Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Tracy Reed <treed@ultraviolet.org>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
Date: Wed, 13 Mar 2013 13:24:09 -0700	[thread overview]
Message-ID: <20130313202409.GY4555@tracyreed.org> (raw)
In-Reply-To: <20130313145529.GE23106@madcap2.tricolour.ca>

[-- Attachment #1.1: Type: text/plain, Size: 785 bytes --]

On Wed, Mar 13, 2013 at 07:55:29AM PDT, Richard Guy Briggs spake thusly:
> I haven't seen a lot of requests for this feature yet, but it sounds
> like there could be a lot of interest, so it may be worth doing
> correctly, rather than as a quick fix.

As people become more security-aware and implement PCI/HIPAA/FISMA and other
regulatory regimes (which are why I'm here) they will be asking for more
auditing capability, especially in the area of console/tty logging where Linux
has historically been weak. Writing out passwords to logfiles is simply not an
option. We are currently looking at Xceedium for auditing/logging our bastion
hosts but would really prefer to avoid that route if auditd or some other Linux
component could handle that for us.

-- 
Tracy Reed

[-- Attachment #1.2: Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

next prev parent reply	other threads:[~2013-03-13 20:24 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-03-11 19:48 PCI-DSS: Log every root actions/keystrokes but avoid passwords Tracy Reed
2013-03-12 11:06 ` Miloslav Trmac
2013-03-12 20:47   ` Richard Guy Briggs
2013-03-12 21:09     ` Steve Grubb
2013-03-13 14:55       ` Richard Guy Briggs
2013-03-13 15:59         ` Steve Grubb
2013-03-13 20:24         ` Tracy Reed [this message]
2013-03-12 21:09     ` Tracy Reed
2013-03-13 16:26       ` Richard Guy Briggs
2013-03-13 16:43         ` Miloslav Trmac
2013-03-13 16:53           ` Richard Guy Briggs
2013-03-13 17:37             ` Miloslav Trmac
2013-03-14 14:56               ` Richard Guy Briggs
  -- strict thread matches above, loose matches on Subject: below --
2012-07-10  7:29 Florian Crouzat
2012-07-12 19:41 ` Thugzclub
2012-07-13  8:14   ` Florian Crouzat
2012-07-13 13:27     ` Steve Grubb
2012-07-13 13:50       ` Florian Crouzat
2012-07-13 14:11         ` Valentin Avram
2012-07-13 14:23 ` Miloslav Trmac

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130313202409.GY4555@tracyreed.org \
    --to=treed@ultraviolet.org \
    --cc=linux-audit@redhat.com \
    --cc=rgb@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.