From mboxrd@z Thu Jan  1 00:00:00 1970
From: Miloslav Trmac <mitr@redhat.com>
Subject: Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
Date: Wed, 13 Mar 2013 13:37:53 -0400 (EDT)
Message-ID: <1940096947.7064038.1363196273110.JavaMail.root@redhat.com>
References: <20130313165327.GG23106@madcap2.tricolour.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <20130313165327.GG23106@madcap2.tricolour.ca>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

----- Original Message -----
> On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
> > ----- Original Message -----
> > > > Please do post the patch here when you have it worked out as I
> > > > am
> > > > very likely
> > > > to miss it in the flood of kernel patches when it goes to/from
> > > > Linus.
> > > 
> > > Here you go.  Given Steve's good question, this control method
> > > may
> > > change.
> > 
> > Isn't "icanon" _true_ when the data is echoed?  This patch would
> > allow
> > dropping the echoed data (i.e. commands), not the non-echoed data
> > (i.e. passwords).
> > (I might be mistaken and I haven't tested this.)
> 
> Apparently not.  This is what took me longer than I initially thought
> necessary to get this working, rechecking my pam incantations along the
> way.  I went back and actually removed my switch and just isolated
> icanon in the decision to abort the function to confirm how it worked,
> then inverted the test which is when it started working.  Eric was right
> to start with.

Are you looking at AUDIT_TTY only, or at AUDIT_USER_TTY as well?  The latter is generated by bash and not relevant.

Anyway, I was beig stupid - icanon is enabled even when asking for passwords (because backspace works).  When asking for passwords, the situation seems to be (ICANON && !ECHO) (using the tcsetattr(3p) names; I have checked agetty(8) and su(1)).  We definitely want to audit (ICANON && ECHO); I'm not sure about the !ICANON cases - I suspect we want them audited as well.  But that might need a more detailed look.
    Mirek