Bug 244135 - audit tty input
audit tty input
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
5.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Miloslav Trmač
Martin Jenner
: Reopened
Depends On:
Blocks: 235021 244349 244350 244352 425461 KernelPrio5.3 RHEL5u3_relnotes
  Show dependency treegraph
 
Reported: 2007-06-13 22:25 EDT by Linda Wang
Modified: 2009-01-20 15:16 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
TTY input auditing is now supported. If a process is marked for TTY input auditing, the data it reads from TTYs is audited; this will show up on audit records with type TTY. You can use the pam_tty_audit module to mark a process (and its child processes) for TTY input auditing. For instructions on how to do this, refer to man pam_tty_audit(8). The TTY audit records contain the exact keystrokes read by the audited process. To make data decoding easier, bash audits the exact command line using the record type USER_TTY. The "TTY" audit records contain all data read by audited processes from the TTY. This includes data inserted into the input stream by the TIOCSTI ioctl system call.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-20 15:16:43 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Comment 2 RHEL Product and Program Management 2007-06-14 00:01:56 EDT
This request was evaluated by Red Hat Kernel Team for inclusion in a Red
Hat Enterprise Linux maintenance release, and has moved to bugzilla 
status POST.
Comment 4 RHEL Product and Program Management 2007-11-01 19:55:29 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 6 Eric Paris 2007-12-14 17:03:21 EST
Today I tested

2.6.24-rc5 kernel
F8 ssh
F8 su
rawhide pam

First think I found was that sshd_t needed permissions to send the message to
the audit system indicating it wanted to audit the tty.  I fixed that in my
policy but that would needed to get corrected in the main policy.

Second thing I found was that auditing for ssh didn't work at all.  I never got
a single TTY record.

If, from my ssh session, i su - then I got TTY records from the new su session.

Until ssh works I'd say this concept isn't ready to go...

What else needs to be checked?  Local vty?  telnet?  rsh?  do
xterms/gnome-terminals work?
Comment 7 Linda Wang 2008-01-07 13:44:21 EST
also noted by kernel maintainer on 12/18/07:
This patch also seems to break every symbol on the kabi list too despite
its best intentions not too. So another NAK from me.

Therefore, move this bug to ASSIGN state to get more development time on it.
Comment 12 Miloslav Trmač 2008-09-12 16:39:03 EDT
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
(Note: this relnote assumes this patch will be applied.)

TTY input auditing is now supported.  If a process is marked for TTY input auditing, the data it reads from TTYs is audited in audit records with type "TTY".

You can use the pam_tty_audit module to mark a process (and its child processe) for TTY input auditing.  An example configuration for auditing all commands performed as the root user is:

- append to /etc/pam.d/system-auth:
        session required pam_tty_audit.so disable=* enable=root
- append to /etc/pam.d/sudo and /etc/pam.d/sudo-i:
        session required pam_tty_audit.so open_only enable=root

See pam_tty_audit(8) for more information.

The "TTY" audit records contain the exact keystrokes read by the audited process.  To make decoding of the data easier, bash audits the exact command line using the "USER_TTY" record type.  This information is only advisory.

The "TTY" audit records contain all data read by audited processes from the TTY.  This includes data that was inserted into the input stream using the TIOCSTI ioctl.
Comment 13 Don Zickus 2008-09-15 10:16:10 EDT
in kernel-2.6.18-115.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 15 Don Domingo 2008-11-09 23:23:01 EST
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1,16 +1,7 @@
-(Note: this relnote assumes this patch will be applied.)
+TTY input auditing is now supported.  If a process is marked for TTY input auditing, the data it reads from TTYs is audited; this will show up on audit records with type "TTY".
 
-TTY input auditing is now supported.  If a process is marked for TTY input auditing, the data it reads from TTYs is audited in audit records with type "TTY".
+You can use the pam_tty_audit module to mark a process (and its child processes) for TTY input auditing. For instructions on how to do this, refer to man pam_tty_audit(8).
 
-You can use the pam_tty_audit module to mark a process (and its child processe) for TTY input auditing.  An example configuration for auditing all commands performed as the root user is:
+The "TTY" audit records contain the exact keystrokes read by the audited process.  To make data decoding easier, bash audits the exact command line using the record type "USER_TTY".
 
-- append to /etc/pam.d/system-auth:
+The "TTY" audit records contain all data read by audited processes from the TTY.  This includes data inserted into the input stream by the TIOCSTI ioctl system call.-        session required pam_tty_audit.so disable=* enable=root
-- append to /etc/pam.d/sudo and /etc/pam.d/sudo-i:
-        session required pam_tty_audit.so open_only enable=root
-
-See pam_tty_audit(8) for more information.
-
-The "TTY" audit records contain the exact keystrokes read by the audited process.  To make decoding of the data easier, bash audits the exact command line using the "USER_TTY" record type.  This information is only advisory.
-
-The "TTY" audit records contain all data read by audited processes from the TTY.  This includes data that was inserted into the input stream using the TIOCSTI ioctl.
Comment 16 Miloslav Trmač 2008-11-10 04:26:10 EST
Release note edited:
- restored the "example configuration": the sudo configuration is different and it's not quite clear from the man page this is necessary.
- restored the note that USER_TTY is "only advisory". (This is probably not the best wording - the intent is to say that USER_TTY records are not created by the kernel and users can spoof the messages easier than TTY records - although the attempts to spoof the records should have been recorded correctly.)
Comment 17 Miloslav Trmač 2008-11-10 04:26:10 EST
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -2,6 +2,14 @@
 
 You can use the pam_tty_audit module to mark a process (and its child processes) for TTY input auditing. For instructions on how to do this, refer to man pam_tty_audit(8).
 
-The "TTY" audit records contain the exact keystrokes read by the audited process.  To make data decoding easier, bash audits the exact command line using the record type "USER_TTY".
+The following steps will set up auditing all commands performed as the root user:
+- append to /etc/pam.d/system-auth:
+        session required pam_tty_audit.so disable=* enable=root
+- append to /etc/pam.d/sudo and /etc/pam.d/sudo-i:
+        session required pam_tty_audit.so open_only enable=root
+
+
+
+The "TTY" audit records contain the exact keystrokes read by the audited process.  To make data decoding easier, bash audits the exact command line using the record type "USER_TTY".  This information is only advisory.
 
 The "TTY" audit records contain all data read by audited processes from the TTY.  This includes data inserted into the input stream by the TIOCSTI ioctl system call.
Comment 19 Ryan Lerch 2008-11-16 18:35:37 EST
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1,15 +1,13 @@
-TTY input auditing is now supported.  If a process is marked for TTY input auditing, the data it reads from TTYs is audited; this will show up on audit records with type "TTY".
+Support for TTY input auditing is now available in Red Hat Enterprise Linux 5.3. If a process is marked for TTY input auditing, the data it reads from TTYs is audited, marked on audit records with type TTY.
 
 You can use the pam_tty_audit module to mark a process (and its child processes) for TTY input auditing. For instructions on how to do this, refer to man pam_tty_audit(8).
 
-The following steps will set up auditing all commands performed as the root user:
-- append to /etc/pam.d/system-auth:
-        session required pam_tty_audit.so disable=* enable=root
-- append to /etc/pam.d/sudo and /etc/pam.d/sudo-i:
-        session required pam_tty_audit.so open_only enable=root
+To configure auditing, append the following to /etc/pam.d/system-auth:
 
+session required pam_tty_audit.so disable=* enable=root
 
+Also, append the following to /etc/pam.d/sudo and /etc/pam.d/sudo-i:
 
-The "TTY" audit records contain the exact keystrokes read by the audited process.  To make data decoding easier, bash audits the exact command line using the record type "USER_TTY".  This information is only advisory.
+session required pam_tty_audit.so open_only enable=root
 
-The "TTY" audit records contain all data read by audited processes from the TTY.  This includes data inserted into the input stream by the TIOCSTI ioctl system call.+The TTY audit records contain the exact keystrokes read by the audited process. To make data decoding easier, bash audits the exact command line using the record type USER_TTY. The TTY audit records contain all data read by audited processes from the TTY. This includes data inserted into the input stream by the TIOCSTI ioctl system call.
Comment 20 Miloslav Trmač 2008-11-17 12:44:09 EST
Release note edited again: clarified that the example is an example, not the only correct way to use the subsystem.
Comment 21 Miloslav Trmač 2008-11-17 12:44:09 EST
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -2,7 +2,7 @@
 
 You can use the pam_tty_audit module to mark a process (and its child processes) for TTY input auditing. For instructions on how to do this, refer to man pam_tty_audit(8).
 
-To configure auditing, append the following to /etc/pam.d/system-auth:
+For example, to configure auditing of commands executed as the root user, append the following to /etc/pam.d/system-auth:
 
 session required pam_tty_audit.so disable=* enable=root
Comment 22 Don Domingo 2008-11-18 17:17:14 EST
Hi Miloslav, 
i'm removing the example altogether. this is because i assume that man pam_tty_audit(8) should provide the user with enough information on how to set up TTY auditing.
Comment 23 Don Domingo 2008-11-18 17:17:14 EST
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1,13 +1,7 @@
-Support for TTY input auditing is now available in Red Hat Enterprise Linux 5.3. If a process is marked for TTY input auditing, the data it reads from TTYs is audited, marked on audit records with type TTY.
+TTY input auditing is now supported. If a process is marked for TTY input auditing, the data it reads from TTYs is audited; this will show up on audit records with type TTY. 
 
-You can use the pam_tty_audit module to mark a process (and its child processes) for TTY input auditing. For instructions on how to do this, refer to man pam_tty_audit(8).
+ You can use the pam_tty_audit module to mark a process (and its child processes) for TTY input auditing. For instructions on how to do this, refer to man pam_tty_audit(8). 
 
-For example, to configure auditing of commands executed as the root user, append the following to /etc/pam.d/system-auth:
+ The TTY audit records contain the exact keystrokes read by the audited process. To make data decoding easier, bash audits the exact command line using the record type USER_TTY. 
 
-session required pam_tty_audit.so disable=* enable=root
+ The "TTY" audit records contain all data read by audited processes from the TTY. This includes data inserted into the input stream by the TIOCSTI ioctl system call.-
-Also, append the following to /etc/pam.d/sudo and /etc/pam.d/sudo-i:
-
-session required pam_tty_audit.so open_only enable=root
-
-The TTY audit records contain the exact keystrokes read by the audited process. To make data decoding easier, bash audits the exact command line using the record type USER_TTY. The TTY audit records contain all data read by audited processes from the TTY. This includes data inserted into the input stream by the TIOCSTI ioctl system call.
Comment 26 errata-xmlrpc 2009-01-20 15:16:43 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-0225.html

Note You need to log in before you can comment on or make changes to this bug.