PCI-DSS: Log every root actions/keystrokes but avoid passwords

Richard Guy Briggs rgb at redhat.com
Wed Mar 13 16:53:27 UTC 2013


On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
> ----- Original Message -----
> > > Please do post the patch here when you have it worked out as I am
> > > very likely to miss it in the flood of kernel patches when it goes
> > > to/from Linus.
> > 
> > Here you go.  Given Steve's good question, this control method may change.
> 
> Isn't "icanon" _true_ when the data is echoed?  This patch would allow
> dropping the echoed data (i.e. commands), not the non-echoed data
> (i.e. passwords).
> (I might be mistaken and I haven't tested this.)

Apparently not.  This is what took me longer than I initially thought
necessary to get this working, rechecking my PAM incantations along the
way.  I went back and actually removed my switch and just isolated
icanon in the decision to abort the function to confirm how it worked,
then inverted the test, which is when it started working.  Eric was right
to start with.

>     Mirek

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635



