From: Florian Crouzat <gentoo@floriancrouzat.net>
To: linux-audit@redhat.com
Subject: PCI-DSS: Log every root actions/keystrokes but avoid passwords
Date: Tue, 10 Jul 2012 09:29:26 +0200 [thread overview]
Message-ID: <4FFBD9D6.2080902@floriancrouzat.net> (raw)
Hi,
This is my first message to the list to please be indulgent, I might be
mixing concepts here between auditd, selinux and pam. Any guidance much
appreciated.
For PCI-DSS, in order to be allowed to have a real root shell instead of
firing sudo all the time (and it's lack of glob/completion), I'm trying
to have any commands fired in any kind of root shell logged. (Of course
it doesn't protect against malicious root users but that's off-topic).
So, I've been able to achieve that purpose by using :
$ grep tty /etc/pam.d/{su*,system-auth}
/etc/pam.d/su:session required pam_tty_audit.so enable=root
/etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/su-l:session required pam_tty_audit.so enable=root
/etc/pam.d/system-auth:session required pam_tty_audit.so disable=*
enable=root
Every keystroke are logged in /var/log/audit/audit.log which is great.
My only issue is that I just realized that prompt passwords are also
logged, eg MySQL password or Spacewalk, etc.
I can read them in plain text when doing "aureport --tty -if
/var/log/audit/audit.log and PCI-DSS forbid any kind of storage of
passwords, is there a workaround ? Eg: don't log keystrokes when the
prompt is "hidden" (inputting a password)
I'd like very much to be able to obtain real root shells for ease of
work (sudo -i) my only constraint beeing: log everything but don't store
any password.
Thanks,
--
Cheers,
Florian Crouzat
next reply other threads:[~2012-07-10 7:29 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-10 7:29 Florian Crouzat [this message]
2012-07-12 19:41 ` PCI-DSS: Log every root actions/keystrokes but avoid passwords Thugzclub
2012-07-13 8:14 ` Florian Crouzat
2012-07-13 13:27 ` Steve Grubb
2012-07-13 13:50 ` Florian Crouzat
2012-07-13 14:11 ` Valentin Avram
2012-07-13 17:09 ` EXT :Re: " Boyce, Kevin P (AS)
2012-07-16 8:05 ` Florian Crouzat
2012-07-16 13:20 ` Steve Grubb
2012-07-13 14:23 ` Miloslav Trmac
-- strict thread matches above, loose matches on Subject: below --
2013-03-11 19:48 Tracy Reed
2013-03-12 11:06 ` Miloslav Trmac
2013-03-12 20:47 ` Richard Guy Briggs
2013-03-12 21:09 ` Steve Grubb
2013-03-13 14:55 ` Richard Guy Briggs
2013-03-13 15:59 ` Steve Grubb
2013-03-13 20:24 ` Tracy Reed
2013-03-12 21:09 ` Tracy Reed
2013-03-13 16:26 ` Richard Guy Briggs
2013-03-13 16:43 ` Miloslav Trmac
2013-03-13 16:53 ` Richard Guy Briggs
2013-03-13 17:37 ` Miloslav Trmac
2013-03-14 14:56 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FFBD9D6.2080902@floriancrouzat.net \
--to=gentoo@floriancrouzat.net \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox