diff options
author | Richard Guy Briggs <rgb@redhat.com> | 2013-05-03 20:03:50 +0200 |
---|---|---|
committer | Eric Paris <eparis@redhat.com> | 2013-04-30 21:31:28 +0200 |
commit | 46e959ea2969cc1668d09b0dc55226946cf781f1 (patch) | |
tree | 40481f42587257039bd7b898c2aec95e1c01656f /include | |
parent | audit: use spin_lock_irqsave/restore in audit tty code (diff) | |
download | linux-46e959ea2969cc1668d09b0dc55226946cf781f1.tar.xz linux-46e959ea2969cc1668d09b0dc55226946cf781f1.zip |
audit: add an option to control logging of passwords with pam_tty_audit
Most commands are entered one line at a time and processed as complete lines
in non-canonical mode. Commands that interactively require a password, enter
canonical mode to do this while shutting off echo. This pair of features
(icanon and !echo) can be used to avoid logging passwords by audit while still
logging the rest of the command.
Adding a member (log_passwd) to the struct audit_tty_status passed in by
pam_tty_audit allows control of canonical mode without echo per task.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/sched.h | 1 | ||||
-rw-r--r-- | include/uapi/linux/audit.h | 3 |
2 files changed, 3 insertions, 1 deletions
diff --git a/include/linux/sched.h b/include/linux/sched.h index d2112477ff5e..c4689fe92864 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -641,6 +641,7 @@ struct signal_struct { #endif #ifdef CONFIG_AUDIT unsigned audit_tty; + unsigned audit_tty_log_passwd; struct tty_audit_buf *tty_audit_buf; #endif #ifdef CONFIG_CGROUPS diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 9f096f1c0907..c058c24b97ac 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -369,7 +369,8 @@ struct audit_status { }; struct audit_tty_status { - __u32 enabled; /* 1 = enabled, 0 = disabled */ + __u32 enabled; /* 1 = enabled, 0 = disabled */ + __u32 log_passwd; /* 1 = enabled, 0 = disabled */ }; /* audit_rule_data supports filter rules with both integer and string |