Re: pam_tty_audit icanon log switch

On Fri, Mar 22, 2013 at 08:19:31AM +0100, Tomas Mraz wrote: > On Fri, 2013-03-22 at 01:46 -0400, Richard Guy Briggs wrote: > > Hi folks, > > > > There's been a couple of requests to add a switch to pam_tty_audit to > > *not* log passwords when logging user commands. > > > > Most commands are entered one line at a time and processed as complete > > lines in non-canonical mode. Commands that interactively require a > > password, enter canonical mode to do this. This feature (icanon) can be > > used to avoid logging passwords by audit while still logging the rest of > > the command. > > > > Adding a member to the struct audit_tty_status passed in by > > pam_tty_audit allows control of canonical mode per task. > > > > For the upstream inclusion of the pam_tty_audit patch you will need to > add a detection of the new member of the struct audit_tty_status in the > configure.in and #ifdef the code properly. The new option can be kept > even in the case the new member is not available, but it should log a > warning into the syslog with pam_syslog() when used. The documentation > should reflect the fact that the option might not be available on old > kernels as well. Tomas, Please have a look at this patch and see if this addresses the issues you raised: