From: Thugzclub
Subject: Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
Date: Thu, 12 Jul 2012 20:41:33 +0100
Message-ID: <67597D99-9688-497A-9CE8-572B3E25E6FB@gmail.com>
In-Reply-To: <4FFBD9D6.2080902@floriancrouzat.net>
To: Florian Crouzat
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Florian,

Did you get an answer for this?

Regards.

On 10 Jul 2012, at 08:29, Florian Crouzat wrote:

> Hi,
>
> This is my first message to the list, so please be indulgent; I might be mixing concepts here between auditd, SELinux and PAM. Any guidance much appreciated.
>
> For PCI-DSS, in order to be allowed to have a real root shell instead of firing sudo all the time (and its lack of glob/completion), I'm trying to have any commands fired in any kind of root shell logged. (Of course it doesn't protect against malicious root users, but that's off-topic.)
>
> So, I've been able to achieve that purpose by using:
>
> $ grep tty /etc/pam.d/{su*,system-auth}
> /etc/pam.d/su:session required pam_tty_audit.so enable=root
> /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
> /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
> /etc/pam.d/su-l:session required pam_tty_audit.so enable=root
> /etc/pam.d/system-auth:session required pam_tty_audit.so disable=* enable=root
>
> Every keystroke is logged in /var/log/audit/audit.log, which is great. My only issue is that I just realized that prompted passwords are also logged, e.g. the MySQL password or Spacewalk, etc.
> I can read them in plain text when doing "aureport --tty -if /var/log/audit/audit.log", and PCI-DSS forbids any kind of storage of passwords. Is there a workaround? E.g.: don't log keystrokes when the prompt is "hidden" (inputting a password).
>
> I'd like very much to be able to obtain real root shells for ease of work (sudo -i), my only constraint being: log everything but don't store any password.
>
> Thanks,
>
> --
> Cheers,
> Florian Crouzat
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
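The keystrokes that aureport --tty displays are stored in audit.log as hex-encoded type=TTY records, so a password typed at a hidden prompt is on disk in the raw log whether or not aureport is used to view it. The decoder below is an added example, not code from this thread or from the audit project: it replays those records into the lines the user actually submitted (applying backspaces), which is what an auditor reviewing root sessions needs. The log lines it parses are constructed, and the record layout is assumed to follow the kernel's TTY audit format as documented for pam_tty_audit.

```python
import re
from typing import Dict, List

# Constructed sample shaped like the type=TTY records the kernel writes to
# audit.log (what aureport --tty reads); every value here is invented.
SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1341920000.101:1166): tty pid=1504 uid=0 auid=500 ses=1 major=136 minor=0 comm="bash" data=6C73202D6C0D
type=TTY msg=audit(1341920005.202:1167): tty pid=1504 uid=0 auid=500 ses=1 major=136 minor=0 comm="bash" data=6D7973716C202D7520726F6F74202D700D
type=TTY msg=audit(1341920007.303:1168): tty pid=1520 uid=0 auid=500 ses=1 major=136 minor=0 comm="mysql" data=53336372337421217F0D
type=USER_LOGIN msg=audit(1341920010.404:1169): pid=1600 uid=0 auid=500 ses=2 msg='op=login id=500 exe="/usr/sbin/sshd" res=success'
"""

TTY_RE = re.compile(
    r"^type=TTY msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): tty "
    r"(?P<fields>.*?) data=(?P<data>[0-9A-Fa-f]+)\s*$"
)

def keystrokes_to_lines(raw: bytes) -> List[str]:
    """Replay raw keystrokes into the submitted lines: backspace/DEL (0x08, 0x7f)
    erase the previous character, CR/LF ends a line, other controls become \\xNN."""
    lines, cur = [], []
    for b in raw:
        if b in (0x08, 0x7F):
            if cur:
                cur.pop()
        elif b in (0x0D, 0x0A):
            lines.append("".join(cur))
            cur = []
        else:
            cur.append(chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b)
    if cur:
        lines.append("".join(cur))
    return lines

def parse_tty_records(log_text: str) -> List[Dict]:
    """Decode every type=TTY record in audit.log text; other record types
    (SYSCALL, USER_LOGIN, ...) carry no keystrokes and are skipped."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
        records.append({
            "time": float(m.group("ts")),
            "auid": int(fields["auid"]),        # login uid pam_tty_audit keyed on
            "comm": fields["comm"].strip('"'),  # process that read the keystrokes
            "lines": keystrokes_to_lines(bytes.fromhex(m.group("data"))),
        })
    return records
```

Later kernels (3.9 and newer) together with pam_tty_audit no longer record keystrokes typed while TTY echo is off unless the log_passwd option is given, which is the behaviour asked for in this thread.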