From: Steve Grubb <sgrubb@redhat.com>
To: Florian Crouzat <gentoo@floriancrouzat.net>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: EXT :Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
Date: Mon, 16 Jul 2012 09:20:21 -0400 [thread overview]
Message-ID: <1605914.SDj8K2JqAG@x2> (raw)
In-Reply-To: <5003CB5C.8090009@floriancrouzat.net>
On Monday, July 16, 2012 10:05:48 AM Florian Crouzat wrote:
> Le 13/07/2012 19:09, Boyce, Kevin P (AS) a écrit :
> > Wouldn't another option be to audit the exec of particular executables you
> > are interested in knowing if someone runs? Obviously you won't know what
> > they are typing into text documents and such, but is that really
> > required? Most places don't allow key loggers at all and it sounds like
> > that's what you've got.
> Nop that's not required, what is required is to log every
> root-privileged actions, sudo goes in /var/log/secure,
Sudo also goes into the audit log so that you have a high integrity source for
what it was commanded to do.
> real root shells nowhere. The only solution I found was with pam_audit_tty
> that has the side effect to log every keystroke but I'm open to other
> solutions, creating a list of binary to watch cannot be one.
One possibility is to write a simple event handler that watches for keystroke
logging and does the filtering before writing to its own log file. Remember the
audit system has a realtime interface and a parsing library so that dispatcher
utilities can easily be created.
-Steve
next prev parent reply other threads:[~2012-07-16 13:20 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-10 7:29 PCI-DSS: Log every root actions/keystrokes but avoid passwords Florian Crouzat
2012-07-12 19:41 ` Thugzclub
2012-07-13 8:14 ` Florian Crouzat
2012-07-13 13:27 ` Steve Grubb
2012-07-13 13:50 ` Florian Crouzat
2012-07-13 14:11 ` Valentin Avram
2012-07-13 17:09 ` EXT :Re: " Boyce, Kevin P (AS)
2012-07-16 8:05 ` Florian Crouzat
2012-07-16 13:20 ` Steve Grubb [this message]
2012-07-13 14:23 ` Miloslav Trmac
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1605914.SDj8K2JqAG@x2 \
--to=sgrubb@redhat.com \
--cc=gentoo@floriancrouzat.net \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox