From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tracy Reed Subject: Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords Date: Mon, 11 Mar 2013 12:48:55 -0700 Message-ID: <20130311194855.GQ4555@tracyreed.org> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Return-path: Received: from mx1.redhat.com (ext-mx16.extmail.prod.ext.phx2.redhat.com [10.5.110.21]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id r2BJn2Wx021015 for ; Mon, 11 Mar 2013 15:49:03 -0400 Received: from mail.copilotco.com (mail.copilotco.com [216.105.40.123]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r2BJmvM6014357 for ; Mon, 11 Mar 2013 15:49:00 -0400 Received: from tracyreed.org (unknown [10.9.8.6]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.copilotco.com (Postfix) with ESMTP id 9C13064C45 for ; Mon, 11 Mar 2013 12:48:56 -0700 (PDT) Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com I am resurrecting this old thread from last summer because I ran into the s= ame issue and found the thread in the archives via Google. It would be very nic= e if everything could be logged except passwords. Isn't the option for echo back= set in the tty settings? Could the pam module not log characters when the tty is set for no echo back? Or at least log the fact that something was typed but not logged. A typical problematic log line looks like: type=3DTTY msg=3Daudit(1362711728.667:284493): tty pid=3D21810 uid=3D0 auid= =3D500 major=3D136 minor=3D1 comm=3D"passwd" data=3DABCDEF01234569 We can already enable/disable audit based on user with enable=3D or disable= =3D as an argument to the pam module. Could we do something similar with the comma= nd? So if comm=3D"passwd" could we note that something was typed but not log the actual chars? On Friday, July 13, 2012 10:14:59 AM Florian Crouzat wrote: > Le 12/07/2012 21:41, Thugzclub a =E9crit : > > Florian, > > = > > Did you get and answer for this? > > = > > Regards. > = > Not a single one. Hmm...I thought I sent an answer. The problem from the kernel's perspective= is = that it has no idea what user space is doing. It can't tell a password from = anything else being typed. There is a flag that can be set for the TTY to h= ide = characters. But the issue then becomes that now you have a loophole that a = crafty admin could use to hide what he's really doing. If anyone has ideas on how to improve this, I think we should. -Steve > > On 10 Jul 2012, at 08:29, Florian Crouzat = wrote: > >> Hi, > >> = > >> This is my first message to the list to please be indulgent, I might be > >> mixing concepts here between auditd, selinux and pam. Any guidance much > >> appreciated. > >> = > >> For PCI-DSS, in order to be allowed to have a real root shell instead = of > >> firing sudo all the time (and it's lack of glob/completion), I'm trying > >> to have any commands fired in any kind of root shell logged. (Of course > >> it doesn't protect against malicious root users but that's off-topic). > >> = > >> So, I've been able to achieve that purpose by using : > >> = > >> $ grep tty /etc/pam.d/{su*,system-auth} > >> /etc/pam.d/su:session required pam_tty_audit.so enable=3Droot > >> /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=3Dr= oot > >> /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable= =3Droot > >> /etc/pam.d/su-l:session required pam_tty_audit.so enable=3Droot > >> /etc/pam.d/system-auth:session required pam_tty_audit.so disable=3D* > >> enable=3Droot > >> = > >> Every keystroke are logged in /var/log/audit/audit.log which is great.= My > >> only issue is that I just realized that prompt passwords are also > >> logged, eg MySQL password or Spacewalk, etc. I can read them in plain > >> text when doing "aureport --tty -if /var/log/audit/audit.log and PCI-D= SS > >> forbid any kind of storage of passwords, is there a workaround ? Eg: > >> don't log keystrokes when the prompt is "hidden" (inputting a password) > >> = > >> I'd like very much to be able to obtain real root shells for ease of w= ork > >> (sudo -i) my only constraint beeing: log everything but don't store any > >> password. > >> = > >> Thanks, > >> = > >> -- > >> Cheers, > >> Florian Crouzat > = > -- > Linux-audit mailing list > Linux-audit redhat com > https://www.redhat.com/mailman/listinfo/linux-audit -- = Tracy Reed