Attached is a new PAM module to enable or disable TTY input auditing in the user's session.
Created attachment 157074: A preliminary patch (some FIXMEs left)
(TODO: submit to PAM upstream first)
Created attachment 271421: A complete patch
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Created attachment 291048: An incremental patch

To be applied after attachment 271421:
* Add support for wildcards in enable= and disable=
* Add "open_only" (for sudo)
* Fix uninitialized variable access if the flag does not need to be changed
* Fix example in man page
Created attachment 291049: Resulting pam_tty_audit.c

If you want to test TTY input auditing without patching PAM, compile this file with

    gcc -shared -fPIC -o pam_tty_audit.so pam_tty_audit.c -lpam

and install pam_tty_audit.so to /lib*/security/
Ondrej, to test:
- install a kernel patched for #244135, and boot it
- install the new PAM (or at least the module from attachment 291049)
- optionally install an audit>=1.6 (to mark messages as TTY instead of UNKNOWN[1319])
- append to /etc/pam.d/system-auth:
    session required pam_tty_audit.so disable=* enable=root

From now on "TEST" == run (cat), type something and Ctrl+D; expected results:
- as root => chars entered in audit.log
- as non-root: no chars entered
Always try both cases. No characters you didn't type (e.g. prompts printed by programs) should be logged.

- TEST logging in on console
- TEST logging in over ssh
- log in as root, verify (cat) input is logged, run (service sshd restart), reTEST logging in over ssh
- enable rlogind, comment-out pam_securetty from /etc/pam.d/rlogin
  TEST logging in using rlogin
  NOTE: rsh/rexec commands are not logged
  NOTE: If xinetd is restarted from an audited root's session, username/password are logged if the rlogind's password authentication fails for the first time, and /bin/login is asking for password/username
- enable telnet server, comment-out pam_securetty from /etc/pam.d/remote
  TEST logging in over telnet
  NOTE: If xinetd is restarted from an audited root's session, username/password are always logged
- TEST su and (su -) from an unprivileged account
  TEST su and (su -) from a privileged account
  NOTE: an admin can (su unprivileged) and evade logging this way; this can be handled by adding "session required pam_tty_audit.so enable=root" to /etc/pam.d/su and /etc/pam.d/su-l, and either:
  - not using system-auth in /etc/pam.d/su*, or
  - using pam_tty_audit in each individual PAM config file except for su{,-l} instead of using it in system-auth
- append to /etc/pam.d/sudo and /etc/pam.d/sudo-i:
    session required pam_tty_audit.so open_only enable=root
  (NOTE: disable=* would disable logging sudo from root to unprivileged users)
  NOTE: when testing sudo from a privileged account to an unprivileged account, the input is still logged because disable=* is not present
  visudo, add "your_unprivileged_user ALL=(ALL) ALL" to the last section
  TEST sudo (using sudo -u destination_user cat)
  TEST sudo -i
- TEST logging in over gdm (perhaps to the rescue session, if not all of GNOME)
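The option semantics the test plan above relies on (disable=* enable=root in system-auth, the su evasion and its dedicated-line fix, open_only enable=root for sudo), worked through as an added Python model; this is not code from the bug or from pam_tty_audit itself. It assumes options are evaluated left to right with the last match winning, that no match leaves the inherited flag untouched, and uses a constructed unprivileged user "alice".

```python
import fnmatch

ENABLE, DISABLE, UNCHANGED = "enable", "disable", "unchanged"


def tty_audit_decision(module_args, user):
    """Return what one pam_tty_audit line does to `user`'s TTY-audit flag.

    Assumed semantics (my reading of the comment, not the module source):
    enable=/disable= hold comma-separated user lists, "*" is a wildcard,
    options are scanned left to right and the last match wins; with no
    match the flag is left as the parent session had it (UNCHANGED).
    """
    decision = UNCHANGED
    for arg in module_args.split():
        if arg.startswith("enable="):
            action, patterns = ENABLE, arg[len("enable="):]
        elif arg.startswith("disable="):
            action, patterns = DISABLE, arg[len("disable="):]
        else:
            continue  # open_only changes when the flag is set, not its value
        if any(fnmatch.fnmatchcase(user, p) for p in patterns.split(",")):
            decision = action
    return decision


def session_chain(steps, initial=DISABLE):
    """Follow the flag through nested sessions (login -> su -> sudo ...).

    `steps` pairs a pam_tty_audit line with the user its session is opened
    for. The kernel flag is inherited by child processes, so UNCHANGED keeps
    the previous value; `initial` models a fresh login with auditing off.
    """
    flag = initial
    for module_args, user in steps:
        decision = tty_audit_decision(module_args, user)
        if decision != UNCHANGED:
            flag = decision
    return flag


# Lines from the comment; "alice" below is a constructed unprivileged user.
SYSTEM_AUTH = "disable=* enable=root"
SUDO_LINE = "open_only enable=root"
SU_LINE = "enable=root"


def su_evasion(su_line):
    """root logs in, then runs `su alice`: is the su session still audited?"""
    return session_chain([(SYSTEM_AUTH, "root"), (su_line, "alice")])
```

su_evasion(SYSTEM_AUTH) returns "disable" (the evasion the NOTE warns about, when /etc/pam.d/su pulls in system-auth), while su_evasion(SU_LINE) returns "enable" because the dedicated enable=root line leaves root's inherited flag untouched for alice.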
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0222.html