lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4668D9BB.3010600@redhat.com>
Date:	Fri, 08 Jun 2007 06:23:23 +0200
From:	Miloslav Trmac <mitr@...hat.com>
To:	Andrew Morton <akpm@...ux-foundation.org>, dwmw2@...radead.org
CC:	linux-kernel@...r.kernel.org, Alan Cox <alan@...hat.com>,
	Steve Grubb <sgrubb@...hat.com>,
	Alexander Viro <aviro@...hat.com>
Subject: [PATCH, v2] Audit: Add TTY input auditing

From: Miloslav Trmac <mitr@...hat.com>

Add TTY input auditing, used to audit system administrator's actions.
TTY input auditing works on a higher level than auditing all system
calls within the session, which would produce an overwhelming amount of
mostly useless audit events.

Add an "audit_tty" attribute, inherited across fork ().  Data read from
TTYs by process with the attribute is sent to the audit subsystem by the
kernel.  The audit netlink interface is extended to allow modifying the
audit_tty attribute, and to allow sending explanatory audit events from
user-space (for example, a shell might send an event containing the
final command, after the interactive command-line editing and history
expansion is performed, which might be difficult to decipher from the
TTY input alone).

Because the "audit_tty" attribute is inherited across fork (), it would
be set e.g. for sshd restarted within an audited session.  To prevent
this, the audit_tty attribute is cleared when a process with no open TTY
file descriptors (e.g. after daemon startup) opens a TTY.

See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html
for a more detailed rationale document for an older version of this patch.

---
Changes since the previous patch:
* use spin_lock_irq() for siglock
* add an is_tty() function instead of checking f_op->read from n_tty.c;
  handle hung TTYs
* replace the audit_tty bit field by a whole word to avoid the risk of
  incorrect locking
* move most new code from n_tty.c to a separate file
* fix coding style violations
* fix compilation with !CONFIG_AUDIT


View attachment "linux.patch" of type "text/x-patch" (25617 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ