aboutsummaryrefslogtreecommitdiffstats
path: root/include/linux
diff options
context:
space:
mode:
authorMiloslav Trmac <mitr@redhat.com>2007-07-16 02:40:56 -0400
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-07-16 12:05:47 -0400
commit522ed7767e800cff6c650ec64b0ee0677303119c (patch)
treef65ecb29f2cf885018d3557f840de3ef4be6ec64 /include/linux
parent4f27c00bf80f122513d3a5be16ed851573164534 (diff)
Audit: add TTY input auditing
Add TTY input auditing, used to audit system administrator's actions. This is required by various security standards such as DCID 6/3 and PCI to provide non-repudiation of administrator's actions and to allow a review of past actions if the administrator seems to overstep their duties or if the system becomes misconfigured for unknown reasons. These requirements do not make it necessary to audit TTY output as well. Compared to an user-space keylogger, this approach records TTY input using the audit subsystem, correlated with other audit events, and it is completely transparent to the user-space application (e.g. the console ioctls still work). TTY input auditing works on a higher level than auditing all system calls within the session, which would produce an overwhelming amount of mostly useless audit events. Add an "audit_tty" attribute, inherited across fork (). Data read from TTYs by process with the attribute is sent to the audit subsystem by the kernel. The audit netlink interface is extended to allow modifying the audit_tty attribute, and to allow sending explanatory audit events from user-space (for example, a shell might send an event containing the final command, after the interactive command-line editing and history expansion is performed, which might be difficult to decipher from the TTY input alone). Because the "audit_tty" attribute is inherited across fork (), it would be set e.g. for sshd restarted within an audited session. To prevent this, the audit_tty attribute is cleared when a process with no open TTY file descriptors (e.g. after daemon startup) opens a TTY. See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html for a more detailed rationale document for an older version of this patch. [akpm@linux-foundation.org: build fix] Signed-off-by: Miloslav Trmac <mitr@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Cc: Paul Fulghum <paulkf@microgate.com> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'include/linux')
-rw-r--r--include/linux/audit.h11
-rw-r--r--include/linux/sched.h4
-rw-r--r--include/linux/tty.h33
3 files changed, 48 insertions, 0 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index fccc6e50298a..8ca7ca0b47f0 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -63,9 +63,12 @@
63#define AUDIT_ADD_RULE 1011 /* Add syscall filtering rule */ 63#define AUDIT_ADD_RULE 1011 /* Add syscall filtering rule */
64#define AUDIT_DEL_RULE 1012 /* Delete syscall filtering rule */ 64#define AUDIT_DEL_RULE 1012 /* Delete syscall filtering rule */
65#define AUDIT_LIST_RULES 1013 /* List syscall filtering rules */ 65#define AUDIT_LIST_RULES 1013 /* List syscall filtering rules */
66#define AUDIT_TTY_GET 1014 /* Get TTY auditing status */
67#define AUDIT_TTY_SET 1015 /* Set TTY auditing status */
66 68
67#define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */ 69#define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel */
68#define AUDIT_USER_AVC 1107 /* We filter this differently */ 70#define AUDIT_USER_AVC 1107 /* We filter this differently */
71#define AUDIT_USER_TTY 1124 /* Non-ICANON TTY input meaning */
69#define AUDIT_LAST_USER_MSG 1199 72#define AUDIT_LAST_USER_MSG 1199
70#define AUDIT_FIRST_USER_MSG2 2100 /* More user space messages */ 73#define AUDIT_FIRST_USER_MSG2 2100 /* More user space messages */
71#define AUDIT_LAST_USER_MSG2 2999 74#define AUDIT_LAST_USER_MSG2 2999
@@ -92,6 +95,7 @@
92#define AUDIT_KERNEL_OTHER 1316 /* For use by 3rd party modules */ 95#define AUDIT_KERNEL_OTHER 1316 /* For use by 3rd party modules */
93#define AUDIT_FD_PAIR 1317 /* audit record for pipe/socketpair */ 96#define AUDIT_FD_PAIR 1317 /* audit record for pipe/socketpair */
94#define AUDIT_OBJ_PID 1318 /* ptrace target */ 97#define AUDIT_OBJ_PID 1318 /* ptrace target */
98#define AUDIT_TTY 1319 /* Input on an administrative TTY */
95 99
96#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ 100#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
97#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ 101#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
@@ -289,6 +293,10 @@ struct audit_status {
289 __u32 backlog; /* messages waiting in queue */ 293 __u32 backlog; /* messages waiting in queue */
290}; 294};
291 295
296struct audit_tty_status {
297 __u32 enabled; /* 1 = enabled, 0 = disabled */
298};
299
292/* audit_rule_data supports filter rules with both integer and string 300/* audit_rule_data supports filter rules with both integer and string
293 * fields. It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and 301 * fields. It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and
294 * AUDIT_LIST_RULES requests. 302 * AUDIT_LIST_RULES requests.
@@ -515,11 +523,13 @@ extern void audit_log_d_path(struct audit_buffer *ab,
515 const char *prefix, 523 const char *prefix,
516 struct dentry *dentry, 524 struct dentry *dentry,
517 struct vfsmount *vfsmnt); 525 struct vfsmount *vfsmnt);
526extern void audit_log_lost(const char *message);
518 /* Private API (for audit.c only) */ 527 /* Private API (for audit.c only) */
519extern int audit_filter_user(struct netlink_skb_parms *cb, int type); 528extern int audit_filter_user(struct netlink_skb_parms *cb, int type);
520extern int audit_filter_type(int type); 529extern int audit_filter_type(int type);
521extern int audit_receive_filter(int type, int pid, int uid, int seq, 530extern int audit_receive_filter(int type, int pid, int uid, int seq,
522 void *data, size_t datasz, uid_t loginuid, u32 sid); 531 void *data, size_t datasz, uid_t loginuid, u32 sid);
532extern int audit_enabled;
523#else 533#else
524#define audit_log(c,g,t,f,...) do { ; } while (0) 534#define audit_log(c,g,t,f,...) do { ; } while (0)
525#define audit_log_start(c,g,t) ({ NULL; }) 535#define audit_log_start(c,g,t) ({ NULL; })
@@ -530,6 +540,7 @@ extern int audit_receive_filter(int type, int pid, int uid, int seq,
530#define audit_log_untrustedstring(a,s) do { ; } while (0) 540#define audit_log_untrustedstring(a,s) do { ; } while (0)
531#define audit_log_n_untrustedstring(a,n,s) do { ; } while (0) 541#define audit_log_n_untrustedstring(a,n,s) do { ; } while (0)
532#define audit_log_d_path(b,p,d,v) do { ; } while (0) 542#define audit_log_d_path(b,p,d,v) do { ; } while (0)
543#define audit_enabled 0
533#endif 544#endif
534#endif 545#endif
535#endif 546#endif
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 3cffc1204663..b579624477f4 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -529,6 +529,10 @@ struct signal_struct {
529#ifdef CONFIG_TASKSTATS 529#ifdef CONFIG_TASKSTATS
530 struct taskstats *stats; 530 struct taskstats *stats;
531#endif 531#endif
532#ifdef CONFIG_AUDIT
533 unsigned audit_tty;
534 struct tty_audit_buf *tty_audit_buf;
535#endif
532}; 536};
533 537
534/* Context switch must be unlocked if interrupts are to be enabled */ 538/* Context switch must be unlocked if interrupts are to be enabled */
diff --git a/include/linux/tty.h b/include/linux/tty.h
index deaba9ec5004..691a1748d9d2 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -178,6 +178,7 @@ struct tty_bufhead {
178#define L_IEXTEN(tty) _L_FLAG((tty),IEXTEN) 178#define L_IEXTEN(tty) _L_FLAG((tty),IEXTEN)
179 179
180struct device; 180struct device;
181struct signal_struct;
181/* 182/*
182 * Where all of the state associated with a tty is kept while the tty 183 * Where all of the state associated with a tty is kept while the tty
183 * is open. Since the termios state should be kept even if the tty 184 * is open. Since the termios state should be kept even if the tty
@@ -310,6 +311,7 @@ extern void tty_hangup(struct tty_struct * tty);
310extern void tty_vhangup(struct tty_struct * tty); 311extern void tty_vhangup(struct tty_struct * tty);
311extern void tty_unhangup(struct file *filp); 312extern void tty_unhangup(struct file *filp);
312extern int tty_hung_up_p(struct file * filp); 313extern int tty_hung_up_p(struct file * filp);
314extern int is_tty(struct file *filp);
313extern void do_SAK(struct tty_struct *tty); 315extern void do_SAK(struct tty_struct *tty);
314extern void __do_SAK(struct tty_struct *tty); 316extern void __do_SAK(struct tty_struct *tty);
315extern void disassociate_ctty(int priv); 317extern void disassociate_ctty(int priv);
@@ -347,6 +349,37 @@ extern int tty_write_lock(struct tty_struct *tty, int ndelay);
347/* n_tty.c */ 349/* n_tty.c */
348extern struct tty_ldisc tty_ldisc_N_TTY; 350extern struct tty_ldisc tty_ldisc_N_TTY;
349 351
352/* tty_audit.c */
353#ifdef CONFIG_AUDIT
354extern void tty_audit_add_data(struct tty_struct *tty, unsigned char *data,
355 size_t size);
356extern void tty_audit_exit(void);
357extern void tty_audit_fork(struct signal_struct *sig);
358extern void tty_audit_push(struct tty_struct *tty);
359extern void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid);
360extern void tty_audit_opening(void);
361#else
362static inline void tty_audit_add_data(struct tty_struct *tty,
363 unsigned char *data, size_t size)
364{
365}
366static inline void tty_audit_exit(void)
367{
368}
369static inline void tty_audit_fork(struct signal_struct *sig)
370{
371}
372static inline void tty_audit_push(struct tty_struct *tty)
373{
374}
375static inline void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid)
376{
377}
378static inline void tty_audit_opening(void)
379{
380}
381#endif
382
350/* tty_ioctl.c */ 383/* tty_ioctl.c */
351extern int n_tty_ioctl(struct tty_struct * tty, struct file * file, 384extern int n_tty_ioctl(struct tty_struct * tty, struct file * file,
352 unsigned int cmd, unsigned long arg); 385 unsigned int cmd, unsigned long arg);