On Fri, 2013-03-22 at 01:46 -0400, Richard Guy Briggs wrote:
Hi folks,
There have been a couple of requests to add a switch to pam_tty_audit to
*not* log passwords when logging user commands.
Most commands are entered one line at a time and processed as complete
lines in non-canonical mode. Commands that interactively require a
password enter canonical mode to do this. This feature (icanon) can be
used to avoid logging passwords by audit while still logging the rest of
the command.
Adding a member to the struct audit_tty_status passed in by
pam_tty_audit allows control of canonical mode per task.
For the upstream inclusion of the pam_tty_audit patch you will need to
add a detection of the new member of the struct audit_tty_status in the
configure.in and #ifdef the code properly. The new option can be kept
even in the case the new member is not available, but it should log a
warning into the syslog with pam_syslog() when used. The documentation
should reflect the fact that the option might not be available on old
kernels as well.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
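The pattern Tomas asks for (configure-time detection of the new struct member, the option compiled in under #ifdef, and a syslog warning when the option is used on a build whose kernel headers lack the member), as an added illustration that is not pam_tty_audit's own code and not part of this thread. It assumes configure.in gains `AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [], [], [[#include <linux/audit.h>]])`, which makes autoconf define `HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD`; the member name `log_passwd`, the module option name `log_passwd`, the simplified `enable=`/`disable=` handling and the `warn()` stand-in for `pam_syslog()` are all assumptions made for this example.

```c
/* Added example, not pam_tty_audit's code. Shows how a PAM module can
 * carry an option for a kernel feature that may be absent at build time.
 * In the real module, configure.in would run
 *   AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [], [],
 *                    [[#include <linux/audit.h>]])
 * and the kernel header would supply struct audit_tty_status. Both are
 * simulated below so the example builds anywhere. (member/option names
 * are assumptions for this example)
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulates a configure run against new kernel headers. Remove this
 * line to see the old-kernel build path, where the option only warns. */
#define HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD 1

/* Stand-in for the kernel's struct audit_tty_status (assumed layout). */
struct audit_tty_status {
    uint32_t enabled;
#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
    uint32_t log_passwd;   /* 1 = also audit input typed in canonical mode */
#endif
};

struct tty_audit_opts {
    int enable;            /* 1 when enable=... was given, 0 for disable=... */
    int log_passwd;        /* 1 when the assumed "log_passwd" option was given */
};

/* Stand-in for pam_syslog(pamh, LOG_WARNING, ...). */
int warnings_logged;
void warn(const char *msg)
{
    warnings_logged++;
    fprintf(stderr, "pam_tty_audit: %s\n", msg);
}

/* Parse module arguments such as "enable=root log_passwd".
 * Returns 0 on success, -1 on an unknown option. */
static int parse_opts(int argc, const char **argv, struct tty_audit_opts *o)
{
    memset(o, 0, sizeof(*o));
    for (int i = 0; i < argc; i++) {
        if (strncmp(argv[i], "enable=", 7) == 0)
            o->enable = 1;
        else if (strncmp(argv[i], "disable=", 8) == 0)
            o->enable = 0;
        else if (strcmp(argv[i], "log_passwd") == 0)
            o->log_passwd = 1;
        else
            return -1;
    }
    return 0;
}

/* Fill the status the module would hand to the kernel. Returns 1 when the
 * log_passwd request was honoured, 0 when this build cannot express it. */
static int build_tty_status(const struct tty_audit_opts *o,
                            struct audit_tty_status *st)
{
    memset(st, 0, sizeof(*st));
    st->enabled = o->enable ? 1u : 0u;
#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
    st->log_passwd = o->log_passwd ? 1u : 0u;
    return 1;
#else
    if (o->log_passwd)
        warn("log_passwd option ignored: built against kernel headers "
             "without audit_tty_status.log_passwd");
    return 0;
#endif
}

/* Convenience: bit0 = enabled, bit1 = log_passwd set, bit2 = honoured;
 * -1 if the argument vector did not parse. */
static int status_word(int argc, const char **argv)
{
    struct tty_audit_opts o;
    struct audit_tty_status st;
    if (parse_opts(argc, argv, &o) != 0)
        return -1;
    int honoured = build_tty_status(&o, &st);
    int word = (int)st.enabled;
#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
    word |= (int)st.log_passwd << 1;
#endif
    word |= honoured << 2;
    return word;
}

int main(void)
{
    const char *argv[] = { "enable=root", "log_passwd" };  /* constructed input */
    printf("status word: %d, warnings: %d\n",
           status_word(2, argv), warnings_logged);
    return 0;
}
```

With the macro defined the option is passed through to the kernel struct; with it undefined the same source compiles, `log_passwd` is dropped, and the user gets one warning in syslog instead of a silent no-op, which is what the documentation note about old kernels should point at.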