PCI-DSS: Log every root actions/keystrokes but avoid passwords
Richard Guy Briggs
rgb at redhat.com
Thu Mar 14 14:56:28 UTC 2013
On Wed, Mar 13, 2013 at 01:37:53PM -0400, Miloslav Trmac wrote:
> ----- Original Message -----
> > On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
> > > ----- Original Message -----
> > > > > Please do post the patch here when you have it worked out as I
> > > > > am
> > > > > very likely
> > > > > to miss it in the flood of kernel patches when it goes to/from
> > > > > Linus.
> > > >
> > > > Here you go. Given Steve's good question, this control method
> > > > may
> > > > change.
> > >
> > > Isn't "icanon" _true_ when the data is echoed? This patch would
> > > allow
> > > dropping the echoed data (i.e. commands), not the non-echoed data
> > > (i.e. passwords).
> > > (I might be mistaken and I haven't tested this.)
> >
> > Apparently not. This is what took me longer than I initially thought
> > necessary to get this working, rechecking my pam incantations along the
> > way. I went back and actually removed my switch and just isolated
> > icanon in the decision to abort the function to confirm how it worked,
> > then inverted the test which is when it started working. Eric was right
> > to start with.
>
> Are you looking at AUDIT_TTY only, or at AUDIT_USER_TTY as well? The
> latter is generated by bash and not relevant.
I was looking at both, but primarily watching AUDIT_TTY for sshd, since
that is the pam rule that I was using for testing.
> Anyway, I was beig stupid - icanon is enabled even when asking for
> passwords (because backspace works). When asking for passwords, the
> situation seems to be (ICANON && !ECHO) (using the tcsetattr(3p)
> names; I have checked agetty(8) and su(1)). We definitely want to
> audit (ICANON && ECHO); I'm not sure about the !ICANON cases - I
> suspect we want them audited as well. But that might need a more
> detailed look.
This reply is a bit stale since I started to write it yesterday...
Ok, so it sounds like I need to add (or substitute) "&& !L_ECHO(tty)" to
that expression.
As a sanity check, can I just verify that to test this, I should only
need to add something like "session required pam_tty_audit.so disable=*
enable=rgb" to /etc/pam.d/sshd and then ssh in to the box as rgb, then
issue a command that requires a password such as ssh or su?
Ok, I just chatted with Mirek... He pointed me at:
https://access.redhat.com/knowledge/solutions/226243
I had set it up for a non-root user to avoid logging the instrumentation
console...
I'll redo these tests...
> Mirek
- RGB
--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635
More information about the Linux-audit
mailing list