From: Florian Crouzat <gentoo@floriancrouzat.net>
To: Steve Grubb <sgrubb@redhat.com>
Cc: Thugzclub <thugzclub@googlemail.com>, linux-audit@redhat.com
Subject: Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
Date: Fri, 13 Jul 2012 15:50:44 +0200 [thread overview]
Message-ID: <500027B4.9040104@floriancrouzat.net> (raw)
In-Reply-To: <6455125.Mmrnxe7ddi@x2>
Le 13/07/2012 15:27, Steve Grubb a écrit :
> Hmm...I thought I sent an answer. The problem from the kernel's perspective is
> that it has no idea what user space is doing. It can't tell a password from
> anything else being typed. There is a flag that can be set for the TTY to hide
> characters. But the issue then becomes that now you have a loophole that a
> crafty admin could use to hide what he's really doing.
>
> If anyone has ideas on how to improve this, I think we should.
>
> -Steve
Yeah, I was afraid of that...
At least, thanks for clarifying.
I guess I'll stick with stating: don't fire any real root shell to all
my sysadmins in the PCI-DSS scope. (as it's impossible to completely
forbid all possible case , eg: forbid sudo -*, sudo sudo *, sudo su *
but hell, you can't forbid sudo ./foo.sh where foo fires a shell, there
is NOEXEC in sudo but then you can't do anything except reading...)
Anyway, I'm getting away of the real matter, avoiding to audit-log
passwords keystrokes.
--
Cheers,
Florian Crouzat
next prev parent reply other threads:[~2012-07-13 13:50 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-10 7:29 PCI-DSS: Log every root actions/keystrokes but avoid passwords Florian Crouzat
2012-07-12 19:41 ` Thugzclub
2012-07-13 8:14 ` Florian Crouzat
2012-07-13 13:27 ` Steve Grubb
2012-07-13 13:50 ` Florian Crouzat [this message]
2012-07-13 14:11 ` Valentin Avram
2012-07-13 17:09 ` EXT :Re: " Boyce, Kevin P (AS)
2012-07-16 8:05 ` Florian Crouzat
2012-07-16 13:20 ` Steve Grubb
2012-07-13 14:23 ` Miloslav Trmac
-- strict thread matches above, loose matches on Subject: below --
2013-03-11 19:48 Tracy Reed
2013-03-12 11:06 ` Miloslav Trmac
2013-03-12 20:47 ` Richard Guy Briggs
2013-03-12 21:09 ` Steve Grubb
2013-03-13 14:55 ` Richard Guy Briggs
2013-03-13 15:59 ` Steve Grubb
2013-03-13 20:24 ` Tracy Reed
2013-03-12 21:09 ` Tracy Reed
2013-03-13 16:26 ` Richard Guy Briggs
2013-03-13 16:43 ` Miloslav Trmac
2013-03-13 16:53 ` Richard Guy Briggs
2013-03-13 17:37 ` Miloslav Trmac
2013-03-14 14:56 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=500027B4.9040104@floriancrouzat.net \
--to=gentoo@floriancrouzat.net \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
--cc=thugzclub@googlemail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox