From: Florian Crouzat
Subject: Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
Date: Fri, 13 Jul 2012 10:14:59 +0200
Message-ID: <4FFFD903.7020103@floriancrouzat.net>
In-Reply-To: <67597D99-9688-497A-9CE8-572B3E25E6FB@gmail.com>
References: <4FFBD9D6.2080902@floriancrouzat.net> <67597D99-9688-497A-9CE8-572B3E25E6FB@gmail.com>
To: Thugzclub
Cc: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

On 12/07/2012 21:41, Thugzclub wrote:
> Florian,
>
> Did you get an answer for this?
>
> Regards.
>

Not a single one.

Florian.

>
> On 10 Jul 2012, at 08:29, Florian Crouzat wrote:
>
>> Hi,
>>
>> This is my first message to the list so please be indulgent, I might be mixing concepts here between auditd, selinux and pam. Any guidance much appreciated.
>>
>> For PCI-DSS, in order to be allowed to have a real root shell instead of firing sudo all the time (and its lack of glob/completion), I'm trying to have any commands fired in any kind of root shell logged. (Of course it doesn't protect against malicious root users but that's off-topic).
>>
>> So, I've been able to achieve that purpose by using:
>>
>> $ grep tty /etc/pam.d/{su*,system-auth}
>> /etc/pam.d/su:session required pam_tty_audit.so enable=root
>> /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
>> /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
>> /etc/pam.d/su-l:session required pam_tty_audit.so enable=root
>> /etc/pam.d/system-auth:session required pam_tty_audit.so disable=* enable=root
>>
>> Every keystroke is logged in /var/log/audit/audit.log which is great. My only issue is that I just realized that prompt passwords are also logged, e.g. MySQL password or Spacewalk, etc.
>> I can read them in plain text when doing "aureport --tty -if /var/log/audit/audit.log" and PCI-DSS forbids any kind of storage of passwords, is there a workaround? E.g.: don't log keystrokes when the prompt is "hidden" (inputting a password).
>>
>> I'd like very much to be able to obtain real root shells for ease of work (sudo -i), my only constraint being: log everything but don't store any password.
>>
>> Thanks,
>>
>> --
>> Cheers,
>> Florian Crouzat
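To see exactly what the pam_tty_audit setup above puts on disk, here is an added example (not from the list thread or the audit project) that decodes type=TTY records from a constructed audit.log excerpt: it turns the hex-encoded data= field back into readable keystrokes and groups them per login session, so a reviewer can check what a bare audit.log hides. The record layout follows the kernel's tty audit format as written to audit.log; the sample lines and their values are constructed.

```python
import re

# Constructed sample audit.log excerpt (not real log data). A type=TTY record
# carries the raw keystrokes hex-encoded in its data= field.
SAMPLE_AUDIT_LOG = """\
type=USER_START msg=audit(1342165230.000:1000): pid=4242 uid=0 auid=500 ses=7 msg='op=PAM:session_open res=success'
type=TTY msg=audit(1342165234.123:1001): tty pid=4242 uid=0 auid=500 ses=7 major=136 minor=0 comm="bash" data=6C73202D6C610D
type=TTY msg=audit(1342165240.456:1002): tty pid=4242 uid=0 auid=500 ses=7 major=136 minor=0 comm="bash" data=6D7973716C202D75726F6F74202D700D
type=TTY msg=audit(1342165245.789:1003): tty pid=4243 uid=0 auid=500 ses=7 major=136 minor=0 comm="mysql" data=7333637233740D
"""

TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): tty pid=(?P<pid>\d+) '
    r'uid=(?P<uid>\d+) auid=(?P<auid>\d+) ses=(?P<ses>\d+) major=\d+ minor=\d+ '
    r'comm="(?P<comm>[^"]*)" data=(?P<data>[0-9A-Fa-f]*)$')

# Control bytes become tokens so Enter, Backspace and Ctrl-keys stay visible.
CONTROL_NAMES = {0x0D: "<ret>", 0x0A: "<nl>", 0x09: "<tab>", 0x1B: "<esc>", 0x7F: "<del>"}

def render_keystrokes(data_hex: str) -> str:
    """Decode the hex keystroke buffer into readable text."""
    out = []
    for b in bytes.fromhex(data_hex):
        if b in CONTROL_NAMES:
            out.append(CONTROL_NAMES[b])
        elif b < 0x20:
            out.append("<^%c>" % chr(b + 0x40))  # e.g. 0x03 -> <^C>
        elif b >= 0x80:
            out.append("<%02x>" % b)             # non-ASCII byte, kept as hex
        else:
            out.append(chr(b))
    return "".join(out)

def parse_tty_records(log_text: str) -> list:
    """Return only type=TTY records with decoded keystrokes; other types are skipped."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["keystrokes"] = render_keystrokes(rec["data"])
            records.append(rec)
    return records

def keystrokes_by_session(records: list) -> dict:
    """Group (comm, keystrokes) by login session id (ses=): one trail per root shell."""
    trails = {}
    for rec in records:
        trails.setdefault(rec["ses"], []).append((rec["comm"], rec["keystrokes"]))
    return trails
```

Running keystrokes_by_session(parse_tty_records(SAMPLE_AUDIT_LOG)) shows the third record, read by the mysql client at its hidden prompt, decoding to the constructed password in clear: that is the exposure the thread describes, and this decoder is how to scope it across an existing log.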