[PATCH] Audit: Add TTY input auditing

From: Miloslav Trmac
Date: Wed Jun 06 2007 - 05:51:08 EST


From: Miloslav Trmac <mitr@xxxxxxxxxx>

Add TTY input auditing, used to audit system administrator's actions.
TTY input auditing works on a higher level than auditing all system
calls within the session, which would produce an overwhelming amount of
mostly useless audit events.

Add an "audit_tty" attribute, inherited across fork (). Data read from
TTYs by process with the attribute is sent to the audit subsystem by the
kernel. The audit netlink interface is extended to allow modifying the
audit_tty attribute, and to allow sending explanatory audit events from
user-space (for example, a shell might send an event containing the
final command, after the interactive command-line editing and history
expansion is performed, which might be difficult to decipher from the
TTY input alone).

Because the "audit_tty" attribute is inherited across fork (), it would
be set e.g. for sshd restarted within an audited session. To prevent
this, the audit_tty attribute is cleared when a process with no open TTY
file descriptors (e.g. after daemon startup) opens a TTY.

See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html
for a more detailed rationale document for an older version of this patch.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/