public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Thugzclub <thugzclub@googlemail.com>
Subject: Re: PCI-DSS: Log every root actions/keystrokes  but avoid passwords
Date: Fri, 13 Jul 2012 09:27:42 -0400	[thread overview]
Message-ID: <6455125.Mmrnxe7ddi@x2> (raw)
In-Reply-To: <4FFFD903.7020103@floriancrouzat.net>

On Friday, July 13, 2012 10:14:59 AM Florian Crouzat wrote:
> Le 12/07/2012 21:41, Thugzclub a écrit :
> > Florian,
> > 
> > Did you get and answer for this?
> > 
> > Regards.
> 
> Not a single one.

Hmm...I thought I sent an answer. The problem from the kernel's perspective is 
that it has no idea what user space is doing. It can't tell a password from 
anything else being typed. There is a flag that can be set for the TTY to hide 
characters. But the issue then becomes that now you have a loophole that a 
crafty admin could use to hide what he's really doing.

If anyone has ideas on how to improve this, I think we should.

-Steve


> > On 10 Jul 2012, at 08:29, Florian Crouzat <gentoo@floriancrouzat.net> 
wrote:
> >> Hi,
> >> 
> >> This is my first message to the list to please be indulgent, I might be
> >> mixing concepts here between auditd, selinux and pam. Any guidance much
> >> appreciated.
> >> 
> >> For PCI-DSS, in order to be allowed to have a real root shell instead of
> >> firing sudo all the time (and it's lack of glob/completion), I'm trying
> >> to have any commands fired in any kind of root shell logged. (Of course
> >> it doesn't protect against malicious root users but that's off-topic).
> >> 
> >> So, I've been able to achieve that purpose by using :
> >> 
> >> $ grep tty /etc/pam.d/{su*,system-auth}
> >> /etc/pam.d/su:session required pam_tty_audit.so enable=root
> >> /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
> >> /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
> >> /etc/pam.d/su-l:session required pam_tty_audit.so enable=root
> >> /etc/pam.d/system-auth:session required pam_tty_audit.so disable=*
> >> enable=root
> >> 
> >> Every keystroke are logged in /var/log/audit/audit.log which is great. My
> >> only issue is that I just realized that prompt passwords are also
> >> logged, eg MySQL password or Spacewalk, etc. I can read them in plain
> >> text when doing "aureport --tty -if /var/log/audit/audit.log and PCI-DSS
> >> forbid any kind of storage of passwords, is there a workaround ? Eg:
> >> don't log keystrokes when the prompt is "hidden" (inputting a password)
> >> 
> >> I'd like very much to be able to obtain real root shells for ease of work
> >> (sudo -i) my only constraint beeing: log everything but don't store any
> >> password.
> >> 
> >> Thanks,
> >> 
> >> --
> >> Cheers,
> >> Florian Crouzat
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

  reply	other threads:[~2012-07-13 13:27 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-07-10  7:29 PCI-DSS: Log every root actions/keystrokes but avoid passwords Florian Crouzat
2012-07-12 19:41 ` Thugzclub
2012-07-13  8:14   ` Florian Crouzat
2012-07-13 13:27     ` Steve Grubb [this message]
2012-07-13 13:50       ` Florian Crouzat
2012-07-13 14:11         ` Valentin Avram
2012-07-13 17:09         ` EXT :Re: " Boyce, Kevin P (AS)
2012-07-16  8:05           ` Florian Crouzat
2012-07-16 13:20             ` Steve Grubb
2012-07-13 14:23 ` Miloslav Trmac
  -- strict thread matches above, loose matches on Subject: below --
2013-03-11 19:48 Tracy Reed
2013-03-12 11:06 ` Miloslav Trmac
2013-03-12 20:47   ` Richard Guy Briggs
2013-03-12 21:09     ` Steve Grubb
2013-03-13 14:55       ` Richard Guy Briggs
2013-03-13 15:59         ` Steve Grubb
2013-03-13 20:24         ` Tracy Reed
2013-03-12 21:09     ` Tracy Reed
2013-03-13 16:26       ` Richard Guy Briggs
2013-03-13 16:43         ` Miloslav Trmac
2013-03-13 16:53           ` Richard Guy Briggs
2013-03-13 17:37             ` Miloslav Trmac
2013-03-14 14:56               ` Richard Guy Briggs

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6455125.Mmrnxe7ddi@x2 \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    --cc=thugzclub@googlemail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox