Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

[Richard Guy Briggs <rgb@redhat.com>]

On Wed, Mar 13, 2013 at 01:37:53PM -0400, Miloslav Trmac wrote:
> ----- Original Message -----
> > On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
> > > ----- Original Message -----
> > > > > Please do post the patch here when you have it worked out as I
> > > > > am
> > > > > very likely
> > > > > to miss it in the flood of kernel patches when it goes to/from
> > > > > Linus.
> > > > 
> > > > Here you go.  Given Steve's good question, this control method
> > > > may
> > > > change.
> > > 
> > > Isn't "icanon" _true_ when the data is echoed?  This patch would
> > > allow
> > > dropping the echoed data (i.e. commands), not the non-echoed data
> > > (i.e. passwords).
> > > (I might be mistaken and I haven't tested this.)
> > 
> > Apparently not.  This is what took me longer than I initially thought
> > necessary to get this working, rechecking my pam incantations along the
> > way.  I went back and actually removed my switch and just isolated
> > icanon in the decision to abort the function to confirm how it worked,
> > then inverted the test which is when it started working.  Eric was right
> > to start with.
> 
> Are you looking at AUDIT_TTY only, or at AUDIT_USER_TTY as well?  The
> latter is generated by bash and not relevant.

I was looking at both, but primarily watching AUDIT_TTY for sshd, since
that is the pam rule that I was using for testing.

> Anyway, I was beig stupid - icanon is enabled even when asking for
> passwords (because backspace works).  When asking for passwords, the
> situation seems to be (ICANON && !ECHO) (using the tcsetattr(3p)
> names; I have checked agetty(8) and su(1)).  We definitely want to
> audit (ICANON && ECHO); I'm not sure about the !ICANON cases - I
> suspect we want them audited as well.  But that might need a more
> detailed look.

This reply is a bit stale since I started to write it yesterday...

Ok, so it sounds like I need to add (or substitute) "&& !L_ECHO(tty)" to
that expression.

As a sanity check, can I just verify that to test this, I should only
need to add something like "session required pam_tty_audit.so disable=*
enable=rgb" to /etc/pam.d/sshd and then ssh in to the box as rgb, then
issue a command that requires a password such as ssh or su?

Ok, I just chatted with Mirek...  He pointed me at:
	https://access.redhat.com/knowledge/solutions/226243

I had set it up for a non-root user to avoid logging the instrumentation
console...

I'll redo these tests...

>     Mirek

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635