From: Miloslav Trmac <mitr@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
Date: Wed, 13 Mar 2013 13:37:53 -0400 (EDT) [thread overview]
Message-ID: <1940096947.7064038.1363196273110.JavaMail.root@redhat.com> (raw)
In-Reply-To: <20130313165327.GG23106@madcap2.tricolour.ca>
----- Original Message -----
> On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
> > ----- Original Message -----
> > > > Please do post the patch here when you have it worked out as I
> > > > am
> > > > very likely
> > > > to miss it in the flood of kernel patches when it goes to/from
> > > > Linus.
> > >
> > > Here you go. Given Steve's good question, this control method
> > > may
> > > change.
> >
> > Isn't "icanon" _true_ when the data is echoed? This patch would
> > allow
> > dropping the echoed data (i.e. commands), not the non-echoed data
> > (i.e. passwords).
> > (I might be mistaken and I haven't tested this.)
>
> Apparently not. This is what took me longer than I initially thought
> necessary to get this working, rechecking my pam incantations along the
> way. I went back and actually removed my switch and just isolated
> icanon in the decision to abort the function to confirm how it worked,
> then inverted the test which is when it started working. Eric was right
> to start with.
Are you looking at AUDIT_TTY only, or at AUDIT_USER_TTY as well? The latter is generated by bash and not relevant.
Anyway, I was beig stupid - icanon is enabled even when asking for passwords (because backspace works). When asking for passwords, the situation seems to be (ICANON && !ECHO) (using the tcsetattr(3p) names; I have checked agetty(8) and su(1)). We definitely want to audit (ICANON && ECHO); I'm not sure about the !ICANON cases - I suspect we want them audited as well. But that might need a more detailed look.
Mirek
next prev parent reply other threads:[~2013-03-13 17:37 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-11 19:48 PCI-DSS: Log every root actions/keystrokes but avoid passwords Tracy Reed
2013-03-12 11:06 ` Miloslav Trmac
2013-03-12 20:47 ` Richard Guy Briggs
2013-03-12 21:09 ` Steve Grubb
2013-03-13 14:55 ` Richard Guy Briggs
2013-03-13 15:59 ` Steve Grubb
2013-03-13 20:24 ` Tracy Reed
2013-03-12 21:09 ` Tracy Reed
2013-03-13 16:26 ` Richard Guy Briggs
2013-03-13 16:43 ` Miloslav Trmac
2013-03-13 16:53 ` Richard Guy Briggs
2013-03-13 17:37 ` Miloslav Trmac [this message]
2013-03-14 14:56 ` Richard Guy Briggs
-- strict thread matches above, loose matches on Subject: below --
2012-07-10 7:29 Florian Crouzat
2012-07-12 19:41 ` Thugzclub
2012-07-13 8:14 ` Florian Crouzat
2012-07-13 13:27 ` Steve Grubb
2012-07-13 13:50 ` Florian Crouzat
2012-07-13 14:11 ` Valentin Avram
2012-07-13 14:23 ` Miloslav Trmac
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1940096947.7064038.1363196273110.JavaMail.root@redhat.com \
--to=mitr@redhat.com \
--cc=linux-audit@redhat.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox