PCI-DSS: Log every root actions/keystrokes but avoid passwords
Miloslav Trmac
mitr at redhat.com
Wed Mar 13 17:37:53 UTC 2013
----- Original Message -----
> On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
> > ----- Original Message -----
> > > > Please do post the patch here when you have it worked out as I
> > > > am
> > > > very likely
> > > > to miss it in the flood of kernel patches when it goes to/from
> > > > Linus.
> > >
> > > Here you go. Given Steve's good question, this control method
> > > may
> > > change.
> >
> > Isn't "icanon" _true_ when the data is echoed? This patch would
> > allow
> > dropping the echoed data (i.e. commands), not the non-echoed data
> > (i.e. passwords).
> > (I might be mistaken and I haven't tested this.)
>
> Apparently not. This is what took me longer than I initially thought
> necessary to get this working, rechecking my pam incantations along the
> way. I went back and actually removed my switch and just isolated
> icanon in the decision to abort the function to confirm how it worked,
> then inverted the test which is when it started working. Eric was right
> to start with.
Are you looking at AUDIT_TTY only, or at AUDIT_USER_TTY as well? The latter is generated by bash and not relevant.
Anyway, I was beig stupid - icanon is enabled even when asking for passwords (because backspace works). When asking for passwords, the situation seems to be (ICANON && !ECHO) (using the tcsetattr(3p) names; I have checked agetty(8) and su(1)). We definitely want to audit (ICANON && ECHO); I'm not sure about the !ICANON cases - I suspect we want them audited as well. But that might need a more detailed look.
Mirek
More information about the Linux-audit
mailing list