From: Florian Crouzat
Subject: PCI-DSS: Log every root actions/keystrokes but avoid passwords
Date: Tue, 10 Jul 2012 09:29:26 +0200
Message-ID: <4FFBD9D6.2080902@floriancrouzat.net>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi,

This is my first message to the list, so please be indulgent; I might be mixing concepts here between auditd, SELinux and PAM. Any guidance much appreciated.

For PCI-DSS, in order to be allowed to have a real root shell instead of firing sudo all the time (and its lack of glob/completion), I'm trying to have any command fired in any kind of root shell logged. (Of course it doesn't protect against malicious root users, but that's off-topic.)

So, I've been able to achieve that purpose by using:

$ grep tty /etc/pam.d/{su*,system-auth}
/etc/pam.d/su:session required pam_tty_audit.so enable=root
/etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/su-l:session required pam_tty_audit.so enable=root
/etc/pam.d/system-auth:session required pam_tty_audit.so disable=* enable=root

Every keystroke is logged in /var/log/audit/audit.log, which is great.

My only issue is that I just realized that prompted passwords are also logged, e.g. the MySQL password or Spacewalk, etc. I can read them in plain text when doing "aureport --tty -if /var/log/audit/audit.log", and PCI-DSS forbids any kind of storage of passwords. Is there a workaround? E.g.: don't log keystrokes when the prompt is "hidden" (inputting a password).

I'd like very much to be able to obtain real root shells for ease of work (sudo -i), my only constraint being: log everything but don't store any password.

Thanks,

-- 
Cheers,
Florian Crouzat
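The problem described in the post is that pam_tty_audit records every byte the kernel reads from the root TTY, including bytes typed into a hidden password prompt, and aureport --tty renders them back. Newer kernels and pam_tty_audit releases than the 2012 setup above stop auditing input while terminal echo is off unless the module's log_passwd option is set; where that option is not available, the fallback is to scrub the records before they reach long-term storage. The script below is an added example and is not code from the post or from the audit project. It parses TTY records in the audit.log format, decodes the hex-encoded data= field (the raw keystrokes, with Enter arriving as \r), and applies two heuristic redactions: the first input line read by a program launched from a shell command that is known to prompt for a password (su, passwd, ssh, mysql -p with no attached value) is replaced by a marker, and an inline value such as mysql -pSECRET or --password=SECRET on the shell command line is masked. The sample records, the list of prompting commands and the pid/uid values are constructed for illustration; the record layout follows what the kernel writes, but the heuristics are an assumption about your environment and must be extended for whatever else prompts on your hosts.

```python
import binascii
import re

# Shells whose keystrokes are command lines rather than program input.
SHELLS = {"bash", "sh", "zsh", "ksh"}

# Shell command lines after which the next program to read from the TTY
# is expected to show a hidden password prompt. Heuristic and constructed
# for this example; extend for your estate (Spacewalk tools, etc.).
PROMPTING_COMMANDS = [
    re.compile(r"^\s*(sudo\s+)?passwd\b"),
    re.compile(r"^\s*(sudo\s+)?su\b"),
    re.compile(r"^\s*(sudo\s+)?ssh\b"),
    # mysql/mysqladmin/mysqldump with a bare -p or --password prompts;
    # with a value attached (-pSECRET) it does not.
    re.compile(r"^\s*(sudo\s+)?mysql(admin|dump)?\b.*(\s-p|\s--password)(\s|$)"),
]

# Inline secrets on a mysql command line: mask the value, keep the option.
MYSQL_CMD = re.compile(r"^\s*(sudo\s+)?mysql(admin|dump)?\b")
INLINE_SECRET = re.compile(r"(\s-p|\s--password=)(\S+)")

# One TTY record as written by auditd; data= is hex of the raw input bytes.
RECORD = re.compile(
    r'type=TTY msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):'
    r'.*?\bcomm="(?P<comm>[^"]*)".*?\bdata=(?P<data>[0-9A-Fa-f]+)'
)


def tty_record(ts, serial, comm, keystrokes):
    """Build a constructed audit.log TTY line for the sample input below."""
    data = binascii.hexlify(keystrokes.encode("latin-1")).decode().upper()
    return ('type=TTY msg=audit(%s:%d): tty pid=4321 uid=0 auid=500 ses=3 '
            'major=136 minor=1 comm="%s" data=%s' % (ts, serial, comm, data))


# Constructed sample session: a root shell starts mysql with a prompt,
# types the password, runs a query, then repeats with the password inline.
SAMPLE_LOG = "\n".join([
    tty_record("1341905366.101", 201, "bash", "mysql -uroot -p\r"),
    tty_record("1341905370.102", 202, "mysql", "S3cr3t!\rSHOW DATABASES;\r"),
    tty_record("1341905380.103", 203, "bash", "mysql -uroot -pS3cr3t! -e 'SELECT 1'\r"),
    tty_record("1341905390.104", 204, "bash", "ls -la /root\r"),
])


def mask_inline(line):
    """Mask -pVALUE / --password=VALUE on a mysql command line."""
    if MYSQL_CMD.match(line):
        return INLINE_SECRET.sub(r"\g<1>****", line)
    return line


def redact_tty_log(log_text):
    """Parse TTY records and return them with password input redacted.

    Tracks whether the last shell command line is one that prompts for a
    password; if so, the first line read by the next non-shell program is
    replaced by a marker. Input after that first line is kept, so the
    queries typed into mysql remain in the audit trail.
    """
    records = []
    expect_secret = False
    for raw_line in log_text.splitlines():
        m = RECORD.search(raw_line)
        if not m:
            continue  # not a TTY record (SYSCALL, USER_START, ...)
        comm = m.group("comm")
        keystrokes = binascii.unhexlify(m.group("data")).decode("latin-1")
        lines = re.split(r"[\r\n]", keystrokes)
        if lines and lines[-1] == "":
            lines.pop()  # trailing piece after the final Enter
        if comm in SHELLS:
            cleaned = [mask_inline(l) for l in lines]
            expect_secret = bool(lines) and any(
                p.search(lines[-1]) for p in PROMPTING_COMMANDS)
        else:
            cleaned = list(lines)
            if expect_secret and cleaned:
                cleaned[0] = "<redacted: %s password prompt>" % comm
            expect_secret = False
        records.append({"ts": m.group("ts"), "serial": int(m.group("serial")),
                        "comm": comm, "lines": cleaned})
    return records


if __name__ == "__main__":
    for rec in redact_tty_log(SAMPLE_LOG):
        for line in rec["lines"]:
            print("%s %s: %s" % (rec["ts"], rec["comm"], line))
```

Run it over a copy of audit.log (or the output of ausearch -m TTY) before the records are shipped to central log storage; the original file must still be rotated away under the same retention rules, since the scrubbed copy is the only one that should be retained. The first-line rule misses a password typed after an editing mistake or after sudo's own prompt (sudo reads the first line, so the target program's prompt becomes the second non-shell record), and readline shells also audit backspaces and arrow keys byte by byte, so treat the output as a reduction of exposure, not a guarantee.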