From: Florian Crouzat <gentoo@floriancrouzat.net>
To: linux-audit@redhat.com
Subject: PCI-DSS: Log every root actions/keystrokes but avoid passwords
Date: Tue, 10 Jul 2012 09:29:26 +0200 [thread overview]
Message-ID: <4FFBD9D6.2080902@floriancrouzat.net> (raw)
Hi,
This is my first message to the list to please be indulgent, I might be
mixing concepts here between auditd, selinux and pam. Any guidance much
appreciated.
For PCI-DSS, in order to be allowed to have a real root shell instead of
firing sudo all the time (and it's lack of glob/completion), I'm trying
to have any commands fired in any kind of root shell logged. (Of course
it doesn't protect against malicious root users but that's off-topic).
So, I've been able to achieve that purpose by using :
$ grep tty /etc/pam.d/{su*,system-auth}
/etc/pam.d/su:session required pam_tty_audit.so enable=root
/etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/su-l:session required pam_tty_audit.so enable=root
/etc/pam.d/system-auth:session required pam_tty_audit.so disable=*
enable=root
Every keystroke are logged in /var/log/audit/audit.log which is great.
My only issue is that I just realized that prompt passwords are also
logged, eg MySQL password or Spacewalk, etc.
I can read them in plain text when doing "aureport --tty -if
/var/log/audit/audit.log and PCI-DSS forbid any kind of storage of
passwords, is there a workaround ? Eg: don't log keystrokes when the
prompt is "hidden" (inputting a password)
I'd like very much to be able to obtain real root shells for ease of
work (sudo -i) my only constraint beeing: log everything but don't store
any password.
Thanks,
--
Cheers,
Florian Crouzat
next reply other threads:[~2012-07-10 7:29 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-10 7:29 Florian Crouzat [this message]
2012-07-12 19:41 ` PCI-DSS: Log every root actions/keystrokes but avoid passwords Thugzclub
2012-07-13 8:14 ` Florian Crouzat
2012-07-13 13:27 ` Steve Grubb
2012-07-13 13:50 ` Florian Crouzat
2012-07-13 14:11 ` Valentin Avram
2012-07-13 17:09 ` EXT :Re: " Boyce, Kevin P (AS)
2012-07-16 8:05 ` Florian Crouzat
2012-07-16 13:20 ` Steve Grubb
2012-07-13 14:23 ` Miloslav Trmac
-- strict thread matches above, loose matches on Subject: below --
2013-03-11 19:48 Tracy Reed
2013-03-12 11:06 ` Miloslav Trmac
2013-03-12 20:47 ` Richard Guy Briggs
2013-03-12 21:09 ` Steve Grubb
2013-03-13 14:55 ` Richard Guy Briggs
2013-03-13 15:59 ` Steve Grubb
2013-03-13 20:24 ` Tracy Reed
2013-03-12 21:09 ` Tracy Reed
2013-03-13 16:26 ` Richard Guy Briggs
2013-03-13 16:43 ` Miloslav Trmac
2013-03-13 16:53 ` Richard Guy Briggs
2013-03-13 17:37 ` Miloslav Trmac
2013-03-14 14:56 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FFBD9D6.2080902@floriancrouzat.net \
--to=gentoo@floriancrouzat.net \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.