Hi Paul,

> On 10. Dec 2024, at 20:18, Paul Moore <[email protected]> wrote:
>
> You likely want to look for tty_audit_push() callers, that should help
> identify where/how the kernel decides to flush the TTY data. Looking
> quickly at an upstream kernel I see the following callers: canonical
> mode (as you mentioned), ioctl(TIOCSTI), and the AUDIT_USER_TTY
> command/message from userspace.

Thanks for those pointers! We sifted through the code, but I still have a question in my head: do you know (or maybe have another pointer) whether it was an explicit decision not to support “\n” scanning in non-canonical mode? My immediate guess: if this was deliberate, then maybe because it would be too much of a performance hit?

Nevertheless, the current setting of “flush on full buffer” is counter-intuitively laggy and seems to hit a very high ratio of login sessions that never manage to fill the buffer. Attackers can easily hide their traces within even “small” buffers (we’re guessing it’s a page, so maybe 4k?).

If adding support for scanning for “\n” for the audit flush has a general chance of being widely interesting, then we’d be willing to take a stab at it. (We’re not experienced kernel developers but are likely dangerous enough to come up with a patch that might be brought to ripeness with some shepherding …)

Hugs,
Christian

--
Christian Theune · [email protected] · +49 345 219401 0
Flying Circus Internet Operations GmbH · https://flyingcircus.io
Leipziger Str. 70/71 · 06108 Halle (Saale) · Deutschland
HR Stendal HRB 21169 · Geschäftsführer: Christian Theune, Christian Zagrodnick
