From mboxrd@z Thu Jan 1 00:00:00 1970 From: Richard Guy Briggs Subject: Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords Date: Thu, 14 Mar 2013 10:56:28 -0400 Message-ID: <20130314145546.GH23106@madcap2.tricolour.ca> References: <20130313165327.GG23106@madcap2.tricolour.ca> <1940096947.7064038.1363196273110.JavaMail.root@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline In-Reply-To: <1940096947.7064038.1363196273110.JavaMail.root@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Miloslav Trmac Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Wed, Mar 13, 2013 at 01:37:53PM -0400, Miloslav Trmac wrote: > ----- Original Message ----- > > On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote: > > > ----- Original Message ----- > > > > > Please do post the patch here when you have it worked out as I > > > > > am > > > > > very likely > > > > > to miss it in the flood of kernel patches when it goes to/from > > > > > Linus. > > > > > > > > Here you go. Given Steve's good question, this control method > > > > may > > > > change. > > > > > > Isn't "icanon" _true_ when the data is echoed? This patch would > > > allow > > > dropping the echoed data (i.e. commands), not the non-echoed data > > > (i.e. passwords). > > > (I might be mistaken and I haven't tested this.) > > > > Apparently not. This is what took me longer than I initially thought > > necessary to get this working, rechecking my pam incantations along the > > way. I went back and actually removed my switch and just isolated > > icanon in the decision to abort the function to confirm how it worked, > > then inverted the test which is when it started working. Eric was right > > to start with. > > Are you looking at AUDIT_TTY only, or at AUDIT_USER_TTY as well? The > latter is generated by bash and not relevant. I was looking at both, but primarily watching AUDIT_TTY for sshd, since that is the pam rule that I was using for testing. > Anyway, I was beig stupid - icanon is enabled even when asking for > passwords (because backspace works). When asking for passwords, the > situation seems to be (ICANON && !ECHO) (using the tcsetattr(3p) > names; I have checked agetty(8) and su(1)). We definitely want to > audit (ICANON && ECHO); I'm not sure about the !ICANON cases - I > suspect we want them audited as well. But that might need a more > detailed look. This reply is a bit stale since I started to write it yesterday... Ok, so it sounds like I need to add (or substitute) "&& !L_ECHO(tty)" to that expression. As a sanity check, can I just verify that to test this, I should only need to add something like "session required pam_tty_audit.so disable=* enable=rgb" to /etc/pam.d/sshd and then ssh in to the box as rgb, then issue a command that requires a password such as ssh or su? Ok, I just chatted with Mirek... He pointed me at: https://access.redhat.com/knowledge/solutions/226243 I had set it up for a non-root user to avoid logging the instrumentation console... I'll redo these tests... > Mirek - RGB -- Richard Guy Briggs Senior Software Engineer AMER ENG Base Operating Systems Remote, Canada, Ottawa Voice: 1.647.777.2635 Internal: (81) 32635