
[Bug-readline] Re: [PATCH] Add support for Linux TTY input auditing


From: Miroslav Lichvar
Subject: [Bug-readline] Re: [PATCH] Add support for Linux TTY input auditing
Date: Tue, 18 Jan 2011 13:03:32 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

Hi,

was this patch considered for inclusion? Are there any issues that
need to be worked on?

Thanks,

On Thu, Dec 06, 2007 at 01:02:18AM +0100, Miloslav Trmac wrote:
> Hello,
> The attached patch adds additional TTY input auditing support to readline.
> 
> TTY input auditing is used to audit system administrator's actions.
> This is required by various security standards such as DCID 6/3 and PCI
> to provide non-repudiation of administrator's actions and to allow a
> review of past actions if the administrator seems to overstep their
> duties or if the system becomes misconfigured for unknown reasons.
> 
> Linux can audit all bytes read from the TTY without help from userspace,
> but readline interprets the bytes and it is often impossible to decode
> strings returned by readline() when only a log of incoming keystrokes is
> available.  The attached patch modifies readline to notify the kernel
> about the exact string returned by readline().  If the kernel is
> currently auditing TTY input, it is added to the audit trail.  If the
> kernel is currently not auditing TTY input, the process is not allowed
> to submit advisory audit events, or the kernel does not support TTY
> auditing at all, the error is silently ignored.
> 
> If the patch is accepted, please make sure it is included in the
> readline copy included in bash as well.
> 
> Thank you,
>       Mirek

> diff -urN --exclude build readline/config.h.in readline-5.2/config.h.in
> --- readline/config.h.in      2006-09-12 22:02:00.000000000 +0200
> +++ readline-5.2/config.h.in  2007-12-06 00:51:01.000000000 +0100
> @@ -23,6 +23,9 @@
>  
>  #undef __CHAR_UNSIGNED__
>  
> +/* Define if you have <linux/audit.h> and it defines AUDIT_USER_TTY */
> +#undef HAVE_DECL_AUDIT_USER_TTY
> +
>  /* Define if the `S_IS*' macros in <sys/stat.h> do not work properly.  */
>  #undef STAT_MACROS_BROKEN
>  
> diff -urN --exclude build readline/configure.in readline-5.2/configure.in
> --- readline/configure.in     2006-09-28 18:04:24.000000000 +0200
> +++ readline-5.2/configure.in 2007-12-06 00:46:27.000000000 +0100
> @@ -158,6 +158,8 @@
>  #endif
>  ]])
>  
> +AC_CHECK_DECLS([AUDIT_USER_TTY],,, [[#include <linux/audit.h>]])
> +
>  BASH_SYS_SIGNAL_VINTAGE
>  BASH_SYS_REINSTALL_SIGHANDLERS
>  
> diff -urN --exclude build readline/readline.c readline-5.2/readline.c
> --- readline/readline.c       2006-08-16 21:00:36.000000000 +0200
> +++ readline-5.2/readline.c   2007-12-06 00:51:15.000000000 +0100
> @@ -55,6 +55,12 @@
>  extern int errno;
>  #endif /* !errno */
>  
> +#if defined (HAVE_DECL_AUDIT_USER_TTY)
> +#  include <sys/socket.h>
> +#  include <linux/audit.h>
> +#  include <linux/netlink.h>
> +#endif
> +
>  /* System-specific feature definitions and include files. */
>  #include "rldefs.h"
>  #include "rlmbutil.h"
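Review bot: The guard `#if defined (HAVE_DECL_AUDIT_USER_TTY)` is always true once configure has run, because the AC_CHECK_DECLS test added in configure.in defines HAVE_DECL_AUDIT_USER_TTY to 1 when the symbol is declared and to 0 when it is not (the `#undef` in config.h.in is only the autoheader template). On a host without <linux/audit.h> the three includes are therefore still compiled and the build breaks; the same guard is repeated around the audit_tty definition and around the call site in the next two hunks of this file. Test the value instead, in all three places: `#if defined (HAVE_DECL_AUDIT_USER_TTY) && HAVE_DECL_AUDIT_USER_TTY`.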
> @@ -292,7 +298,47 @@
>    rl_visible_prompt_length = rl_expand_prompt (rl_prompt);
>    return 0;
>  }
> -  
> +
> +#if defined (HAVE_DECL_AUDIT_USER_TTY)
> +/* Report STRING to the audit system. */
> +static void
> +audit_tty (char *string)
> +{
> +  struct sockaddr_nl addr;
> +  struct msghdr msg;
> +  struct nlmsghdr nlm;
> +  struct iovec iov[2];
> +  size_t size;
> +  int fd;
> +
> +  size = strlen (string) + 1;
> +  fd = socket (AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
> +  if (fd < 0)
> +    return;
> +  nlm.nlmsg_len = NLMSG_LENGTH (size);
> +  nlm.nlmsg_type = AUDIT_USER_TTY;
> +  nlm.nlmsg_flags = NLM_F_REQUEST;
> +  nlm.nlmsg_seq = 0;
> +  nlm.nlmsg_pid = 0;
> +  iov[0].iov_base = &nlm;
> +  iov[0].iov_len = sizeof (nlm);
> +  iov[1].iov_base = string;
> +  iov[1].iov_len = size;
> +  addr.nl_family = AF_NETLINK;
> +  addr.nl_pid = 0;
> +  addr.nl_groups = 0;
> +  msg.msg_name = &addr;
> +  msg.msg_namelen = sizeof (addr);
> +  msg.msg_iov = iov;
> +  msg.msg_iovlen = 2;
> +  msg.msg_control = NULL;
> +  msg.msg_controllen = 0;
> +  msg.msg_flags = 0;
> +  (void)sendmsg (fd, &msg, 0);
> +  close (fd);
> +}
> +#endif
> +
>  /* Read a line of input.  Prompt with PROMPT.  An empty PROMPT means
>     none.  A return value of NULL means that EOF was encountered. */
>  char *
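Review bot: In audit_tty, `addr` and `msg` are handed to sendmsg after only some of their members are set; `struct sockaddr_nl` also has `nl_pad`, which is left indeterminate, and any padding in `struct msghdr` is likewise uninitialized. Zero both before filling them, `memset (&addr, 0, sizeof (addr));` and `memset (&msg, 0, sizeof (msg));`, after which the explicit `NULL`/`0` assignments to `nl_pid`, `nl_groups`, `msg_control`, `msg_controllen` and `msg_flags` can be dropped. The netlink socket is created without close-on-exec, so a fork and exec that happens between `socket` and `close` (another thread, or a signal handler in the calling application) would leak the descriptor into the child; where SOCK_CLOEXEC is available it is worth passing as `SOCK_RAW | SOCK_CLOEXEC`, keeping plain SOCK_RAW as the fallback. `string` is never written through, so the parameter can be `const char *string` with a cast at `iov[1].iov_base`; and since `size` includes the terminating NUL, it is worth confirming against the kernel's AUDIT_USER_TTY handler whether that byte is stripped from the record or logged as part of the line.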
> @@ -326,6 +372,11 @@
>    rl_clear_signals ();
>  #endif
>  
> +#if defined (HAVE_DECL_AUDIT_USER_TTY)
> +  if (value != NULL)
> +    audit_tty (value);
> +#endif
> +
>    return (value);
>  }
>  


-- 
Miroslav Lichvar


