Bug 244352 - TTY input audit support
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam
Version: 5.0
Platform: All Linux
Priority: low
Severity: low
Assigned To: Tomas Mraz
Depends On: 244135
Reported: 2007-06-15 04:34 EDT by Miloslav Trmač
Modified: 2009-01-20 17:04 EST
Doc Type: Bug Fix
Last Closed: 2009-01-20 17:04:24 EST

Attachments
- A preliminary patch (some FIXMEs left) (6.63 KB, patch), 2007-06-15 04:34 EDT, Miloslav Trmač
- A complete patch (17.67 KB, patch), 2007-11-28 10:24 EST, Miloslav Trmač
- An incremental patch (7.82 KB, patch), 2008-01-08 06:26 EST, Miloslav Trmač
- Resulting pam_tty_audit.c (8.23 KB, patch), 2008-01-08 06:28 EST, Miloslav Trmač

Description Miloslav Trmač 2007-06-15 04:34:41 EDT
Attached is a new PAM module to enable or disable TTY input auditing in the
user's session.
Comment 1 Miloslav Trmač 2007-06-15 04:34:41 EDT
Created attachment 157074
A preliminary patch (some FIXMEs left)
Comment 2 Miloslav Trmač 2007-06-15 04:58:51 EDT
(TODO: submit to PAM upstream first)
Comment 3 Miloslav Trmač 2007-11-28 10:24:13 EST
Created attachment 271421
A complete patch
Comment 4 RHEL Product and Program Management 2007-11-29 07:14:20 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 8 Miloslav Trmač 2008-01-08 06:26:03 EST
Created attachment 291048
An incremental patch

To be applied after attachment 271421:
* Add support for wildcards in enable= and disable=
* Add "open_only" (for sudo)
* Fix uninitialized variable access if the flag does not need to be changed
* Fix example in man page
Comment 9 Miloslav Trmač 2008-01-08 06:28:43 EST
Created attachment 291049
Resulting pam_tty_audit.c

If you want to test TTY input auditing without patching PAM, compile this file
with

gcc -shared -fPIC -o pam_tty_audit.so pam_tty_audit.c -lpam

and install pam_tty_audit.so to /lib*/security/
Comment 10 Miloslav Trmač 2008-01-08 06:34:27 EST
Ondrej, to test:

- install a kernel patched for #244135, and boot it
- install the new PAM (or at least the module from attachment 291049)
- optionally install an audit>=1.6 (to mark messages as TTY instead of
  UNKNOWN[1319])
- append to /etc/pam.d/system-auth:
        session required pam_tty_audit.so disable=* enable=root

from now on "TEST" == run (cat), type something and Ctrl+D; expected results:
  - as root => chars entered in audit.log
  - as non-root: no chars entered 
  Always try both cases.  No characters you didn't type (e.g. prompts printed
  by programs) should be logged.

- TEST logging in on console

- TEST logging in over ssh

- log in as root, verify (cat) input is logged,
  run (service sshd restart), reTEST logging in over ssh

- enable rlogind, comment-out pam_securetty from /etc/pam.d/rlogin
  TEST logging in using rlogin
  NOTE: rsh/rexec commands are not logged
  NOTE: If xinetd is restarted from an audited root's session,
  username/password are logged if the rlogind's password authentication fails
  for the first time, and /bin/login is asking for password/username

- enable telnet server, comment-out pam_securetty from /etc/pam.d/remote
  TEST logging in over telnet
  NOTE: If xinetd is restarted from an audited root's session,
  username/password are always logged

- TEST su and (su -) from an unprivileged account
  TEST su and (su -) from a privileged account
  NOTE: an admin can (su unprivileged) and evade logging this way; this can
    be handled by adding "session required pam_tty_audit.so enable=root" to
    /etc/pam.d/su and /etc/pam.d/su-l, and either:
    - not using system-auth in /etc/pam.d/su*, or
    - using pam_tty_audit in each individual PAM config file except for su{,-l}
      instead of using it in system-auth

- append to /etc/pam.d/sudo and /etc/pam.d/sudo-i:
        session required pam_tty_audit.so open_only enable=root
  (NOTE: disable=* would disable logging sudo from root to unprivileged users)
  NOTE: when testing sudo from a privileged account to an unprivileged account,
  the input is still logged because disable=* is not present

  visudo, add "your_unprivileged_user ALL=(ALL) ALL" to the last section
  TEST sudo  (using sudo -u destination_user cat)
  TEST sudo -i

- TEST logging in over gdm (perhaps to the rescue session, if not all of GNOME)
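The enable=/disable= glob lists and the open_only flag from comments 8 and 10, worked through as an added illustration (this is not the module's own code and not part of the bug report). It assumes the arguments are evaluated in order with the last matching enable=/disable= winning, which is what the "disable=* enable=root" line above relies on; the pattern-list matching and the CMD_NONE default (so the flag is left untouched when nothing matches) are this example's own choices.

```c
#include <fnmatch.h>
#include <string.h>

/* What the session hook should do with the kernel's per-process TTY audit flag. */
enum tty_audit_cmd { CMD_NONE, CMD_ENABLE, CMD_DISABLE };

struct tty_audit_policy {
    enum tty_audit_cmd command; /* CMD_NONE: leave the flag untouched */
    int open_only;              /* set the flag on session open, do not restore it on close */
};

/* Does any comma-separated glob pattern in LIST (e.g. "root,adm*") match USER? */
static int match_list(const char *list, const char *user)
{
    char pat[64];
    for (;;) {
        const char *comma = strchr(list, ',');
        size_t n = comma ? (size_t)(comma - list) : strlen(list);
        if (n < sizeof pat) {
            memcpy(pat, list, n);
            pat[n] = '\0';
            if (fnmatch(pat, user, 0) == 0)
                return 1;
        }
        if (comma == NULL)
            return 0;
        list = comma + 1;
    }
}

/* Evaluate the module's argv for USER.  Assumed semantics (not taken from the
   module source): arguments are processed in order and the last matching
   enable=/disable= wins, so "disable=* enable=root" audits root only.  The
   policy starts as CMD_NONE, so a user matching nothing leaves the flag alone. */
struct tty_audit_policy evaluate_args(int argc, const char **argv, const char *user)
{
    struct tty_audit_policy p = { CMD_NONE, 0 };
    for (int i = 0; i < argc; i++) {
        if (strncmp(argv[i], "enable=", 7) == 0) {
            if (match_list(argv[i] + 7, user))
                p.command = CMD_ENABLE;
        } else if (strncmp(argv[i], "disable=", 8) == 0) {
            if (match_list(argv[i] + 8, user))
                p.command = CMD_DISABLE;
        } else if (strcmp(argv[i], "open_only") == 0) {
            p.open_only = 1;
        }
    }
    return p;
}
```

With the sudo line from this comment ("open_only enable=root") an unprivileged target user yields CMD_NONE, which is why the note above says input is still logged when sudo goes from root to an unprivileged user.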
Comment 11 RHEL Product and Program Management 2008-06-02 16:36:20 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 16 errata-xmlrpc 2009-01-20 17:04:24 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0222.html