
[Bug-readline] [PATCH] Add support for Linux TTY input auditing


From: Miloslav Trmac
Subject: [Bug-readline] [PATCH] Add support for Linux TTY input auditing
Date: Thu, 06 Dec 2007 01:02:18 +0100
User-agent: Thunderbird 2.0.0.9 (X11/20071115)

Hello,
The attached patch adds additional TTY input auditing support to readline.

TTY input auditing is used to audit system administrators' actions.
This is required by various security standards such as DCID 6/3 and PCI
to provide non-repudiation of an administrator's actions and to allow a
review of past actions if the administrator seems to overstep their
duties or if the system becomes misconfigured for unknown reasons.

Linux can audit all bytes read from the TTY without help from userspace,
but readline interprets the bytes and it is often impossible to decode
strings returned by readline() when only a log of incoming keystrokes is
available.  The attached patch modifies readline to notify the kernel
about the exact string returned by readline().  If the kernel is
currently auditing TTY input, it is added to the audit trail.  If the
kernel is currently not auditing TTY input, the process is not allowed
to submit advisory audit events, or the kernel does not support TTY
auditing at all, the error is silently ignored.

If the patch is accepted, please make sure it is included in the
readline copy included in bash as well.

Thank you,
        Mirek
diff -urN --exclude build readline/config.h.in readline-5.2/config.h.in
--- readline/config.h.in        2006-09-12 22:02:00.000000000 +0200
+++ readline-5.2/config.h.in    2007-12-06 00:51:01.000000000 +0100
@@ -23,6 +23,9 @@
 
 #undef __CHAR_UNSIGNED__
 
+/* Define if you have <linux/audit.h> and it defines AUDIT_USER_TTY */
+#undef HAVE_DECL_AUDIT_USER_TTY
+
 /* Define if the `S_IS*' macros in <sys/stat.h> do not work properly.  */
 #undef STAT_MACROS_BROKEN
 
diff -urN --exclude build readline/configure.in readline-5.2/configure.in
--- readline/configure.in       2006-09-28 18:04:24.000000000 +0200
+++ readline-5.2/configure.in   2007-12-06 00:46:27.000000000 +0100
@@ -158,6 +158,8 @@
 #endif
 ]])
 
+AC_CHECK_DECLS([AUDIT_USER_TTY],,, [[#include <linux/audit.h>]])
+
 BASH_SYS_SIGNAL_VINTAGE
 BASH_SYS_REINSTALL_SIGHANDLERS
 
diff -urN --exclude build readline/readline.c readline-5.2/readline.c
--- readline/readline.c 2006-08-16 21:00:36.000000000 +0200
+++ readline-5.2/readline.c     2007-12-06 00:51:15.000000000 +0100
@@ -55,6 +55,12 @@
 extern int errno;
 #endif /* !errno */
 
+#if defined (HAVE_DECL_AUDIT_USER_TTY)
+#  include <sys/socket.h>
+#  include <linux/audit.h>
+#  include <linux/netlink.h>
+#endif
+
 /* System-specific feature definitions and include files. */
 #include "rldefs.h"
 #include "rlmbutil.h"
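Review bot: `#if defined (HAVE_DECL_AUDIT_USER_TTY)` is always true once configure has run, because AC_CHECK_DECLS (configure.in hunk) defines HAVE_DECL_AUDIT_USER_TTY to 1 when the symbol is declared and to 0 otherwise, so the `<linux/audit.h>` and `<linux/netlink.h>` includes here would be attempted on every platform, not only Linux. The guard should test the value, `#if HAVE_DECL_AUDIT_USER_TTY`, and the same change applies to the guards around audit_tty and around the call site in the following two hunks. The template comment in the config.h.in hunk, "Define if you have ...", describes defined/undefined semantics and should instead say `/* Define to 1 if <linux/audit.h> declares AUDIT_USER_TTY, and to 0 if it does not. */`.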
@@ -292,7 +298,47 @@
   rl_visible_prompt_length = rl_expand_prompt (rl_prompt);
   return 0;
 }
-  
+
+#if defined (HAVE_DECL_AUDIT_USER_TTY)
+/* Report STRING to the audit system. */
+static void
+audit_tty (char *string)
+{
+  struct sockaddr_nl addr;
+  struct msghdr msg;
+  struct nlmsghdr nlm;
+  struct iovec iov[2];
+  size_t size;
+  int fd;
+
+  size = strlen (string) + 1;
+  fd = socket (AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
+  if (fd < 0)
+    return;
+  nlm.nlmsg_len = NLMSG_LENGTH (size);
+  nlm.nlmsg_type = AUDIT_USER_TTY;
+  nlm.nlmsg_flags = NLM_F_REQUEST;
+  nlm.nlmsg_seq = 0;
+  nlm.nlmsg_pid = 0;
+  iov[0].iov_base = &nlm;
+  iov[0].iov_len = sizeof (nlm);
+  iov[1].iov_base = string;
+  iov[1].iov_len = size;
+  addr.nl_family = AF_NETLINK;
+  addr.nl_pid = 0;
+  addr.nl_groups = 0;
+  msg.msg_name = &addr;
+  msg.msg_namelen = sizeof (addr);
+  msg.msg_iov = iov;
+  msg.msg_iovlen = 2;
+  msg.msg_control = NULL;
+  msg.msg_controllen = 0;
+  msg.msg_flags = 0;
+  (void)sendmsg (fd, &msg, 0);
+  close (fd);
+}
+#endif
+
 /* Read a line of input.  Prompt with PROMPT.  An empty PROMPT means
    none.  A return value of NULL means that EOF was encountered. */
 char *
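Review bot: `addr` is handed to the kernel with its `nl_pad` member uninitialized, since only nl_family, nl_pid and nl_groups are assigned; zero the structure first with `memset (&addr, 0, sizeof (addr));` (doing the same for `msg` and `nlm` is cheap insurance, though their field-by-field setup looks complete). The header comment should also record what the cover letter explains, that every failure here is an intentional no-op: `/* Report STRING to the audit system.  Errors (kernel without TTY auditing, process not permitted to submit audit events, auditing switched off) are deliberately ignored so that auditing can never make readline() fail. */`. It would help a maintainer to note as well that this runs for every line readline() returns and that the kernel, not this code, decides whether the text is actually recorded.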
@@ -326,6 +372,11 @@
   rl_clear_signals ();
 #endif
 
+#if defined (HAVE_DECL_AUDIT_USER_TTY)
+  if (value != NULL)
+    audit_tty (value);
+#endif
+
   return (value);
 }
 
