PCI-DSS: Log every root actions/keystrokes but avoid passwords

[Florian Crouzat]

Hi,

This is my first message to the list to please be indulgent, I might be 
mixing concepts here between auditd, selinux and pam. Any guidance much 
appreciated.

For PCI-DSS, in order to be allowed to have a real root shell instead of 
firing sudo all the time (and it's lack of glob/completion), I'm trying 
to have any commands fired in any kind of root shell logged. (Of course 
it doesn't protect against malicious root users but that's off-topic).

So, I've been able to achieve that purpose by using :

$ grep tty /etc/pam.d/{su*,system-auth}
/etc/pam.d/su:session required pam_tty_audit.so enable=root
/etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/su-l:session required pam_tty_audit.so enable=root
/etc/pam.d/system-auth:session required pam_tty_audit.so disable=* 
enable=root

Every keystroke are logged in /var/log/audit/audit.log which is great. 
My only issue is that I just realized that prompt passwords are also 
logged, eg MySQL password or Spacewalk, etc.
I can read them in plain text when doing "aureport --tty -if 
/var/log/audit/audit.log and PCI-DSS forbid any kind of storage of 
passwords, is there a workaround ? Eg: don't log keystrokes when the 
prompt is "hidden" (inputting a password)

I'd like very much to be able to obtain real root shells for ease of 
work (sudo -i) my only constraint beeing: log everything but don't store 
any password.

Thanks,

-- 
Cheers,
Florian Crouzat