Briggs <rbriggs(a)redhat.com> Senior Software Engineer Kernel Security AMER ENG Base Operating Systems Remote, Ottawa, Canada Voice: 1.647.777.2635 Internal: (81) 32635

11 years, 6 months

1
0
0 / 0

pam_tty_audit bi-directional logging

by Tracy Reed

Is there any way to make pam_tty_audit log not only what the user types but also what the server sends back? Due to regulatory requirements We are currently having to use proprietary, kludgy, unreliable bastion host "solutions" to get full session logging. It seems like pam_tty_audit, being in the tty layer, would have access to everything going through the tty both send and receive but it looks like only commands typed are logged. Am I missing something? Thanks! -- Tracy Reed

11 years, 6 months

3
4
0 / 0

Re: [PATCH] audit: fix size of netlink messages

by Nicolas Dichtel

Le 09/06/2013 15:29, Thomas Graf a écrit : > On 06/07/13 at 06:24pm, Nicolas Dichtel wrote: >> Put Thomas in CC. >> >> Le 07/06/2013 17:43, Eric Paris a écrit : >>> On Fri, 2013-06-07 at 17:25 +0200, Nicolas Dichtel wrote: >>> >>> NAK. >>> >>> I tried this once before and as I recal userspace actually expected the >>> stoopidity of being unaligned and broke :-( >> On which userspace tools do you think? >> >> For example, in the libnl, the function which tries to get the next >> netlink message expects this alignment: > > You should only align the end of the Netlink message if you > append another Netlink message after it. There is no point > in aligning it if no message follows in the same buffer. > > A receiver should never enforce alignment for the last message. > Some do and this is causing a lot of pain. An example is the > Open vSwitch implementation which stricly enforces alignment of > nlmsg_len which makes attempts to implement zerocopy for the > upcall more difficult than it should be. > Ok, thank you for the clarification.

11 years, 6 months

1
0
0 / 0

[PATCH] audit: fix size of netlink messages

by Nicolas Dichtel

Netlink messages must be aligned on NLMSG_ALIGNTO (4 bytes), thus we need to update the skb length before sending it to userspace. This patch adds the needed padding to be compliant with this requirement. Signed-off-by: Nicolas Dichtel <nicolas.dichtel(a)6wind.com> --- kernel/audit.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/kernel/audit.c b/kernel/audit.c index 21c7fa6..31d213a 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1669,6 +1669,17 @@ void audit_log_end(struct audit_buffer *ab) struct nlmsghdr *nlh = nlmsg_hdr(ab->skb); nlh->nlmsg_len = ab->skb->len - NLMSG_HDRLEN; + if (NLMSG_ALIGN(ab->skb->len) != ab->skb->len) { + unsigned int pad = NLMSG_ALIGN(ab->skb->len) - + ab->skb->len; + + if (skb_tailroom(ab->skb) >= pad) + skb_put(ab->skb, pad); + else if (pskb_expand_head(ab->skb, 0, pad, + GFP_KERNEL) < 0) + audit_log_lost("out of memory in audit_log_end"); + } + if (audit_pid) { skb_queue_tail(&audit_skb_queue, ab->skb); wake_up_interruptible(&kauditd_wait); -- 1.8.2.1

11 years, 6 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit June 2013