Message-ID: <4668D9BB.3010600@redhat.com>
Date: Fri, 08 Jun 2007 06:23:23 +0200
From: Miloslav Trmac <mitr@...hat.com>
To: Andrew Morton <akpm@...ux-foundation.org>, dwmw2@...radead.org
CC: linux-kernel@...r.kernel.org, Alan Cox <alan@...hat.com>,
Steve Grubb <sgrubb@...hat.com>,
Alexander Viro <aviro@...hat.com>
Subject: [PATCH, v2] Audit: Add TTY input auditing

From: Miloslav Trmac <mitr@...hat.com>

Add TTY input auditing, used to audit system administrator's actions.
TTY input auditing works on a higher level than auditing all system
calls within the session, which would produce an overwhelming amount of
mostly useless audit events.

Add an "audit_tty" attribute, inherited across fork (). Data read from
TTYs by a process with the attribute is sent to the audit subsystem by the
kernel. The audit netlink interface is extended to allow modifying the
audit_tty attribute, and to allow sending explanatory audit events from
user-space (for example, a shell might send an event containing the
final command, after the interactive command-line editing and history
expansion is performed, which might be difficult to decipher from the
TTY input alone).

Because the "audit_tty" attribute is inherited across fork (), it would
be set e.g. for sshd restarted within an audited session. To prevent
this, the audit_tty attribute is cleared when a process with no open TTY
file descriptors (e.g. after daemon startup) opens a TTY.

See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html
for a more detailed rationale document for an older version of this patch.

---
Changes since the previous patch:
* use spin_lock_irq() for siglock
* add an is_tty() function instead of checking f_op->read from n_tty.c;
  handle hung TTYs
* replace the audit_tty bit field by a whole word to avoid the risk of
  incorrect locking
* move most new code from n_tty.c to a separate file
* fix coding style violations
* fix compilation with !CONFIG_AUDIT

View attachment "linux.patch" of type "text/x-patch" (25617 bytes)
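
The inheritance and clearing rule described in the message above, written out as a small user-space model in C. This is an added example, not code from the attached patch; the struct, the function names and the scenario are hypothetical and only mirror the behaviour the message states.

```c
#include <stdio.h>
#include <string.h>

/* User-space model only; all names here are hypothetical, not the patch's. */
struct proc {
    unsigned audit_tty;  /* a whole word, per the v2 change list */
    int open_ttys;       /* TTY file descriptors currently open */
};
static char audit_log[256];  /* stands in for the audit subsystem */

/* fork (): the child inherits the attribute and the open descriptors. */
static struct proc proc_fork(const struct proc *parent) { return *parent; }

/* Opening a TTY while holding no TTY descriptor clears the attribute. */
static void proc_open_tty(struct proc *p)
{
    if (p->open_ttys == 0)
        p->audit_tty = 0;
    p->open_ttys++;
}
static void proc_close_tty(struct proc *p) { if (p->open_ttys > 0) p->open_ttys--; }

/* TTY input reaches the log only for a process with the attribute set.
 * Returns 1 if the input was audited, 0 otherwise. */
static int proc_tty_read(const struct proc *p, const char *input)
{
    if (!p->audit_tty || p->open_ttys == 0)
        return 0;
    strncat(audit_log, input, sizeof(audit_log) - strlen(audit_log) - 1);
    return 1;
}

/* Constructed scenario: sshd restarted from an audited admin shell.
 * Returns 1 if a later login through that sshd is audited, 0 if not. */
static int restarted_sshd_session_audited(void)
{
    struct proc admin = { .audit_tty = 1, .open_ttys = 1 };
    proc_tty_read(&admin, "service sshd restart\n");  /* audited */
    struct proc sshd = proc_fork(&admin);             /* attribute inherited */
    proc_close_tty(&sshd);                            /* daemon startup */
    struct proc session = proc_fork(&sshd);           /* still set here */
    proc_open_tty(&session);                          /* no open TTY: cleared */
    return proc_tty_read(&session, "user input\n");
}

int main(void)
{
    printf("later login audited: %d\n", restarted_sshd_session_audited());
    return 0;
}
```

In the model, a child that still holds the administrator's TTY and opens a second one keeps the attribute, so its input continues to be audited.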