1188695 – BUG: TTY auditing is not auditing ICANON input

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1188695 - BUG: TTY auditing is not auditing ICANON input

Summary: BUG: TTY auditing is not auditing ICANON input

Keywords:
Status:	NEW
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Kernel Maintainer List
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-02-03 14:39 UTC by Miloslav Trmač
Modified:	2020-01-17 22:31 UTC (History)
CC List:	8 users (show)
Fixed In Version:	kernel-4.0.5-300.fc22
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-06-20 23:58:23 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Miloslav Trmač 2015-02-03 14:39:50 UTC

Version-Release number of selected component (if applicable):
kernel-3.17.7-200.fc20.x86_64

Steps to Reproduce:
1. Add
> session required pam_tty_audit.so disable=* enable=root,mitr
to the end of /etc/pam.d/system-auth-ac
2.
> su - root
> date
> cat > foo
abc
^D
> logout
3. Review the audit log, perhaps through (ausearch -m tty,user_tty -i), and see that the input to (cat) has not been logged.

Additional info:
The input of 
> (stty -icanon; cat; stty icanon)
does get audited.  http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/drivers/tty/n_tty.c?id=32f13521ca68bc624ff6effc77f308a52b038bf0 seems suspicious: it replaces tty_put_user (which invokes TTY auditing) with copy_to_user (which doesn’t).

Comment 5 Fedora Kernel Team 2015-02-24 16:22:27 UTC

*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 20 kernel bugs.

Fedora 20 has now been rebased to 3.18.7-100.fc20.  Please test this kernel update (or newer) and let us know if you issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 21, and are still experiencing this issue, please change the version to Fedora 21.

If you experience different issues, please open a new bug report for those.

Comment 6 Miloslav Trmač 2015-02-24 16:39:58 UTC

Reproduced with 3.18.7-100.fc20.x86_64.

Comment 7 Fedora Kernel Team 2015-04-28 18:31:32 UTC

*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 20 kernel bugs.

Fedora 20 has now been rebased to 3.19.5-100.fc20.  Please test this kernel update (or newer) and let us know if you issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 21, and are still experiencing this issue, please change the version to Fedora 21.

If you experience different issues, please open a new bug report for those.

Comment 8 Miloslav Trmač 2015-04-28 20:01:44 UTC

Reproduced with kernel-3.19.5-100.fc20.x86_64 .

Comment 11 Fedora End Of Life 2015-05-29 13:39:38 UTC

This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 20 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 12 Miloslav Trmač 2015-06-02 19:50:06 UTC

Reproduced with kernel-4.0.4-301.fc22.x86_64 (and incidentally, Laura’s patch has been merged into the TTY tree, though I haven’t tested it).

Comment 13 Richard Guy Briggs 2015-06-02 21:33:44 UTC

(In reply to Miloslav Trmač from comment #12)
> Reproduced with kernel-4.0.4-301.fc22.x86_64 (and incidentally, Laura’s
> patch has been merged into the TTY tree, though I haven’t tested it).

That "72586c6 n_tty: Fix auditing support for cannonical mode" patch looks promising. (I've not tested it.)

Comment 14 Laura Abbott 2015-06-03 00:02:18 UTC

I was waiting for it to be approved upstream before pulling it into Fedora. Since it is now in the tty tree I'll bring it in.

Comment 15 Fedora Update System 2015-06-09 12:57:33 UTC

kernel-4.0.5-300.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/kernel-4.0.5-300.fc22

Comment 16 Fedora Update System 2015-06-09 12:59:23 UTC

kernel-4.0.5-200.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/kernel-4.0.5-200.fc21

Comment 17 Fedora Update System 2015-06-10 19:08:56 UTC

Package kernel-4.0.5-200.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing kernel-4.0.5-200.fc21'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-9704/kernel-4.0.5-200.fc21
then log in and leave karma (feedback).

Comment 18 Fedora Update System 2015-06-20 23:58:23 UTC

kernel-4.0.5-200.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2015-06-21 00:31:32 UTC

kernel-4.0.5-300.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Miloslav Trmač 2015-08-06 20:15:32 UTC

Reproduced a slightly different failure with kernel-4.1.3-201.fc22.x86_64:

For non-icanon input, audit records are created, but the data is all zeroes.  E.g.
> type=TTY msg=audit(1438891995.905:619): tty pid=6797 uid=0 auid=1000 ses=1 major=136 minor=2 comm="cat" data=00000000
And also, I can’t see any USER_TTY records.

Comment 21 Justin M. Forbes 2015-10-20 19:36:21 UTC

*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 22 kernel bugs.

Fedora 22 has now been rebased to 4.2.3-200.fc22.  Please test this kernel update (or newer) and let us know if you issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 23, and are still experiencing this issue, please change the version to Fedora 23.

If you experience different issues, please open a new bug report for those.

Comment 22 Miloslav Trmač 2015-10-20 19:43:31 UTC

Reproduced with kernel-4.2.3-200.fc22.x86_64:

* non-ICANON input is audited correctly
* ICANON input is audited as all zeroes
* USER_TTY records are not generated.

Comment 23 Miloslav Trmač 2015-10-20 19:54:41 UTC

(In reply to Miloslav Trmač from comment #22)
> * USER_TTY records are not generated.

Never mind this part, that is bug #1273630.

Comment 24 Paul Moore 2015-10-20 21:40:11 UTC

Moving to Rawhide to avoid Fedora MASS BUG UPDATEs.

Note You need to log in before you can comment on or make changes to this bug.