[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[PATCH] pam_tty_audit: add an option to control logging of passwords: log_passwd



Most commands are entered one line at a time and processed as complete lines
in non-canonical mode.  Commands that interactively require a password, enter
canonical mode with echo set to off to do this.  This feature (icanon and
!echo) can be used to avoid logging passwords by audit while still logging the
rest of the command.

Adding a member to the struct audit_tty_status passed in by pam_tty_audit
allows control of logging passwords per task.

This can be used with older kernels since it checks for the needed structure
members at compile time.

Signed-off-by: Richard Guy Briggs <rgb redhat com>
---
 configure.in                              |   15 +++++++++++++++
 modules/pam_tty_audit/Makefile.am         |    3 +++
 modules/pam_tty_audit/pam_tty_audit.8.xml |   15 +++++++++++++++
 modules/pam_tty_audit/pam_tty_audit.c     |   23 ++++++++++++++++++++++-
 4 files changed, 55 insertions(+), 1 deletions(-)

diff --git a/configure.in b/configure.in
index 515b301..02963a8 100644
--- a/configure.in
+++ b/configure.in
@@ -386,6 +386,19 @@ if test x"$WITH_LIBAUDIT" != xno ; then
         fi
         if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then
             AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.])
+
+            AC_CHECK_MEMBER(
+                            [struct audit_tty_status.log_passwd],
+                            [
+                             HAVE_AUDIT_TTY_STATUS_LOG_PASSWD=yes
+                             AC_DEFINE([HAVE_AUDIT_TTY_STATUS_LOG_PASSWD], 1, [Define to 1 if struct audit_tty_status.log_passwd exists.])
+                            ],
+                            [
+                             HAVE_AUDIT_TTY_STATUS_LOG_PASSWD=""
+                             AC_MSG_WARN([The struct audit_tty_status.log_passwd member is needed for the log_passwd option.  The log_passwd option is disabled.])
+                            ],
+                            [[#include <libaudit.h>]]
+                            )
         fi
 else
 	LIBAUDIT=""
@@ -393,6 +406,8 @@ fi
 AC_SUBST(LIBAUDIT)
 AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS],
 	       [test "x$HAVE_AUDIT_TTY_STATUS" = xyes])
+AM_CONDITIONAL([HAVE_AUDIT_TTY_STATUS_LOG_PASSWD],
+	       [test "x$HAVE_AUDIT_TTY_STATUS_LOG_PASSWD" = xyes])
 
 AC_CHECK_HEADERS(xcrypt.h crypt.h)
 AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
diff --git a/modules/pam_tty_audit/Makefile.am b/modules/pam_tty_audit/Makefile.am
index 6378483..ee897e7 100644
--- a/modules/pam_tty_audit/Makefile.am
+++ b/modules/pam_tty_audit/Makefile.am
@@ -16,6 +16,9 @@ XMLS = README.xml pam_tty_audit.8.xml
 securelibdir = $(SECUREDIR)
 
 AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+if HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+  AM_CFLAGS += -DHAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+endif
 AM_LDFLAGS = -no-undefined -avoid-version -module
 if HAVE_VERSIONING
   AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml
index 447b845..552353c 100644
--- a/modules/pam_tty_audit/pam_tty_audit.8.xml
+++ b/modules/pam_tty_audit/pam_tty_audit.8.xml
@@ -77,6 +77,19 @@
           </para>
         </listitem>
       </varlistentry>
+      <varlistentry>
+        <term>
+          <option>log_passwd</option>
+        </term>
+        <listitem>
+          <para>
+	   Log keystrokes when ECHO mode is off but ICANON mode is active.
+	   This is the mode in which the tty is placed during password entry.
+	   By default, passwords are not logged.  This option may not be
+	   available on older kernels (3.9?).
+          </para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
@@ -161,6 +174,8 @@ session	required pam_tty_audit.so disable=* enable=root
       <para>
         pam_tty_audit was written by Miloslav Trma&ccaron;
 	&lt;mitr redhat com&gt;.
+        The log_passwd option was added by Richard Guy Briggs
+        &lt;rgb redhat com&gt;.
       </para>
   </refsect1>
 
diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c
index 080f495..b8f3821 100644
--- a/modules/pam_tty_audit/pam_tty_audit.c
+++ b/modules/pam_tty_audit/pam_tty_audit.c
@@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
   struct audit_tty_status *old_status, new_status;
   const char *user;
   int i, fd, open_only;
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+  int log_passwd;
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
 
   (void)flags;
 
@@ -212,6 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
 
   command = CMD_NONE;
   open_only = 0;
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+  log_passwd = 0;
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
   for (i = 0; i < argc; i++)
     {
       if (strncmp (argv[i], "enable=", 7) == 0
@@ -237,6 +243,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
 	}
       else if (strcmp (argv[i], "open_only") == 0)
 	open_only = 1;
+      else if (strcmp (argv[i], "log_passwd") == 0)
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+        log_passwd = 1;
+#else /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
+        pam_syslog (pamh, LOG_WARNING,
+                    "pam_tty_audit: The log_passwd option was not available at compile time.");
+#warning "pam_tty_audit: The log_passwd option is not available.  Please upgrade your kernel."
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
       else
 	{
 	  pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
@@ -262,7 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
     }
 
   new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
-  if (old_status->enabled == new_status.enabled)
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+  new_status.log_passwd = log_passwd;
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
+  if (old_status->enabled == new_status.enabled
+#ifdef HAVE_AUDIT_TTY_STATUS_LOG_PASSWD
+      && old_status->log_passwd == new_status.log_passwd
+#endif /* HAVE_AUDIT_TTY_STATUS_LOG_PASSWD */
+     )
     {
       open_only = 1; /* to clean up old_status */
       goto ok_fd;
-- 
1.7.1


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]