Florian, Did you get and answer for this?
Regards. On 10 Jul 2012, at 08:29, Florian Crouzat <[email protected]> wrote: > Hi, > > This is my first message to the list to please be indulgent, I might be > mixing concepts here between auditd, selinux and pam. Any guidance much > appreciated. > > For PCI-DSS, in order to be allowed to have a real root shell instead of > firing sudo all the time (and it's lack of glob/completion), I'm trying to > have any commands fired in any kind of root shell logged. (Of course it > doesn't protect against malicious root users but that's off-topic). > > So, I've been able to achieve that purpose by using : > > $ grep tty /etc/pam.d/{su*,system-auth} > /etc/pam.d/su:session required pam_tty_audit.so enable=root > /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root > /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root > /etc/pam.d/su-l:session required pam_tty_audit.so enable=root > /etc/pam.d/system-auth:session required pam_tty_audit.so disable=* enable=root > > Every keystroke are logged in /var/log/audit/audit.log which is great. My > only issue is that I just realized that prompt passwords are also logged, eg > MySQL password or Spacewalk, etc. > I can read them in plain text when doing "aureport --tty -if > /var/log/audit/audit.log and PCI-DSS forbid any kind of storage of passwords, > is there a workaround ? Eg: don't log keystrokes when the prompt is "hidden" > (inputting a password) > > I'd like very much to be able to obtain real root shells for ease of work > (sudo -i) my only constraint beeing: log everything but don't store any > password. > > Thanks, > > -- > Cheers, > Florian Crouzat > > -- > Linux-audit mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/linux-audit -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
