Re: [PATCH, v2] Audit: Add TTY input auditing
Andrew Morton napsal(a): > On Fri, 08 Jun 2007 06:23:23 +0200 Miloslav Trmac <[EMAIL PROTECTED]> wrote: >> diff --git a/include/linux/sched.h b/include/linux/sched.h >> index d58e74b..d9d734c 100644 >> --- a/include/linux/sched.h >> +++ b/include/linux/sched.h >> @@ -506,6 +506,8 @@ struct signal_struct { >> #ifdef CONFIG_TASKSTATS >> struct taskstats *stats; >> #endif >> +unsigned audit_tty; >> +struct tty_audit_buf *tty_audit_buf; >> }; > > Can we ifdef these? Sure, here's an incremental patch. Mirek From: Miloslav Trmac <[EMAIL PROTECTED]> Only add TTY audit state to struct signal_struct if CONFIG_AUDIT. Move the copying of TTY audit state on fork () to tty_audit.c. Signed-off-by: Miloslav Trmac <[EMAIL PROTECTED]> --- drivers/char/tty_audit.c | 13 + include/linux/sched.h|2 ++ include/linux/tty.h |5 + kernel/exit.c|2 +- kernel/fork.c|6 ++ 5 files changed, 23 insertions(+), 5 deletions(-) diff -u b/drivers/char/tty_audit.c b/drivers/char/tty_audit.c --- b/drivers/char/tty_audit.c +++ b/drivers/char/tty_audit.c @@ -134,6 +134,19 @@ } /** + * tty_audit_fork - Copy TTY audit state for a new task + * + * Set up TTY audit state in @sig from current. @sig needs no locking. + */ +void tty_audit_fork(struct signal_struct *sig) +{ + spin_lock_irq(>sighand->siglock); + sig->audit_tty = current->signal->audit_tty; + spin_unlock_irq(>sighand->siglock); + sig->tty_audit_buf = NULL; +} + +/** * tty_audit_push_task - Flush task's pending audit data */ void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid) diff -u b/include/linux/sched.h b/include/linux/sched.h --- b/include/linux/sched.h +++ b/include/linux/sched.h @@ -506,8 +506,10 @@ #ifdef CONFIG_TASKSTATS struct taskstats *stats; #endif +#ifdef CONFIG_AUDIT unsigned audit_tty; struct tty_audit_buf *tty_audit_buf; +#endif }; /* Context switch must be unlocked if interrupts are to be enabled */ diff -u b/include/linux/tty.h b/include/linux/tty.h --- b/include/linux/tty.h +++ b/include/linux/tty.h 
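Review bot: The kernel-doc header on the new tty_audit_fork() names the function but has no `@sig:` line, so scripts/kernel-doc will report the parameter as undescribed, and the sentence "@sig needs no locking" does not say why. Since copy_signal() hands in a signal_struct that no other task can see yet, the header should state that directly, e.g. `@sig: signal_struct of the task being created; it is not yet reachable from any other task, so it needs no locking` — the parent's audit_tty is still read under `current->sighand->siglock`, which is the only lock this function touches. The NULL store to `sig->tty_audit_buf` is what keeps the child from sharing the parent's pending buffer; a short why-comment on that line would help the next reader, though the buffer's ownership rules live in code outside this hunk and should be confirmed before wording it.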
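Review bot: The two members now wrapped in `#ifdef CONFIG_AUDIT` carry no comment naming the lock that protects them, even though tty_audit_fork() in this same patch reads audit_tty under `sighand->siglock` and the cover letter says the bit field was widened to a word precisely over locking concerns. A one-line note at the field, such as `unsigned audit_tty; /* TTY input auditing enabled; read under sighand->siglock */`, would let readers of sched.h get the rule without opening tty_audit.c; whether writers also take siglock is not visible here and should be confirmed before the comment says so. Similarly, `tty_audit_buf` deserves a remark that it is owned by tty_audit.c (fork sets it NULL, exit flushes it), hedged the same way. struct signal_struct starts and ends outside this hunk.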
@@ -178,6 +178,7 @@ #define L_IEXTEN(tty) _L_FLAG((tty),IEXTEN) struct device; +struct signal_struct; /* * Where all of the state associated with a tty is kept while the tty * is open. Since the termios state should be kept even if the tty @@ -347,6 +348,7 @@ extern void tty_audit_add_data(struct tty_struct *tty, unsigned char *data, size_t size); extern void tty_audit_exit(void); +extern void tty_audit_fork(struct signal_struct *sig); extern void tty_audit_push(struct tty_struct *tty); extern void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid); extern void tty_audit_opening(void); @@ -358,6 +360,9 @@ static inline void tty_audit_exit(void) { } +static inline void tty_audit_fork(struct signal_struct *sig) +{ +} static inline void tty_audit_push(struct tty_struct *tty) { } diff -u b/kernel/exit.c b/kernel/exit.c --- b/kernel/exit.c +++ b/kernel/exit.c @@ -922,7 +922,7 @@ if (unlikely(tsk->compat_robust_list)) compat_exit_robust_list(tsk); #endif - if (group_dead && unlikely(tsk->signal->tty_audit_buf)) + if (group_dead) tty_audit_exit(); if (unlikely(tsk->audit_context)) audit_free(tsk); diff -u b/kernel/fork.c b/kernel/fork.c --- b/kernel/fork.c +++ b/kernel/fork.c @@ -49,6 +49,7 @@ #include #include #include +#include #include #include @@ -897,10 +898,7 @@ } acct_init_pacct(>pacct); - spin_lock_irq(>sighand->siglock); - sig->audit_tty = current->signal->audit_tty; - spin_unlock_irq(>sighand->siglock); - sig->tty_audit_buf = NULL; + tty_audit_fork(sig); return 0; }
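Review bot: Dropping the `unlikely(tsk->signal->tty_audit_buf)` test in exit.c means tty_audit_exit() is now entered on every thread-group exit and must perform the NULL check on `tsk->signal->tty_audit_buf` itself; its body is not in this patch, so that should be verified rather than assumed. The removal is forced by the members now being CONFIG_AUDIT-only, but the fast path can be kept by testing the buffer in a `static inline` wrapper declared in tty.h inside the `#ifdef CONFIG_AUDIT` arm, with the out-of-line flush only called when a buffer exists. The `group_dead` condition is still what guarantees no sibling thread is using the buffer concurrently; a comment saying so at the call site would make the invariant explicit. do_exit() begins and ends outside the hunk.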
Re: [PATCH, v2] Audit: Add TTY input auditing
On Fri, 08 Jun 2007 06:23:23 +0200 Miloslav Trmac <[EMAIL PROTECTED]> wrote: > From: Miloslav Trmac <[EMAIL PROTECTED]> > > Add TTY input auditing, used to audit system administrator's actions. > TTY input auditing works on a higher level than auditing all system > calls within the session, which would produce an overwhelming amount of > mostly useless audit events. > > Add an "audit_tty" attribute, inherited across fork (). Data read from > TTYs by process with the attribute is sent to the audit subsystem by the > kernel. The audit netlink interface is extended to allow modifying the > audit_tty attribute, and to allow sending explanatory audit events from > user-space (for example, a shell might send an event containing the > final command, after the interactive command-line editing and history > expansion is performed, which might be difficult to decipher from the > TTY input alone). > > Because the "audit_tty" attribute is inherited across fork (), it would > be set e.g. for sshd restarted within an audited session. To prevent > this, the audit_tty attribute is cleared when a process with no open TTY > file descriptors (e.g. after daemon startup) opens a TTY. > > See https://www.redhat.com/archives/linux-audit/2007-June/msg0.html > for a more detailed rationale document for an older version of this patch. > > --- > Changes since the previous patch: > * use spin_lock_irq() for siglock > * add an is_tty() function instead of checking f_op->read from n_tty.c; > handle hung TTYs > * replace the audit_tty bit field by a whole word to avoid the risk of > incorrect locking > * move most new code from n_tty.c to a separate file > * fix coding style violations > * fix compilation with !CONFIG_AUDIT > > diff --git a/include/linux/sched.h b/include/linux/sched.h > index d58e74b..d9d734c 100644 > --- a/include/linux/sched.h > +++ b/include/linux/sched.h 
> @@ -506,6 +506,8 @@ struct signal_struct { > #ifdef CONFIG_TASKSTATS > struct taskstats *stats; > #endif > + unsigned audit_tty; > + struct tty_audit_buf *tty_audit_buf; > }; Can we ifdef these? - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
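Review bot: The `audit_tty` flag added here lives in signal_struct and, per the cover letter, is cleared when a process with no open TTY file descriptors opens one; if that rule is implemented literally, an audited shell that closes all of its TTY descriptors and then reopens its controlling terminal would shed the flag, which is an evasion path for the very administrator the feature is meant to audit. The clearing code is not in this hunk, so this is a question rather than a finding, but the answer belongs next to the field, e.g. `/* audit_tty: cleared on first TTY open by a process holding no TTY fds -- see tty_audit.c for why this is safe */`, or in the rationale document. If the design already accounts for it (for example by also requiring that the process is not in an audited session), the comment should say so.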
Re: [PATCH, v2] Audit: Add TTY input auditing
On Fri, 08 Jun 2007 06:23:23 +0200 Miloslav Trmac [EMAIL PROTECTED] wrote: From: Miloslav Trmac [EMAIL PROTECTED] Add TTY input auditing, used to audit system administrator's actions. TTY input auditing works on a higher level than auditing all system calls within the session, which would produce an overwhelming amount of mostly useless audit events. Add an audit_tty attribute, inherited across fork (). Data read from TTYs by process with the attribute is sent to the audit subsystem by the kernel. The audit netlink interface is extended to allow modifying the audit_tty attribute, and to allow sending explanatory audit events from user-space (for example, a shell might send an event containing the final command, after the interactive command-line editing and history expansion is performed, which might be difficult to decipher from the TTY input alone). Because the audit_tty attribute is inherited across fork (), it would be set e.g. for sshd restarted within an audited session. To prevent this, the audit_tty attribute is cleared when a process with no open TTY file descriptors (e.g. after daemon startup) opens a TTY. See https://www.redhat.com/archives/linux-audit/2007-June/msg0.html for a more detailed rationale document for an older version of this patch. --- Changes since the previous patch: * use spin_lock_irq() for siglock * add an is_tty() function instead of checking f_op-read from n_tty.c; handle hung TTYs * replace the audit_tty bit field by a whole word to avoid the risk of incorrect locking * move most new code from n_tty.c to a separate file * fix coding style violations * fix compilation with !CONFIG_AUDIT diff --git a/include/linux/sched.h b/include/linux/sched.h index d58e74b..d9d734c 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h 
@@ -506,6 +506,8 @@ struct signal_struct { #ifdef CONFIG_TASKSTATS struct taskstats *stats; #endif + unsigned audit_tty; + struct tty_audit_buf *tty_audit_buf; }; Can we ifdef these? - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH, v2] Audit: Add TTY input auditing
Andrew Morton napsal(a): On Fri, 08 Jun 2007 06:23:23 +0200 Miloslav Trmac [EMAIL PROTECTED] wrote: diff --git a/include/linux/sched.h b/include/linux/sched.h index d58e74b..d9d734c 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -506,6 +506,8 @@ struct signal_struct { #ifdef CONFIG_TASKSTATS struct taskstats *stats; #endif +unsigned audit_tty; +struct tty_audit_buf *tty_audit_buf; }; Can we ifdef these? Sure, here's an incremental patch. Mirek From: Miloslav Trmac [EMAIL PROTECTED] Only add TTY audit state to struct signal_struct if CONFIG_AUDIT. Move the copying of TTY audit state on fork () to tty_audit.c. Signed-off-by: Miloslav Trmac [EMAIL PROTECTED] --- drivers/char/tty_audit.c | 13 + include/linux/sched.h|2 ++ include/linux/tty.h |5 + kernel/exit.c|2 +- kernel/fork.c|6 ++ 5 files changed, 23 insertions(+), 5 deletions(-) diff -u b/drivers/char/tty_audit.c b/drivers/char/tty_audit.c --- b/drivers/char/tty_audit.c +++ b/drivers/char/tty_audit.c @@ -134,6 +134,19 @@ } /** + * tty_audit_fork - Copy TTY audit state for a new task + * + * Set up TTY audit state in @sig from current. @sig needs no locking. + */ +void tty_audit_fork(struct signal_struct *sig) +{ + spin_lock_irq(current-sighand-siglock); + sig-audit_tty = current-signal-audit_tty; + spin_unlock_irq(current-sighand-siglock); + sig-tty_audit_buf = NULL; +} + +/** * tty_audit_push_task - Flush task's pending audit data */ void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid) diff -u b/include/linux/sched.h b/include/linux/sched.h --- b/include/linux/sched.h +++ b/include/linux/sched.h @@ -506,8 +506,10 @@ #ifdef CONFIG_TASKSTATS struct taskstats *stats; #endif +#ifdef CONFIG_AUDIT unsigned audit_tty; struct tty_audit_buf *tty_audit_buf; +#endif }; /* Context switch must be unlocked if interrupts are to be enabled */ diff -u b/include/linux/tty.h b/include/linux/tty.h --- b/include/linux/tty.h +++ b/include/linux/tty.h 
@@ -178,6 +178,7 @@ #define L_IEXTEN(tty) _L_FLAG((tty),IEXTEN) struct device; +struct signal_struct; /* * Where all of the state associated with a tty is kept while the tty * is open. Since the termios state should be kept even if the tty @@ -347,6 +348,7 @@ extern void tty_audit_add_data(struct tty_struct *tty, unsigned char *data, size_t size); extern void tty_audit_exit(void); +extern void tty_audit_fork(struct signal_struct *sig); extern void tty_audit_push(struct tty_struct *tty); extern void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid); extern void tty_audit_opening(void); @@ -358,6 +360,9 @@ static inline void tty_audit_exit(void) { } +static inline void tty_audit_fork(struct signal_struct *sig) +{ +} static inline void tty_audit_push(struct tty_struct *tty) { } diff -u b/kernel/exit.c b/kernel/exit.c --- b/kernel/exit.c +++ b/kernel/exit.c @@ -922,7 +922,7 @@ if (unlikely(tsk-compat_robust_list)) compat_exit_robust_list(tsk); #endif - if (group_dead unlikely(tsk-signal-tty_audit_buf)) + if (group_dead) tty_audit_exit(); if (unlikely(tsk-audit_context)) audit_free(tsk); diff -u b/kernel/fork.c b/kernel/fork.c --- b/kernel/fork.c +++ b/kernel/fork.c @@ -49,6 +49,7 @@ #include linux/delayacct.h #include linux/taskstats_kern.h #include linux/random.h +#include linux/tty.h #include asm/pgtable.h #include asm/pgalloc.h @@ -897,10 +898,7 @@ } acct_init_pacct(sig-pacct); - spin_lock_irq(current-sighand-siglock); - sig-audit_tty = current-signal-audit_tty; - spin_unlock_irq(current-sighand-siglock); - sig-tty_audit_buf = NULL; + tty_audit_fork(sig); return 0; }