From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords Date: Fri, 13 Jul 2012 09:27:42 -0400 Message-ID: <6455125.Mmrnxe7ddi@x2> References: <4FFBD9D6.2080902@floriancrouzat.net> <67597D99-9688-497A-9CE8-572B3E25E6FB@gmail.com> <4FFFD903.7020103@floriancrouzat.net> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Return-path: In-Reply-To: <4FFFD903.7020103@floriancrouzat.net> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com Cc: Thugzclub List-Id: linux-audit@redhat.com On Friday, July 13, 2012 10:14:59 AM Florian Crouzat wrote: > Le 12/07/2012 21:41, Thugzclub a =E9crit : > > Florian, > > = > > Did you get and answer for this? > > = > > Regards. > = > Not a single one. Hmm...I thought I sent an answer. The problem from the kernel's perspective= is = that it has no idea what user space is doing. It can't tell a password from = anything else being typed. There is a flag that can be set for the TTY to h= ide = characters. But the issue then becomes that now you have a loophole that a = crafty admin could use to hide what he's really doing. If anyone has ideas on how to improve this, I think we should. -Steve > > On 10 Jul 2012, at 08:29, Florian Crouzat = wrote: > >> Hi, > >> = > >> This is my first message to the list to please be indulgent, I might be > >> mixing concepts here between auditd, selinux and pam. Any guidance much > >> appreciated. > >> = > >> For PCI-DSS, in order to be allowed to have a real root shell instead = of > >> firing sudo all the time (and it's lack of glob/completion), I'm trying > >> to have any commands fired in any kind of root shell logged. (Of course > >> it doesn't protect against malicious root users but that's off-topic). > >> = > >> So, I've been able to achieve that purpose by using : > >> = > >> $ grep tty /etc/pam.d/{su*,system-auth} > >> /etc/pam.d/su:session required pam_tty_audit.so enable=3Droot > >> /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=3Dr= oot > >> /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable= =3Droot > >> /etc/pam.d/su-l:session required pam_tty_audit.so enable=3Droot > >> /etc/pam.d/system-auth:session required pam_tty_audit.so disable=3D* > >> enable=3Droot > >> = > >> Every keystroke are logged in /var/log/audit/audit.log which is great.= My > >> only issue is that I just realized that prompt passwords are also > >> logged, eg MySQL password or Spacewalk, etc. I can read them in plain > >> text when doing "aureport --tty -if /var/log/audit/audit.log and PCI-D= SS > >> forbid any kind of storage of passwords, is there a workaround ? Eg: > >> don't log keystrokes when the prompt is "hidden" (inputting a password) > >> = > >> I'd like very much to be able to obtain real root shells for ease of w= ork > >> (sudo -i) my only constraint beeing: log everything but don't store any > >> password. > >> = > >> Thanks, > >> = > >> -- > >> Cheers, > >> Florian Crouzat > = > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit