Audit: add TTY input auditing

Add TTY input auditing, used to audit system administrator's actions. This is required by various security standards such as DCID 6/3 and PCI to provide non-repudiation of administrator's actions and to allow a review of past actions if the administrator seems to overstep their duties or if the system becomes misconfigured for unknown reasons. These requirements do not make it necessary to audit TTY output as well. Compared to an user-space keylogger, this approach records TTY input using the audit subsystem, correlated with other audit events, and it is completely transparent to the user-space application (e.g. the console ioctls still work). TTY input auditing works on a higher level than auditing all system calls within the session, which would produce an overwhelming amount of mostly useless audit events. Add an "audit_tty" attribute, inherited across fork (). Data read from TTYs by process with the attribute is sent to the audit subsystem by the kernel. The audit netlink interface is extended to allow modifying the audit_tty attribute, and to allow sending explanatory audit events from user-space (for example, a shell might send an event containing the final command, after the interactive command-line editing and history expansion is performed, which might be difficult to decipher from the TTY input alone). Because the "audit_tty" attribute is inherited across fork (), it would be set e.g. for sshd restarted within an audited session. To prevent this, the audit_tty attribute is cleared when a process with no open TTY file descriptors (e.g. after daemon startup) opens a TTY. See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html for a more detailed rationale document for an older version of this patch. [akpm@linux-foundation.org: build fix] Signed-off-by: Miloslav Trmac <mitr@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Cc: Paul Fulghum <paulkf@microgate.com> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Miloslav Trmac <mitr@redhat.com> 2007-07-16 02:40:56 -0400
committer: Linus Torvalds <torvalds@woody.linux-foundation.org> 2007-07-16 12:05:47 -0400
commit: 522ed7767e800cff6c650ec64b0ee0677303119c (patch)
tree: f65ecb29f2cf885018d3557f840de3ef4be6ec64 /kernel/audit.c
parent: 4f27c00bf80f122513d3a5be16ed851573164534 (diff)
1 files changed, 88 insertions, 8 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index d13276d41410..5ce8851facf7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -58,6 +58,7 @@
 #include <linux/selinux.h>
 #include <linux/inotify.h>
 #include <linux/freezer.h>
+#include <linux/tty.h>
 #include "audit.h"
@@ -423,6 +424,31 @@ static int kauditd_thread(void *dummy)
        return 0;
 }
+static int audit_prepare_user_tty(pid_t pid, uid_t loginuid)
+{
+        struct task_struct *tsk;
+        int err;
+        read_lock(&tasklist_lock);
+        tsk = find_task_by_pid(pid);
+        err = -ESRCH;
+        if (!tsk)
+                goto out;
+        err = 0;
+        spin_lock_irq(&tsk->sighand->siglock);
+        if (!tsk->signal->audit_tty)
+                err = -EPERM;
+        spin_unlock_irq(&tsk->sighand->siglock);
+        if (err)
+                goto out;
+        tty_audit_push_task(tsk, loginuid);
+out:
+        read_unlock(&tasklist_lock);
+        return err;
+}
 int audit_send_list(void *_dest)
 {
        struct audit_netlink_list *dest = _dest;
@@ -511,6 +537,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
        case AUDIT_DEL:
        case AUDIT_DEL_RULE:
        case AUDIT_SIGNAL_INFO:
+        case AUDIT_TTY_GET:
+        case AUDIT_TTY_SET:
                if (security_netlink_recv(skb, CAP_AUDIT_CONTROL))
                        err = -EPERM;
                break;
@@ -622,6 +650,11 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                err = audit_filter_user(&NETLINK_CB(skb), msg_type);
                if (err == 1) {
                        err = 0;
+                        if (msg_type == AUDIT_USER_TTY) {
+                                err = audit_prepare_user_tty(pid, loginuid);
+                                if (err)
+                                        break;
+                        }
                        ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
                        if (ab) {
                                audit_log_format(ab,
@@ -638,8 +671,17 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                                                        " subj=%s", ctx);
                                        kfree(ctx);
                                }
-                                audit_log_format(ab, " msg='%.1024s'",
+                                if (msg_type != AUDIT_USER_TTY)
-                                         (char *)data);
+                                        audit_log_format(ab, " msg='%.1024s'",
+                                                         (char *)data);
+                                else {
+                                        int size;
+                                        audit_log_format(ab, " msg=");
+                                        size = nlmsg_len(nlh);
+                                        audit_log_n_untrustedstring(ab, size,
+                                                                    data);
+                                }
                                audit_set_pid(ab, pid);
                                audit_log_end(ab);
                        }
@@ -730,6 +772,45 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                                0, 0, sig_data, sizeof(*sig_data) + len);
                kfree(sig_data);
                break;
+        case AUDIT_TTY_GET: {
+                struct audit_tty_status s;
+                struct task_struct *tsk;
+                read_lock(&tasklist_lock);
+                tsk = find_task_by_pid(pid);
+                if (!tsk)
+                        err = -ESRCH;
+                else {
+                        spin_lock_irq(&tsk->sighand->siglock);
+                        s.enabled = tsk->signal->audit_tty != 0;
+                        spin_unlock_irq(&tsk->sighand->siglock);
+                }
+                read_unlock(&tasklist_lock);
+                audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_TTY_GET, 0, 0,
+                                 &s, sizeof(s));
+                break;
+        }
+        case AUDIT_TTY_SET: {
+                struct audit_tty_status *s;
+                struct task_struct *tsk;
+                if (nlh->nlmsg_len < sizeof(struct audit_tty_status))
+                        return -EINVAL;
+                s = data;
+                if (s->enabled != 0 && s->enabled != 1)
+                        return -EINVAL;
+                read_lock(&tasklist_lock);
+                tsk = find_task_by_pid(pid);
+                if (!tsk)
+                        err = -ESRCH;
+                else {
+                        spin_lock_irq(&tsk->sighand->siglock);
+                        tsk->signal->audit_tty = s->enabled != 0;
+                        spin_unlock_irq(&tsk->sighand->siglock);
+                }
+                read_unlock(&tasklist_lock);
+                break;
+        }
        default:
                err = -EINVAL;
                break;
@@ -1185,7 +1266,7 @@ static void audit_log_n_string(struct audit_buffer *ab, size_t slen,
 }
 /**
- * audit_log_n_unstrustedstring - log a string that may contain random characters
+ * audit_log_n_untrustedstring - log a string that may contain random characters
 * @ab: audit_buffer
 * @len: lenth of string (not including trailing null)
 * @string: string to be logged
@@ -1201,25 +1282,24 @@ static void audit_log_n_string(struct audit_buffer *ab, size_t slen,
 const char *audit_log_n_untrustedstring(struct audit_buffer *ab, size_t len,
                                        const char *string)
 {
-        const unsigned char *p = string;
+        const unsigned char *p;
-        while (*p) {
+        for (p = string; p < (const unsigned char *)string + len && *p; p++) {
                if (*p == '"' || *p < 0x21 || *p > 0x7f) {
                        audit_log_hex(ab, string, len);
                        return string + len + 1;
                }
-                p++;
        }
        audit_log_n_string(ab, len, string);
        return p + 1;
 }
 /**
- * audit_log_unstrustedstring - log a string that may contain random characters
+ * audit_log_untrustedstring - log a string that may contain random characters
 * @ab: audit_buffer
 * @string: string to be logged
 *
- * Same as audit_log_n_unstrustedstring(), except that strlen is used to
+ * Same as audit_log_n_untrustedstring(), except that strlen is used to
 * determine string length.
 */
 const char *audit_log_untrustedstring(struct audit_buffer *ab, const char *string)
author	Miloslav Trmac <mitr@redhat.com>	2007-07-16 02:40:56 -0400
committer	Linus Torvalds <torvalds@woody.linux-foundation.org>	2007-07-16 12:05:47 -0400
commit	522ed7767e800cff6c650ec64b0ee0677303119c (patch)
tree	f65ecb29f2cf885018d3557f840de3ef4be6ec64 /kernel/audit.c
parent	4f27c00bf80f122513d3a5be16ed851573164534 (diff)

diff --git a/kernel/audit.c b/kernel/audit.c index d13276d41410..5ce8851facf7 100644 --- a/kernel/audit.c +++ b/kernel/audit.c
@@ -58,6 +58,7 @@
58	#include <linux/selinux.h>	58	#include <linux/selinux.h>
59	#include <linux/inotify.h>	59	#include <linux/inotify.h>
60	#include <linux/freezer.h>	60	#include <linux/freezer.h>
		61	#include <linux/tty.h>
61		62
62	#include "audit.h"	63	#include "audit.h"
63		64
@@ -423,6 +424,31 @@ static int kauditd_thread(void *dummy)
423	return 0;	424	return 0;
424	}	425	}
425		426
		427	static int audit_prepare_user_tty(pid_t pid, uid_t loginuid)
		428	{
		429	struct task_struct *tsk;
		430	int err;
		431
		432	read_lock(&tasklist_lock);
		433	tsk = find_task_by_pid(pid);
		434	err = -ESRCH;
		435	if (!tsk)
		436	goto out;
		437	err = 0;
		438
		439	spin_lock_irq(&tsk->sighand->siglock);
		440	if (!tsk->signal->audit_tty)
		441	err = -EPERM;
		442	spin_unlock_irq(&tsk->sighand->siglock);
		443	if (err)
		444	goto out;
		445
		446	tty_audit_push_task(tsk, loginuid);
		447	out:
		448	read_unlock(&tasklist_lock);
		449	return err;
		450	}
		451
426	int audit_send_list(void *_dest)	452	int audit_send_list(void *_dest)
427	{	453	{
428	struct audit_netlink_list *dest = _dest;	454	struct audit_netlink_list *dest = _dest;
@@ -511,6 +537,8 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
511	case AUDIT_DEL:	537	case AUDIT_DEL:
512	case AUDIT_DEL_RULE:	538	case AUDIT_DEL_RULE:
513	case AUDIT_SIGNAL_INFO:	539	case AUDIT_SIGNAL_INFO:
		540	case AUDIT_TTY_GET:
		541	case AUDIT_TTY_SET:
514	if (security_netlink_recv(skb, CAP_AUDIT_CONTROL))	542	if (security_netlink_recv(skb, CAP_AUDIT_CONTROL))
515	err = -EPERM;	543	err = -EPERM;
516	break;	544	break;
@@ -622,6 +650,11 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
622	err = audit_filter_user(&NETLINK_CB(skb), msg_type);	650	err = audit_filter_user(&NETLINK_CB(skb), msg_type);
623	if (err == 1) {	651	if (err == 1) {
624	err = 0;	652	err = 0;
		653	if (msg_type == AUDIT_USER_TTY) {
		654	err = audit_prepare_user_tty(pid, loginuid);
		655	if (err)
		656	break;
		657	}
625	ab = audit_log_start(NULL, GFP_KERNEL, msg_type);	658	ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
626	if (ab) {	659	if (ab) {
627	audit_log_format(ab,	660	audit_log_format(ab,
@@ -638,8 +671,17 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
638	" subj=%s", ctx);	671	" subj=%s", ctx);
639	kfree(ctx);	672	kfree(ctx);
640	}	673	}
641	audit_log_format(ab, " msg='%.1024s'",	674	if (msg_type != AUDIT_USER_TTY)
642	(char *)data);	675	audit_log_format(ab, " msg='%.1024s'",
		676	(char *)data);
		677	else {
		678	int size;
		679
		680	audit_log_format(ab, " msg=");
		681	size = nlmsg_len(nlh);
		682	audit_log_n_untrustedstring(ab, size,
		683	data);
		684	}
643	audit_set_pid(ab, pid);	685	audit_set_pid(ab, pid);
644	audit_log_end(ab);	686	audit_log_end(ab);
645	}	687	}
@@ -730,6 +772,45 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
730	0, 0, sig_data, sizeof(*sig_data) + len);	772	0, 0, sig_data, sizeof(*sig_data) + len);
731	kfree(sig_data);	773	kfree(sig_data);
732	break;	774	break;
		775	case AUDIT_TTY_GET: {
		776	struct audit_tty_status s;
		777	struct task_struct *tsk;
		778
		779	read_lock(&tasklist_lock);
		780	tsk = find_task_by_pid(pid);
		781	if (!tsk)
		782	err = -ESRCH;
		783	else {
		784	spin_lock_irq(&tsk->sighand->siglock);
		785	s.enabled = tsk->signal->audit_tty != 0;
		786	spin_unlock_irq(&tsk->sighand->siglock);
		787	}
		788	read_unlock(&tasklist_lock);
		789	audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_TTY_GET, 0, 0,
		790	&s, sizeof(s));
		791	break;
		792	}
		793	case AUDIT_TTY_SET: {
		794	struct audit_tty_status *s;
		795	struct task_struct *tsk;
		796
		797	if (nlh->nlmsg_len < sizeof(struct audit_tty_status))
		798	return -EINVAL;
		799	s = data;
		800	if (s->enabled != 0 && s->enabled != 1)
		801	return -EINVAL;
		802	read_lock(&tasklist_lock);
		803	tsk = find_task_by_pid(pid);
		804	if (!tsk)
		805	err = -ESRCH;
		806	else {
		807	spin_lock_irq(&tsk->sighand->siglock);
		808	tsk->signal->audit_tty = s->enabled != 0;
		809	spin_unlock_irq(&tsk->sighand->siglock);
		810	}
		811	read_unlock(&tasklist_lock);
		812	break;
		813	}
733	default:	814	default:
734	err = -EINVAL;	815	err = -EINVAL;
735	break;	816	break;
@@ -1185,7 +1266,7 @@ static void audit_log_n_string(struct audit_buffer *ab, size_t slen,
1185	}	1266	}
1186		1267
1187	/**	1268	/**
1188	* audit_log_n_unstrustedstring - log a string that may contain random characters	1269	* audit_log_n_untrustedstring - log a string that may contain random characters
1189	* @ab: audit_buffer	1270	* @ab: audit_buffer
1190	* @len: lenth of string (not including trailing null)	1271	* @len: lenth of string (not including trailing null)
1191	* @string: string to be logged	1272	* @string: string to be logged
@@ -1201,25 +1282,24 @@ static void audit_log_n_string(struct audit_buffer *ab, size_t slen,
1201	const char audit_log_n_untrustedstring(struct audit_buffer ab, size_t len,	1282	const char audit_log_n_untrustedstring(struct audit_buffer ab, size_t len,
1202	const char *string)	1283	const char *string)
1203	{	1284	{
1204	const unsigned char *p = string;	1285	const unsigned char *p;
1205		1286
1206	while (*p) {	1287	for (p = string; p < (const unsigned char )string + len && p; p++) {
1207	if (p == '"' \|\| p < 0x21 \|\| *p > 0x7f) {	1288	if (p == '"' \|\| p < 0x21 \|\| *p > 0x7f) {
1208	audit_log_hex(ab, string, len);	1289	audit_log_hex(ab, string, len);
1209	return string + len + 1;	1290	return string + len + 1;
1210	}	1291	}
1211	p++;
1212	}	1292	}
1213	audit_log_n_string(ab, len, string);	1293	audit_log_n_string(ab, len, string);
1214	return p + 1;	1294	return p + 1;
1215	}	1295	}
1216		1296
1217	/**	1297	/**
1218	* audit_log_unstrustedstring - log a string that may contain random characters	1298	* audit_log_untrustedstring - log a string that may contain random characters
1219	* @ab: audit_buffer	1299	* @ab: audit_buffer
1220	* @string: string to be logged	1300	* @string: string to be logged
1221	*	1301	*
1222	* Same as audit_log_n_unstrustedstring(), except that strlen is used to	1302	* Same as audit_log_n_untrustedstring(), except that strlen is used to
1223	* determine string length.	1303	* determine string length.
1224	*/	1304	*/
1225	const char audit_log_untrustedstring(struct audit_buffer ab, const char *string)	1305	const char audit_log_untrustedstring(struct audit_buffer ab, const char *string)