From: Miloslav Trmac <mitr@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
Date: Wed, 13 Mar 2013 13:37:53 -0400 (EDT)
Message-ID: <1940096947.7064038.1363196273110.JavaMail.root@redhat.com>
In-Reply-To: <20130313165327.GG23106@madcap2.tricolour.ca>

----- Original Message -----
> On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
> > ----- Original Message -----
> > > > Please do post the patch here when you have it worked out as I am
> > > > very likely to miss it in the flood of kernel patches when it goes
> > > > to/from Linus.
> > > 
> > > Here you go.  Given Steve's good question, this control method may
> > > change.
> > 
> > Isn't "icanon" _true_ when the data is echoed?  This patch would allow
> > dropping the echoed data (i.e. commands), not the non-echoed data
> > (i.e. passwords).
> > (I might be mistaken and I haven't tested this.)
> > (I might be mistaken and I haven't tested this.)
> 
> Apparently not.  This is what took me longer than I initially thought
> necessary to get this working, rechecking my pam incantations along the
> way.  I went back and actually removed my switch and just isolated
> icanon in the decision to abort the function to confirm how it worked,
> then inverted the test which is when it started working.  Eric was right
> to start with.

Are you looking at AUDIT_TTY only, or at AUDIT_USER_TTY as well?  The latter is generated by bash and not relevant.

Anyway, I was being stupid - icanon is enabled even when asking for passwords (because backspace works).  When asking for passwords, the situation seems to be (ICANON && !ECHO) (using the tcsetattr(3p) names; I have checked agetty(8) and su(1)).  We definitely want to audit (ICANON && ECHO); I'm not sure about the !ICANON cases - I suspect we want them audited as well.  But that might need a more detailed look.
    Mirek

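As an added example, not code from this thread or from the audit patch under discussion, the C program below spells out the three termios states Mirek lists (ICANON && ECHO, ICANON && !ECHO, !ICANON) and the audit decision each implies, then exercises them on a freshly allocated pty so it can be run without a controlling terminal. The enum, the function names and the audit_raw parameter are this example's own; the !ICANON case is left open in the message, so the example parameterises it instead of deciding it. The pty demo only shows that a password prompt (ECHO cleared, ICANON kept, as in agetty/su) lands in the "do not audit" bucket while a shell prompt does not.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <termios.h>
#include <unistd.h>

/* The three c_lflag states discussed in the message. */
enum tty_input_kind {
    TTY_INPUT_COMMAND,   /* ICANON && ECHO: line-edited and echoed, e.g. a shell prompt   */
    TTY_INPUT_PASSWORD,  /* ICANON && !ECHO: line-edited (backspace works) but not echoed */
    TTY_INPUT_RAW        /* !ICANON: character-at-a-time input, e.g. editors, curses apps */
};

enum tty_input_kind classify_tty_input(tcflag_t lflag)
{
    if (!(lflag & ICANON))
        return TTY_INPUT_RAW;
    return (lflag & ECHO) ? TTY_INPUT_COMMAND : TTY_INPUT_PASSWORD;
}

/* Policy: command input is audited, password input is not. Non-canonical
 * input is the open question in the thread, so audit_raw is a parameter of
 * this example (an assumption, not a knob of the audit subsystem). */
int should_audit_tty_input(tcflag_t lflag, int audit_raw)
{
    switch (classify_tty_input(lflag)) {
    case TTY_INPUT_COMMAND:  return 1;
    case TTY_INPUT_PASSWORD: return 0;
    case TTY_INPUT_RAW:      return audit_raw != 0;
    }
    return 1; /* not reached; err toward auditing rather than silently dropping */
}

/* What a password prompt does to the line discipline: keep ICANON so that
 * backspace still works, clear ECHO so the secret is not shown. This is the
 * (ICANON && !ECHO) state observed in agetty(8) and su(1). */
tcflag_t password_prompt_lflag(tcflag_t lflag)
{
    return (lflag | ICANON) & ~(tcflag_t)ECHO;
}

static void report(const char *label, int fd, int audit_raw)
{
    struct termios t;
    if (tcgetattr(fd, &t) < 0) {
        perror("tcgetattr");
        exit(1);
    }
    printf("%-16s ICANON=%d ECHO=%d -> audit=%d\n", label,
           !!(t.c_lflag & ICANON), !!(t.c_lflag & ECHO),
           should_audit_tty_input(t.c_lflag, audit_raw));
}

/* Demo on a freshly allocated pty pair; no controlling terminal required. */
int main(void)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0 || grantpt(master) < 0 || unlockpt(master) < 0) {
        perror("posix_openpt");
        return 1;
    }
    int slave = open(ptsname(master), O_RDWR | O_NOCTTY);
    if (slave < 0) {
        perror("open pty slave");
        return 1;
    }

    report("fresh pty", slave, 1);          /* default line discipline: ICANON && ECHO */

    struct termios t;
    if (tcgetattr(slave, &t) < 0) { perror("tcgetattr"); return 1; }
    t.c_lflag = password_prompt_lflag(t.c_lflag);
    if (tcsetattr(slave, TCSANOW, &t) < 0) { perror("tcsetattr"); return 1; }
    report("password prompt", slave, 1);    /* ICANON && !ECHO -> not audited */

    t.c_lflag &= ~(tcflag_t)(ICANON | ECHO); /* editor / curses style raw mode */
    if (tcsetattr(slave, TCSANOW, &t) < 0) { perror("tcsetattr"); return 1; }
    report("raw mode", slave, 1);           /* !ICANON -> whatever audit_raw says */

    close(slave);
    close(master);
    return 0;
}
```

Build with `cc -o tty_audit_demo tty_audit_demo.c` and run it on a host with /dev/pts mounted. Keying the decision on the tty's current termios flags rather than on which program is reading is what makes the (ICANON && !ECHO) test robust: it catches any password prompt that clears ECHO, not only the ones in agetty and su.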

Thread overview: 20+ messages
2013-03-11 19:48 PCI-DSS: Log every root actions/keystrokes but avoid passwords Tracy Reed
2013-03-12 11:06 ` Miloslav Trmac
2013-03-12 20:47   ` Richard Guy Briggs
2013-03-12 21:09     ` Steve Grubb
2013-03-13 14:55       ` Richard Guy Briggs
2013-03-13 15:59         ` Steve Grubb
2013-03-13 20:24         ` Tracy Reed
2013-03-12 21:09     ` Tracy Reed
2013-03-13 16:26       ` Richard Guy Briggs
2013-03-13 16:43         ` Miloslav Trmac
2013-03-13 16:53           ` Richard Guy Briggs
2013-03-13 17:37             ` Miloslav Trmac [this message]
2013-03-14 14:56               ` Richard Guy Briggs
  -- strict thread matches above, loose matches on Subject: below --
2012-07-10  7:29 Florian Crouzat
2012-07-12 19:41 ` Thugzclub
2012-07-13  8:14   ` Florian Crouzat
2012-07-13 13:27     ` Steve Grubb
2012-07-13 13:50       ` Florian Crouzat
2012-07-13 14:11         ` Valentin Avram
2012-07-13 14:23 ` Miloslav Trmac
