From mboxrd@z Thu Jan 1 00:00:00 1970
From: Florian Crouzat
Subject: Re: EXT :Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
Date: Mon, 16 Jul 2012 10:05:48 +0200
Message-ID: <5003CB5C.8090009@floriancrouzat.net>
References: <4FFBD9D6.2080902@floriancrouzat.net> <67597D99-9688-497A-9CE8-572B3E25E6FB@gmail.com> <4FFFD903.7020103@floriancrouzat.net> <6455125.Mmrnxe7ddi@x2> <500027B4.9040104@floriancrouzat.net> <5CB21FE316752445AF212D47C8BE561112EA2031@XMBVAG75.northgrum.com>
In-Reply-To: <5CB21FE316752445AF212D47C8BE561112EA2031@XMBVAG75.northgrum.com>
To: "Boyce, Kevin P (AS)"
Cc: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

On 13/07/2012 19:09, Boyce, Kevin P (AS) wrote:
> Wouldn't another option be to audit the exec of particular executables you are interested in knowing if someone runs?
> Obviously you won't know what they are typing into text documents and such, but is that really required? Most places don't allow key loggers at all and it sounds like that's what you've got.

Nope, that's not required. What is required is to log every root-privileged action: sudo goes in /var/log/secure, real root shells nowhere. The only solution I found was with pam_audit_tty, which has the side effect of logging every keystroke, but I'm open to other solutions; creating a list of binaries to watch cannot be one.

--
Cheers,
Florian Crouzat