PCI-DSS: Log every root actions/keystrokes but avoid passwords
Steve Grubb
sgrubb at redhat.com
Fri Jul 13 13:27:42 UTC 2012
On Friday, July 13, 2012 10:14:59 AM Florian Crouzat wrote:
> Le 12/07/2012 21:41, Thugzclub a écrit :
> > Florian,
> >
> > Did you get and answer for this?
> >
> > Regards.
>
> Not a single one.
Hmm...I thought I sent an answer. The problem from the kernel's perspective is
that it has no idea what user space is doing. It can't tell a password from
anything else being typed. There is a flag that can be set for the TTY to hide
characters. But the issue then becomes that now you have a loophole that a
crafty admin could use to hide what he's really doing.
If anyone has ideas on how to improve this, I think we should.
-Steve
> > On 10 Jul 2012, at 08:29, Florian Crouzat <gentoo at floriancrouzat.net>
wrote:
> >> Hi,
> >>
> >> This is my first message to the list to please be indulgent, I might be
> >> mixing concepts here between auditd, selinux and pam. Any guidance much
> >> appreciated.
> >>
> >> For PCI-DSS, in order to be allowed to have a real root shell instead of
> >> firing sudo all the time (and it's lack of glob/completion), I'm trying
> >> to have any commands fired in any kind of root shell logged. (Of course
> >> it doesn't protect against malicious root users but that's off-topic).
> >>
> >> So, I've been able to achieve that purpose by using :
> >>
> >> $ grep tty /etc/pam.d/{su*,system-auth}
> >> /etc/pam.d/su:session required pam_tty_audit.so enable=root
> >> /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
> >> /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
> >> /etc/pam.d/su-l:session required pam_tty_audit.so enable=root
> >> /etc/pam.d/system-auth:session required pam_tty_audit.so disable=*
> >> enable=root
> >>
> >> Every keystroke are logged in /var/log/audit/audit.log which is great. My
> >> only issue is that I just realized that prompt passwords are also
> >> logged, eg MySQL password or Spacewalk, etc. I can read them in plain
> >> text when doing "aureport --tty -if /var/log/audit/audit.log and PCI-DSS
> >> forbid any kind of storage of passwords, is there a workaround ? Eg:
> >> don't log keystrokes when the prompt is "hidden" (inputting a password)
> >>
> >> I'd like very much to be able to obtain real root shells for ease of work
> >> (sudo -i) my only constraint beeing: log everything but don't store any
> >> password.
> >>
> >> Thanks,
> >>
> >> --
> >> Cheers,
> >> Florian Crouzat
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
More information about the Linux-audit
mailing list