Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

[Tracy Reed <treed@ultraviolet.org>]

I am resurrecting this old thread from last summer because I ran into the same
issue and found the thread in the archives via Google. It would be very nice if
everything could be logged except passwords. Isn't the option for echo back set
in the tty settings? Could the pam module not log characters when the tty is
set for no echo back?  Or at least log the fact that something was typed but
not logged. A typical problematic log line looks like:

type=TTY msg=audit(1362711728.667:284493): tty pid=21810 uid=0 auid=500 major=136 minor=1 comm="passwd" data=ABCDEF01234569

We can already enable/disable audit based on user with enable= or disable= as
an argument to the pam module. Could we do something similar with the command?
So if comm="passwd" could we note that something was typed but not log the
actual chars?

On Friday, July 13, 2012 10:14:59 AM Florian Crouzat wrote:
> Le 12/07/2012 21:41, Thugzclub a écrit :
> > Florian,
> > 
> > Did you get and answer for this?
> > 
> > Regards.
> 
> Not a single one.

Hmm...I thought I sent an answer. The problem from the kernel's perspective is 
that it has no idea what user space is doing. It can't tell a password from 
anything else being typed. There is a flag that can be set for the TTY to hide 
characters. But the issue then becomes that now you have a loophole that a 
crafty admin could use to hide what he's really doing.

If anyone has ideas on how to improve this, I think we should.

-Steve


> > On 10 Jul 2012, at 08:29, Florian Crouzat <gentoo floriancrouzat net> 
wrote:
> >> Hi,
> >> 
> >> This is my first message to the list to please be indulgent, I might be
> >> mixing concepts here between auditd, selinux and pam. Any guidance much
> >> appreciated.
> >> 
> >> For PCI-DSS, in order to be allowed to have a real root shell instead of
> >> firing sudo all the time (and it's lack of glob/completion), I'm trying
> >> to have any commands fired in any kind of root shell logged. (Of course
> >> it doesn't protect against malicious root users but that's off-topic).
> >> 
> >> So, I've been able to achieve that purpose by using :
> >> 
> >> $ grep tty /etc/pam.d/{su*,system-auth}
> >> /etc/pam.d/su:session required pam_tty_audit.so enable=root
> >> /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
> >> /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
> >> /etc/pam.d/su-l:session required pam_tty_audit.so enable=root
> >> /etc/pam.d/system-auth:session required pam_tty_audit.so disable=*
> >> enable=root
> >> 
> >> Every keystroke are logged in /var/log/audit/audit.log which is great. My
> >> only issue is that I just realized that prompt passwords are also
> >> logged, eg MySQL password or Spacewalk, etc. I can read them in plain
> >> text when doing "aureport --tty -if /var/log/audit/audit.log and PCI-DSS
> >> forbid any kind of storage of passwords, is there a workaround ? Eg:
> >> don't log keystrokes when the prompt is "hidden" (inputting a password)
> >> 
> >> I'd like very much to be able to obtain real root shells for ease of work
> >> (sudo -i) my only constraint beeing: log everything but don't store any
> >> password.
> >> 
> >> Thanks,
> >> 
> >> --
> >> Cheers,
> >> Florian Crouzat
> 
> --
> Linux-audit mailing list
> Linux-audit redhat com
> https://www.redhat.com/mailman/listinfo/linux-audit

-- 
Tracy Reed