Bug 244135
| Summary: | audit tty input | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Linda Wang <lwang> |
| Component: | kernel | Assignee: | Miloslav Trmač <mitr> |
| Status: | CLOSED ERRATA | QA Contact: | Martin Jenner <mjenner> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5.0 | CC: | akarlsso, arozansk, ddomingo, dzickus, eparis, mchehab, rlerch, sgrubb |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
TTY input auditing is now supported. If a process is marked for TTY input auditing, the data it reads from TTYs is audited; this will show up on audit records with type TTY.
You can use the pam_tty_audit module to mark a process (and its child processes) for TTY input auditing. For instructions on how to do this, refer to man pam_tty_audit(8).
The TTY audit records contain the exact keystrokes read by the audited process. To make data decoding easier, bash audits the exact command line using the record type USER_TTY.
The "TTY" audit records contain all data read by audited processes from the TTY. This includes data inserted into the input stream by the TIOCSTI ioctl system call.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-01-20 20:16:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 235021, 244349, 244350, 244352, 425461, 448732, 454962 | ||
|
Comment 2
RHEL Program Management
2007-06-14 04:01:56 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. Today I tested 2.6.24-rc5 kernel F8 ssh F8 su rawhide pam First think I found was that sshd_t needed permissions to send the message to the audit system indicating it wanted to audit the tty. I fixed that in my policy but that would needed to get corrected in the main policy. Second thing I found was that auditing for ssh didn't work at all. I never got a single TTY record. If, from my ssh session, i su - then I got TTY records from the new su session. Until ssh works I'd say this concept isn't ready to go... What else needs to be checked? Local vty? telnet? rsh? do xterms/gnome-terminals work? also noted by kernel maintainer on 12/18/07: This patch also seems to break every symbol on the kabi list too despite its best intentions not too. So another NAK from me. Therefore, move this bug to ASSIGN state to get more development time on it.
Release note added. If any revisions are required, please set the
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.
New Contents:
(Note: this relnote assumes this patch will be applied.)
TTY input auditing is now supported. If a process is marked for TTY input auditing, the data it reads from TTYs is audited in audit records with type "TTY".
You can use the pam_tty_audit module to mark a process (and its child processe) for TTY input auditing. An example configuration for auditing all commands performed as the root user is:
- append to /etc/pam.d/system-auth:
session required pam_tty_audit.so disable=* enable=root
- append to /etc/pam.d/sudo and /etc/pam.d/sudo-i:
session required pam_tty_audit.so open_only enable=root
See pam_tty_audit(8) for more information.
The "TTY" audit records contain the exact keystrokes read by the audited process. To make decoding of the data easier, bash audits the exact command line using the "USER_TTY" record type. This information is only advisory.
The "TTY" audit records contain all data read by audited processes from the TTY. This includes data that was inserted into the input stream using the TIOCSTI ioctl.
in kernel-2.6.18-115.el5 You can download this test kernel from http://people.redhat.com/dzickus/el5 Release note updated. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,16 +1,7 @@ -(Note: this relnote assumes this patch will be applied.) +TTY input auditing is now supported. If a process is marked for TTY input auditing, the data it reads from TTYs is audited; this will show up on audit records with type "TTY". -TTY input auditing is now supported. If a process is marked for TTY input auditing, the data it reads from TTYs is audited in audit records with type "TTY". +You can use the pam_tty_audit module to mark a process (and its child processes) for TTY input auditing. For instructions on how to do this, refer to man pam_tty_audit(8). -You can use the pam_tty_audit module to mark a process (and its child processe) for TTY input auditing. An example configuration for auditing all commands performed as the root user is: +The "TTY" audit records contain the exact keystrokes read by the audited process. To make data decoding easier, bash audits the exact command line using the record type "USER_TTY". -- append to /etc/pam.d/system-auth: +The "TTY" audit records contain all data read by audited processes from the TTY. This includes data inserted into the input stream by the TIOCSTI ioctl system call.- session required pam_tty_audit.so disable=* enable=root -- append to /etc/pam.d/sudo and /etc/pam.d/sudo-i: - session required pam_tty_audit.so open_only enable=root - -See pam_tty_audit(8) for more information. - -The "TTY" audit records contain the exact keystrokes read by the audited process. To make decoding of the data easier, bash audits the exact command line using the "USER_TTY" record type. This information is only advisory. - -The "TTY" audit records contain all data read by audited processes from the TTY. This includes data that was inserted into the input stream using the TIOCSTI ioctl. Release note edited: - restored the "example configuration": the sudo configuration is different and it's not quite clear from the man page this is necessary. - restored the note that USER_TTY is "only advisory". (This is probably not the best wording - the intent is to say that USER_TTY records are not created by the kernel and users can spoof the messages easier than TTY records - although the attempts to spoof the records should have been recorded correctly.) Release note updated. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -2,6 +2,14 @@ You can use the pam_tty_audit module to mark a process (and its child processes) for TTY input auditing. For instructions on how to do this, refer to man pam_tty_audit(8). -The "TTY" audit records contain the exact keystrokes read by the audited process. To make data decoding easier, bash audits the exact command line using the record type "USER_TTY". +The following steps will set up auditing all commands performed as the root user: +- append to /etc/pam.d/system-auth: + session required pam_tty_audit.so disable=* enable=root +- append to /etc/pam.d/sudo and /etc/pam.d/sudo-i: + session required pam_tty_audit.so open_only enable=root + + + +The "TTY" audit records contain the exact keystrokes read by the audited process. To make data decoding easier, bash audits the exact command line using the record type "USER_TTY". This information is only advisory. The "TTY" audit records contain all data read by audited processes from the TTY. This includes data inserted into the input stream by the TIOCSTI ioctl system call. Release note updated. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,15 +1,13 @@ -TTY input auditing is now supported. If a process is marked for TTY input auditing, the data it reads from TTYs is audited; this will show up on audit records with type "TTY". +Support for TTY input auditing is now available in Red Hat Enterprise Linux 5.3. If a process is marked for TTY input auditing, the data it reads from TTYs is audited, marked on audit records with type TTY. You can use the pam_tty_audit module to mark a process (and its child processes) for TTY input auditing. For instructions on how to do this, refer to man pam_tty_audit(8). -The following steps will set up auditing all commands performed as the root user: -- append to /etc/pam.d/system-auth: - session required pam_tty_audit.so disable=* enable=root -- append to /etc/pam.d/sudo and /etc/pam.d/sudo-i: - session required pam_tty_audit.so open_only enable=root +To configure auditing, append the following to /etc/pam.d/system-auth: +session required pam_tty_audit.so disable=* enable=root +Also, append the following to /etc/pam.d/sudo and /etc/pam.d/sudo-i: -The "TTY" audit records contain the exact keystrokes read by the audited process. To make data decoding easier, bash audits the exact command line using the record type "USER_TTY". This information is only advisory. +session required pam_tty_audit.so open_only enable=root -The "TTY" audit records contain all data read by audited processes from the TTY. This includes data inserted into the input stream by the TIOCSTI ioctl system call.+The TTY audit records contain the exact keystrokes read by the audited process. To make data decoding easier, bash audits the exact command line using the record type USER_TTY. The TTY audit records contain all data read by audited processes from the TTY. This includes data inserted into the input stream by the TIOCSTI ioctl system call. Release note edited again: clarified that the example is an example, not the only correct way to use the subsystem. Release note updated. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -2,7 +2,7 @@ You can use the pam_tty_audit module to mark a process (and its child processes) for TTY input auditing. For instructions on how to do this, refer to man pam_tty_audit(8). -To configure auditing, append the following to /etc/pam.d/system-auth: +For example, to configure auditing of commands executed as the root user, append the following to /etc/pam.d/system-auth: session required pam_tty_audit.so disable=* enable=root Hi Miloslav, i'm removing the example altogether. this is because i assume that man pam_tty_audit(8) should provide the user with enough information on how to set up TTY auditing. Release note updated. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,13 +1,7 @@ -Support for TTY input auditing is now available in Red Hat Enterprise Linux 5.3. If a process is marked for TTY input auditing, the data it reads from TTYs is audited, marked on audit records with type TTY. +TTY input auditing is now supported. If a process is marked for TTY input auditing, the data it reads from TTYs is audited; this will show up on audit records with type TTY. -You can use the pam_tty_audit module to mark a process (and its child processes) for TTY input auditing. For instructions on how to do this, refer to man pam_tty_audit(8). + You can use the pam_tty_audit module to mark a process (and its child processes) for TTY input auditing. For instructions on how to do this, refer to man pam_tty_audit(8). -For example, to configure auditing of commands executed as the root user, append the following to /etc/pam.d/system-auth: + The TTY audit records contain the exact keystrokes read by the audited process. To make data decoding easier, bash audits the exact command line using the record type USER_TTY. -session required pam_tty_audit.so disable=* enable=root + The "TTY" audit records contain all data read by audited processes from the TTY. This includes data inserted into the input stream by the TIOCSTI ioctl system call.- -Also, append the following to /etc/pam.d/sudo and /etc/pam.d/sudo-i: - -session required pam_tty_audit.so open_only enable=root - -The TTY audit records contain the exact keystrokes read by the audited process. To make data decoding easier, bash audits the exact command line using the record type USER_TTY. The TTY audit records contain all data read by audited processes from the TTY. This includes data inserted into the input stream by the TIOCSTI ioctl system call. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2009-0225.html |