Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

[Steve Grubb <sgrubb@redhat.com>]

On Wednesday, March 13, 2013 10:55:29 AM Richard Guy Briggs wrote:
> On Tue, Mar 12, 2013 at 05:09:15PM -0400, Steve Grubb wrote:
> > On Tuesday, March 12, 2013 04:47:42 PM Richard Guy Briggs wrote:
> > > On Tue, Mar 12, 2013 at 07:06:59AM -0400, Miloslav Trmac wrote:
> > > > ----- Original Message -----
> > > > 
> > > > > I am resurrecting this old thread from last summer because I ran
> > > > > into
> > > > > the same issue and found the thread in the archives via Google. It
> > > > > would be very nice if everything could be logged except passwords.
> > > > 
> > > > There is work being done.  Sorry, I don't have more specifics as to
> > > > availability, perhaps others do.
> > > 
> > > Hi Tracy,
> > > 
> > > I'm actually working on that right now.  I have a patch I am in the
> > > process of testing.  It implements a new sysctl.
> > 
> > Why would this be done as a sysctl? Everything else in the audit system is
> > configured through the netlink API. I would think that we would want to
> > have it configured by the same pam module that we currently use to enable
> > tty auditing. So, why not make a new netlink command that pam can use?
> 
> The lazy and naive answer is that that was the approach that was
> suggested by two developers much more familiar with this code than me (I
> expect that to balance out with time.)
> 
> Now that you suggest this, I agree that approach makes a lot of sense.
> 
> The more technical answer might be that it is much more expedient to do
> it with a sysctl since it involves fewer compiled entities to implement
> and hence can be rolled out faster with less co-ordination of other
> software projects. 

To me, its more important to not have a proliferation of places that must be 
tweaked for the audit system. Its not a big deal to patch pam to have a new 
argument.


> After the kernel is recompiled (needed in any case)
> it can be implemented with one line added to a file in /etc/sysctl.d/
> while your approach requires adding code to audit and pam, waiting for
> it to be released by their respective teams, then the user adding a
> config option to the pam module invocation.  I agree that would be more
> convenient for end users since it can be an option added in the same
> place as the module is invoked.

The problem that I have had for a long time is that there is no way to query 
the kernel and ask what its audit capabilities are so that meaningful user 
space warnings can be given.


> I haven't seen a lot of requests for this feature yet, but it sounds
> like there could be a lot of interest, so it may be worth doing
> correctly, rather than as a quick fix.
> 
> Am I missing anything?

Nope. Let's make it nice and easy to configure in the same place that its 
already being done. :-)

Thanks,
-Steve