    Audit: add TTY input auditing · 522ed776
    Miloslav Trmac authored
    Add TTY input auditing, used to audit system administrator's actions.  This is
    required by various security standards such as DCID 6/3 and PCI to provide
    non-repudiation of administrator's actions and to allow a review of past
    actions if the administrator seems to overstep their duties or if the system
    becomes misconfigured for unknown reasons.  These requirements do not make it
    necessary to audit TTY output as well.
    
    Compared to a user-space keylogger, this approach records TTY input using the
    audit subsystem, correlated with other audit events, and it is completely
    transparent to the user-space application (e.g. the console ioctls still
    work).
    
    TTY input auditing works on a higher level than auditing all system calls
    within the session, which would produce an overwhelming amount of mostly
    useless audit events.
    
    Add an "audit_tty" attribute, inherited across fork ().  Data read from TTYs
    by a process with the attribute is sent to the audit subsystem by the kernel.
    The audit netlink interface is extended to allow modifying the audit_tty
    attribute, and to allow sending explanatory audit events from user-space (for
    example, a shell might send an event containing the final command, after the
    interactive command-line editing and history expansion is performed, which
    might be difficult to decipher from the TTY input alone).
    
    Because the "audit_tty" attribute is inherited across fork (), it would be set
    e.g. for sshd restarted within an audited session.  To prevent this, the
    audit_tty attribute is cleared when a process with no open TTY file
    descriptors (e.g. after daemon startup) opens a TTY.
    
    See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html for a
    more detailed rationale document for an older version of this patch.
    
    [akpm@linux-foundation.org: build fix]
    Signed-off-by: Miloslav Trmac <mitr@redhat.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
    Cc: Paul Fulghum <paulkf@microgate.com>
    Cc: Casey Schaufler <casey@schaufler-ca.com>
    Cc: Steve Grubb <sgrubb@redhat.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
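The attribute semantics the commit message describes (audit_tty inherited across fork, reads recorded only while it is set, the flag cleared when a process holding no TTY descriptors opens a TTY, and the explanatory user-space event a shell may send) can be followed in a small model. The following is an added illustration, not code from the kernel patch or from the author: it models the per-task attribute in plain Python and walks through the audited-shell and restarted-sshd cases. The process names "login", "bash", "vi", the TTY names "tty1" and "ttyS0", and the shape of the audit records are constructed for the example; the netlink interface that sets the attribute is assumed to have been used by the login process and is not modelled.

```python
from dataclasses import dataclass, field

# System-wide audit trail: in the real design this is the audit subsystem;
# here it is a plain list of (event_type, process_name, detail) tuples.
AUDIT_TRAIL = []


@dataclass
class Process:
    """Model of one process carrying the per-task audit_tty attribute."""
    name: str
    audit_tty: bool = False
    # Names of the TTYs this process holds open (stands in for TTY file
    # descriptors; names are constructed for the example).
    open_ttys: set = field(default_factory=set)

    def fork(self, child_name):
        # audit_tty and open descriptors are both inherited across fork().
        return Process(child_name, self.audit_tty, set(self.open_ttys))

    def close_all_ttys(self):
        # What a daemon does at startup: detach from the session's TTY.
        self.open_ttys.clear()

    def open_tty(self, tty):
        # Rule from the commit message: a process that holds no open TTY
        # descriptors and then opens a TTY has audit_tty cleared, so a daemon
        # restarted from an audited session stops recording its own input.
        if not self.open_ttys:
            self.audit_tty = False
        self.open_ttys.add(tty)

    def tty_read(self, tty, data):
        # Input read from a TTY is recorded only while audit_tty is set.
        if tty not in self.open_ttys:
            raise ValueError(f"{self.name} has no open descriptor for {tty}")
        if self.audit_tty:
            AUDIT_TRAIL.append(("tty", self.name, data))
        return data

    def send_user_tty(self, command):
        # The explanatory event from user space (a shell reporting the final
        # command after line editing and history expansion).
        AUDIT_TRAIL.append(("user_tty", self.name, command))


def scenario():
    """Walk through an audited session and the restarted-daemon case."""
    AUDIT_TRAIL.clear()
    # Assumed: the login process already set audit_tty for this session
    # through the netlink interface and holds the session TTY open.
    login = Process("login", audit_tty=True, open_ttys={"tty1"})

    shell = login.fork("bash")
    shell.tty_read("tty1", "l")           # each read is recorded ...
    shell.tty_read("tty1", "s -l\n")
    shell.send_user_tty("ls -l")          # ... plus the shell's own event

    editor = shell.fork("vi")             # children keep the attribute
    editor.tty_read("tty1", ":wq\n")

    daemon = shell.fork("sshd")           # admin restarts a daemon
    daemon.close_all_ttys()               # it detaches from the session TTY
    daemon.open_tty("ttyS0")              # later opens some other TTY
    daemon.tty_read("ttyS0", "input\n")   # not recorded: flag was cleared

    return {
        "shell_audit_tty": shell.audit_tty,
        "daemon_audit_tty": daemon.audit_tty,
        "trail": list(AUDIT_TRAIL),
    }


if __name__ == "__main__":
    for event in scenario()["trail"]:
        print(event)
```

Running the scenario leaves the shell and its editor child audited while the restarted daemon has had the attribute cleared; the trail holds only the session's keystrokes and the shell's explanatory record, which is the separation the commit message is after.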