Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2013-03-13 Thread Richard Guy Briggs
On Tue, Mar 12, 2013 at 05:09:15PM -0400, Steve Grubb wrote:
 On Tuesday, March 12, 2013 04:47:42 PM Richard Guy Briggs wrote:
  On Tue, Mar 12, 2013 at 07:06:59AM -0400, Miloslav Trmac wrote:
   - Original Message -
   
I am resurrecting this old thread from last summer because I ran into
the same issue and found the thread in the archives via Google. It
would be very nice if everything could be logged except passwords.
   
   There is work being done.  Sorry, I don't have more specifics as to
   availability, perhaps others do.
  
  Hi Tracy,
  
  I'm actually working on that right now.  I have a patch I am in the
  process of testing.  It implements a new sysctl.
 
 Why would this be done as a sysctl? Everything else in the audit system is 
 configured through the netlink API. I would think that we would want to have 
 it configured by the same pam module that we currently use to enable tty 
 auditing. So, why not make a new netlink command that pam can use?

The lazy and naive answer is that that was the approach that was
suggested by two developers much more familiar with this code than me (I
expect that to balance out with time.)

Now that you suggest this, I agree that approach makes a lot of sense.

The more technical answer might be that it is much more expedient to do
it with a sysctl since it involves fewer compiled entities to implement
and hence can be rolled out faster with less co-ordination of other
software projects.  After the kernel is recompiled (needed in any case)
it can be implemented with one line added to a file in /etc/sysctl.d/
while your approach requires adding code to audit and pam, waiting for
it to be released by their respective teams, then the user adding a
config option to the pam module invocation.  I agree that would be more
convenient for end users since it can be an option added in the same
place as the module is invoked.

I haven't seen a lot of requests for this feature yet, but it sounds
like there could be a lot of interest, so it may be worth doing
correctly, rather than as a quick fix.

Am I missing anything?

  I'm working in the upstream kernel, so it will likely be available in Linus'
  git tree before anywhere else.
 
 Normally audit patches are sent to this mail list for review. If there are no 
 objections then it can be pulled into an upstream tree.

I'll post this patch anyways.

 -Steve
 
  After that, likely fedora, then RHEL, but I'm a bit new to that process.
  
  I don't see a reason why I couldn't post that patch here when I've got
  it ironed out.

- RGB

--
Richard Guy Briggs rbri...@redhat.com
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2013-03-13 Thread Steve Grubb
On Wednesday, March 13, 2013 10:55:29 AM Richard Guy Briggs wrote:
 On Tue, Mar 12, 2013 at 05:09:15PM -0400, Steve Grubb wrote:
  On Tuesday, March 12, 2013 04:47:42 PM Richard Guy Briggs wrote:
   On Tue, Mar 12, 2013 at 07:06:59AM -0400, Miloslav Trmac wrote:
- Original Message -

 I am resurrecting this old thread from last summer because I ran
 into
 the same issue and found the thread in the archives via Google. It
 would be very nice if everything could be logged except passwords.

There is work being done.  Sorry, I don't have more specifics as to
availability, perhaps others do.
   
   Hi Tracy,
   
   I'm actually working on that right now.  I have a patch I am in the
   process of testing.  It implements a new sysctl.
  
  Why would this be done as a sysctl? Everything else in the audit system is
  configured through the netlink API. I would think that we would want to
  have it configured by the same pam module that we currently use to enable
  tty auditing. So, why not make a new netlink command that pam can use?
 
 The lazy and naive answer is that that was the approach that was
 suggested by two developers much more familiar with this code than me (I
 expect that to balance out with time.)
 
 Now that you suggest this, I agree that approach makes a lot of sense.
 
 The more technical answer might be that it is much more expedient to do
 it with a sysctl since it involves fewer compiled entities to implement
 and hence can be rolled out faster with less co-ordination of other
 software projects. 

To me, it's more important to not have a proliferation of places that must be 
tweaked for the audit system. It's not a big deal to patch pam to have a new 
argument.


 After the kernel is recompiled (needed in any case)
 it can be implemented with one line added to a file in /etc/sysctl.d/
 while your approach requires adding code to audit and pam, waiting for
 it to be released by their respective teams, then the user adding a
 config option to the pam module invocation.  I agree that would be more
 convenient for end users since it can be an option added in the same
 place as the module is invoked.

The problem that I have had for a long time is that there is no way to query 
the kernel and ask what its audit capabilities are so that meaningful user 
space warnings can be given.


 I haven't seen a lot of requests for this feature yet, but it sounds
 like there could be a lot of interest, so it may be worth doing
 correctly, rather than as a quick fix.
 
 Am I missing anything?

Nope. Let's make it nice and easy to configure in the same place that it's 
already being done. :-)

Thanks,
-Steve



Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2013-03-13 Thread Miloslav Trmac
- Original Message -
  Please do post the patch here when you have it worked out as I am
  very likely
  to miss it in the flood of kernel patches when it goes to/from
  Linus.
 
 Here you go.  Given Steve's good question, this control method may
 change.

Isn't icanon _true_ when the data is echoed?  This patch would allow dropping 
the echoed data (i.e. commands), not the non-echoed data (i.e. passwords).

(I might be mistaken and I haven't tested this.)
Mirek



Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2013-03-13 Thread Richard Guy Briggs
On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
 - Original Message -
   Please do post the patch here when you have it worked out as I am
   very likely
   to miss it in the flood of kernel patches when it goes to/from
   Linus.
  
  Here you go.  Given Steve's good question, this control method may
  change.
 
 Isn't icanon _true_ when the data is echoed?  This patch would allow
 dropping the echoed data (i.e. commands), not the non-echoed data
 (i.e. passwords).
 (I might be mistaken and I haven't tested this.)

Apparently not.  This is what took me longer than I initially thought
necessary to get this working, rechecking my pam incantations along the
way.  I went back and actually removed my switch and just isolated
icanon in the decision to abort the function to confirm how it worked,
then inverted the test which is when it started working.  Eric was right
to start with.

 Mirek

- RGB

--
Richard Guy Briggs rbri...@redhat.com
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635



Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2013-03-13 Thread Miloslav Trmac
- Original Message -
 On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
  - Original Message -
Please do post the patch here when you have it worked out as I
am
very likely
to miss it in the flood of kernel patches when it goes to/from
Linus.
   
   Here you go.  Given Steve's good question, this control method
   may
   change.
  
  Isn't icanon _true_ when the data is echoed?  This patch would
  allow
  dropping the echoed data (i.e. commands), not the non-echoed data
  (i.e. passwords).
  (I might be mistaken and I haven't tested this.)
 
 Apparently not.  This is what took me longer than I initially thought
 necessary to get this working, rechecking my pam incantations along the
 way.  I went back and actually removed my switch and just isolated
 icanon in the decision to abort the function to confirm how it worked,
 then inverted the test which is when it started working.  Eric was right
 to start with.

Are you looking at AUDIT_TTY only, or at AUDIT_USER_TTY as well?  The latter is 
generated by bash and not relevant.

Anyway, I was being stupid - icanon is enabled even when asking for passwords 
(because backspace works).  When asking for passwords, the situation seems to 
be (ICANON && !ECHO) (using the tcsetattr(3p) names; I have checked agetty(8) 
and su(1)).  We definitely want to audit (ICANON && ECHO); I'm not sure about 
the !ICANON cases - I suspect we want them audited as well.  But that might 
need a more detailed look.
Mirek

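The three termios states Mirek lists above ((ICANON && ECHO), (ICANON && !ECHO) and !ICANON), together with the echo-off loophole that Steve and Mirek raise elsewhere in this thread, written out as an added Python example. This is not code from the thread, from the kernel patch under discussion, or from the audit project: the state names, the `should_audit` policy, the `audit_trace` helper and the keystroke trace it is fed are my constructions; only the flag constants come from Python's `termios` module.

```python
import os
import termios

# Flag bits from termios(3); exported so callers can build c_lflag values by hand.
ICANON, ECHO = termios.ICANON, termios.ECHO

def classify_lflag(lflag):
    """Map a termios c_lflag word onto the three input shapes discussed in the thread."""
    canon, echo = bool(lflag & ICANON), bool(lflag & ECHO)
    if canon and echo:
        return "echoed-line"   # (ICANON && ECHO): ordinary line-at-a-time input
    if canon:
        return "hidden-line"   # (ICANON && !ECHO): what agetty/su look like at a password prompt
    return "raw"               # !ICANON: byte-at-a-time input (readline shells, editors)

def should_audit(lflag, skip_hidden=True):
    """Policy sketched in the thread: record echoed-line and raw input; skipping
    hidden-line input is the optional part that keeps passwords out of the log."""
    if classify_lflag(lflag) == "hidden-line":
        return not skip_hidden
    return True

def audit_trace(chunks, skip_hidden=True):
    """chunks: (lflag, data) pairs in the order a keystroke auditor would see them.
    Returns the audited chunks and the number of bytes that were skipped, so a gap
    in the record is still visible even when the characters themselves are not."""
    audited, skipped = [], 0
    for lflag, data in chunks:
        if should_audit(lflag, skip_hidden):
            audited.append(data)
        else:
            skipped += len(data)
    return audited, skipped

def live_state(fd=0):
    """Classify the current c_lflag of a terminal fd (stdin by default); None if not a tty."""
    if not os.isatty(fd):
        return None
    attrs = termios.tcgetattr(fd)   # [iflag, oflag, cflag, lflag, ispeed, ospeed, cc]
    return classify_lflag(attrs[3])

if __name__ == "__main__":
    # Constructed trace: a command, a password prompt, then more input typed into a
    # tty that the prompting program left in non-echo mode when it exited.
    trace = [(ICANON | ECHO, b"ls\r"), (ICANON, b"hunter2\r"), (ICANON, b"echo still hidden\r")]
    print("stdin is currently:", live_state())
    print("skip hidden input :", audit_trace(trace))
    print("audit everything  :", audit_trace(trace, skip_hidden=False))
```

The third chunk of the trace is the bypass Mirek describes: once a program has cleared ECHO and exited without restoring it, everything typed afterwards is in the hidden-line state and is dropped by the skip-hidden policy. The skipped byte count is the "log the fact that something was typed" compromise Tracy asks for; an auditor can at least see that a gap exists and how large it is. Note also that shells built on readline run the terminal in non-canonical mode, so the !ICANON case Mirek is unsure about is where most interactive command input actually lives.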


Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2013-03-13 Thread Tracy Reed
On Wed, Mar 13, 2013 at 07:55:29AM PDT, Richard Guy Briggs spake thusly:
 I haven't seen a lot of requests for this feature yet, but it sounds
 like there could be a lot of interest, so it may be worth doing
 correctly, rather than as a quick fix.

As people become more security-aware and implement PCI/HIPAA/FISMA and other
regulatory regimes (which are why I'm here) they will be asking for more
auditing capability, especially in the area of console/tty logging where Linux
has historically been weak. Writing out passwords to logfiles is simply not an
option. We are currently looking at Xceedium for auditing/logging our bastion
hosts but would really prefer to avoid that route if auditd or some other Linux
component could handle that for us.

-- 
Tracy Reed



Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2013-03-12 Thread Miloslav Trmac
- Original Message -
 I am resurrecting this old thread from last summer because I ran into the same
 issue and found the thread in the archives via Google. It would be very nice 
 if
 everything could be logged except passwords.

There is work being done.  Sorry, I don't have more specifics as to 
availability, perhaps others do.
Mirek



Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2013-03-12 Thread Richard Guy Briggs
On Tue, Mar 12, 2013 at 07:06:59AM -0400, Miloslav Trmac wrote:
 - Original Message -
  I am resurrecting this old thread from last summer because I ran into the 
  same
  issue and found the thread in the archives via Google. It would be very 
  nice if
  everything could be logged except passwords.
 
 There is work being done.  Sorry, I don't have more specifics as to
 availability, perhaps others do.

Hi Tracy,

I'm actually working on that right now.  I have a patch I am in the
process of testing.  It implements a new sysctl.  I'm working in
the upstream kernel, so it will likely be available in Linus' git tree
before anywhere else.  After that, likely fedora, then RHEL, but I'm a
bit new to that process.

I don't see a reason why I couldn't post that patch here when I've got
it ironed out.

 Mirek

- RGB

--
Richard Guy Briggs rbri...@redhat.com
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635



Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2013-03-12 Thread Steve Grubb
On Tuesday, March 12, 2013 04:47:42 PM Richard Guy Briggs wrote:
 On Tue, Mar 12, 2013 at 07:06:59AM -0400, Miloslav Trmac wrote:
  - Original Message -
  
   I am resurrecting this old thread from last summer because I ran into
   the same issue and found the thread in the archives via Google. It
   would be very nice if everything could be logged except passwords.
  
  There is work being done.  Sorry, I don't have more specifics as to
  availability, perhaps others do.
 
 Hi Tracy,
 
 I'm actually working on that right now.  I have a patch I am in the
 process of testing.  It implements a new sysctl.

Why would this be done as a sysctl? Everything else in the audit system is 
configured through the netlink API. I would think that we would want to have it 
configured by the same pam module that we currently use to enable tty auditing. 
So, why not make a new netlink command that pam can use?


 I'm working in the upstream kernel, so it will likely be available in Linus'
 git tree before anywhere else.

Normally audit patches are sent to this mail list for review. If there are no 
objections then it can be pulled into an upstream tree.

-Steve

 After that, likely fedora, then RHEL, but I'm a bit new to that process.
 
 I don't see a reason why I couldn't post that patch here when I've got
 it ironed out.



Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2013-03-12 Thread Tracy Reed
On Tue, Mar 12, 2013 at 01:47:42PM PDT, Richard Guy Briggs spake thusly:
 I'm actually working on that right now.  I have a patch I am in the
 process of testing.  It implements a new sysctl.  I'm working in
 the upstream kernel, so it will likely be available in Linus' git tree
 before anywhere else.  After that, likely fedora, then RHEL, but I'm a
 bit new to that process.

Wow, thanks! Always glad to see good security features/auditing being added to
the kernel. Although I'm surprised a new sysctl was necessary and it couldn't
all be done in auditd in userspace. I look forward to reading over the code to
learn what went into this.

Please do post the patch here when you have it worked out as I am very likely
to miss it in the flood of kernel patches when it goes to/from Linus.

Thanks again!

-- 
Tracy Reed



Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2013-03-11 Thread Tracy Reed
I am resurrecting this old thread from last summer because I ran into the same
issue and found the thread in the archives via Google. It would be very nice if
everything could be logged except passwords. Isn't the option for echo back set
in the tty settings? Could the pam module not log characters when the tty is
set for no echo back?  Or at least log the fact that something was typed but
not logged. A typical problematic log line looks like:

type=TTY msg=audit(1362711728.667:284493): tty pid=21810 uid=0 auid=500 
major=136 minor=1 comm=passwd data=ABCDEF01234569

We can already enable/disable audit based on user with enable= or disable= as
an argument to the pam module. Could we do something similar with the command?
So if comm=passwd could we note that something was typed but not log the
actual chars?

On Friday, July 13, 2012 10:14:59 AM Florian Crouzat wrote:
 On 12/07/2012 21:41, Thugzclub wrote:
  Florian,
  
  Did you get an answer for this?
  
  Regards.
 
 Not a single one.

Hmm...I thought I sent an answer. The problem from the kernel's perspective is 
that it has no idea what user space is doing. It can't tell a password from 
anything else being typed. There is a flag that can be set for the TTY to hide 
characters. But the issue then becomes that now you have a loophole that a 
crafty admin could use to hide what he's really doing.

If anyone has ideas on how to improve this, I think we should.

-Steve


  On 10 Jul 2012, at 08:29, Florian Crouzat gentoo floriancrouzat net 
wrote:
  Hi,
  
  This is my first message to the list so please be indulgent, I might be
  mixing concepts here between auditd, selinux and pam. Any guidance much
  appreciated.
  
  For PCI-DSS, in order to be allowed to have a real root shell instead of
  firing sudo all the time (and its lack of glob/completion), I'm trying
  to have any commands fired in any kind of root shell logged. (Of course
  it doesn't protect against malicious root users but that's off-topic).
  
  So, I've been able to achieve that purpose by using :
  
  $ grep tty /etc/pam.d/{su*,system-auth}
  /etc/pam.d/su:session required pam_tty_audit.so enable=root
  /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
  /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
  /etc/pam.d/su-l:session required pam_tty_audit.so enable=root
  /etc/pam.d/system-auth:session required pam_tty_audit.so disable=*
  enable=root
  
  Every keystroke is logged in /var/log/audit/audit.log which is great. My
  only issue is that I just realized that prompt passwords are also
  logged, eg MySQL password or Spacewalk, etc. I can read them in plain
  text when doing aureport --tty -if /var/log/audit/audit.log and PCI-DSS
  forbids any kind of storage of passwords, is there a workaround ? Eg:
  don't log keystrokes when the prompt is hidden (inputting a password)
  
  I'd like very much to be able to obtain real root shells for ease of work
  (sudo -i) my only constraint being: log everything but don't store any
  password.
  
  Thanks,
  
  --
  Cheers,
  Florian Crouzat
 

-- 
Tracy Reed



Re: EXT :Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2012-07-16 Thread Steve Grubb
On Monday, July 16, 2012 10:05:48 AM Florian Crouzat wrote:
 On 13/07/2012 19:09, Boyce, Kevin P (AS) wrote:
  Wouldn't another option be to audit the exec of particular executables you
  are interested in knowing if someone runs? Obviously you won't know what
  they are typing into text documents and such, but is that really
  required?  Most places don't allow key loggers at all and it sounds like
  that's what you've got.
 Nope, that's not required; what is required is to log every
 root-privileged action. sudo goes in /var/log/secure,

Sudo also goes into the audit log so that you have a high integrity source for 
what it was commanded to do.

 real root shells nowhere. The only solution I found was with pam_audit_tty
 that has the side effect of logging every keystroke, but I'm open to other
 solutions; creating a list of binaries to watch cannot be one.

One possibility is to write a simple event handler that watches for keystroke 
logging and does the filtering before writing to its own log file. Remember the 
audit system has a realtime interface and a parsing library so that dispatcher 
utilities can easily be created.

-Steve

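Tracy's question earlier on this page (when comm=passwd, note that something was typed but don't log the characters) and Steve's suggestion just above (a dispatcher that filters keystroke records before writing its own log) can be sketched together as an added Python example. This is not code from the thread or from the audit project, and it parses the record text directly rather than using the auparse library Steve refers to. The set of programs treated as secret prompts is an assumption to be tuned per site; the first sample record is the one Tracy quoted, the other two are constructed.

```python
import re

# Programs assumed (for this example) to be reading a secret from the tty.
# Keystrokes attributed to them are stored as a byte count only, never as characters.
SECRET_PROMPT_COMMS = {"passwd", "su", "sudo", "mysql", "login"}

# key=value pairs: either a double-quoted string or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return the key=value fields of one audit record, values left as written."""
    return dict(FIELD_RE.findall(line))

def decode_value(raw):
    """audit prints strings as "..." when printable and as hex otherwise; the TTY
    data field is usually hex because it contains the CR/LF the user typed."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].encode()
    try:
        return bytes.fromhex(raw)
    except ValueError:
        return raw.encode()

def filter_tty_record(line):
    """Return (record_to_store, decoded_keystrokes).  For a TTY record whose comm is
    a secret-prompting program the data field is replaced by a byte count, so the
    log still shows that input happened; decoded_keystrokes is then None."""
    rec = parse_record(line)
    if rec.get("type") != "TTY" or "data" not in rec:
        return line, None                      # not a keystroke record: pass through
    comm = rec.get("comm", "").strip('"')
    keystrokes = decode_value(rec["data"])
    if comm in SECRET_PROMPT_COMMS:
        stored = re.sub(r"data=\S+", f"data=<redacted {len(keystrokes)} bytes>", line)
        return stored, None
    return line, keystrokes

def run_filter(lines):
    """Apply the filter to a stream of records.  Returns the records the dispatcher
    would write to its own log and a (comm, text) transcript of the non-secret input."""
    stored, transcript = [], []
    for line in lines:
        out, keystrokes = filter_tty_record(line)
        stored.append(out)
        if keystrokes is not None:
            comm = parse_record(line).get("comm", "").strip('"')
            transcript.append((comm, keystrokes.decode("utf-8", "replace")))
    return stored, transcript

# Constructed sample: the first line is the record quoted in the thread; the other
# two are made up (hex of "ls -l /etc\r" and of a fake password followed by CR).
SAMPLE_LOG = [
    "type=TTY msg=audit(1362711728.667:284493): tty pid=21810 uid=0 auid=500 major=136 minor=1 comm=passwd data=ABCDEF01234569",
    "type=TTY msg=audit(1362711730.101:284494): tty pid=21815 uid=0 auid=500 major=136 minor=1 comm=bash data=6C73202D6C202F6574630D",
    "type=TTY msg=audit(1362711731.222:284495): tty pid=21820 uid=0 auid=500 major=136 minor=1 comm=mysql data=6D7953336372337450770D",
]

if __name__ == "__main__":
    stored, transcript = run_filter(SAMPLE_LOG)
    print("\n".join(stored))
    print(transcript)
```

The caveat is the same loophole Steve points out for the echo flag: comm is just the name of the running executable, and a root user can run a renamed copy of a binary to have its keystrokes redacted. The filter is therefore a best-effort way to keep secrets out of the stored log, not a control against a hostile admin, and the byte count it leaves behind is what an auditor reconciles against the aureport --tty timeline.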


Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2012-07-13 Thread Florian Crouzat

On 12/07/2012 21:41, Thugzclub wrote:

Florian,

Did you get an answer for this?

Regards.



Not a single one.

Florian.




On 10 Jul 2012, at 08:29, Florian Crouzat gen...@floriancrouzat.net wrote:


Hi,

This is my first message to the list so please be indulgent, I might be mixing 
concepts here between auditd, selinux and pam. Any guidance much appreciated.

For PCI-DSS, in order to be allowed to have a real root shell instead of firing 
sudo all the time (and its lack of glob/completion), I'm trying to have any 
commands fired in any kind of root shell logged. (Of course it doesn't protect 
against malicious root users but that's off-topic).

So, I've been able to achieve that purpose by using :

$ grep tty /etc/pam.d/{su*,system-auth}
/etc/pam.d/su:session required pam_tty_audit.so enable=root
/etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/su-l:session required pam_tty_audit.so enable=root
/etc/pam.d/system-auth:session required pam_tty_audit.so disable=* enable=root

Every keystroke is logged in /var/log/audit/audit.log which is great. My only 
issue is that I just realized that prompt passwords are also logged, eg MySQL 
password or Spacewalk, etc.
I can read them in plain text when doing aureport --tty -if /var/log/audit/audit.log and 
PCI-DSS forbids any kind of storage of passwords, is there a workaround ? Eg: don't log 
keystrokes when the prompt is hidden (inputting a password)

I'd like very much to be able to obtain real root shells for ease of work (sudo 
-i) my only constraint being: log everything but don't store any password.

Thanks,

--
Cheers,
Florian Crouzat





Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2012-07-13 Thread Thugzclub
Florian,

Did you get an answer for this?

Regards.



On 10 Jul 2012, at 08:29, Florian Crouzat gen...@floriancrouzat.net wrote:

 Hi,
 
 This is my first message to the list so please be indulgent, I might be 
 mixing concepts here between auditd, selinux and pam. Any guidance much 
 appreciated.
 
 For PCI-DSS, in order to be allowed to have a real root shell instead of 
 firing sudo all the time (and its lack of glob/completion), I'm trying to 
 have any commands fired in any kind of root shell logged. (Of course it 
 doesn't protect against malicious root users but that's off-topic).
 
 So, I've been able to achieve that purpose by using :
 
 $ grep tty /etc/pam.d/{su*,system-auth}
 /etc/pam.d/su:session required pam_tty_audit.so enable=root
 /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
 /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
 /etc/pam.d/su-l:session required pam_tty_audit.so enable=root
 /etc/pam.d/system-auth:session required pam_tty_audit.so disable=* enable=root
 
 Every keystroke is logged in /var/log/audit/audit.log which is great. My 
 only issue is that I just realized that prompt passwords are also logged, eg 
 MySQL password or Spacewalk, etc.
 I can read them in plain text when doing aureport --tty -if 
 /var/log/audit/audit.log and PCI-DSS forbids any kind of storage of passwords, 
 is there a workaround ? Eg: don't log keystrokes when the prompt is hidden 
 (inputting a password)
 
 I'd like very much to be able to obtain real root shells for ease of work 
 (sudo -i) my only constraint being: log everything but don't store any 
 password.
 
 Thanks,
 
 -- 
 Cheers,
 Florian Crouzat
 


Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2012-07-13 Thread Steve Grubb
On Friday, July 13, 2012 10:14:59 AM Florian Crouzat wrote:
 On 12/07/2012 21:41, Thugzclub wrote:
  Florian,
  
  Did you get an answer for this?
  
  Regards.
 
 Not a single one.

Hmm...I thought I sent an answer. The problem from the kernel's perspective is 
that it has no idea what user space is doing. It can't tell a password from 
anything else being typed. There is a flag that can be set for the TTY to hide 
characters. But the issue then becomes that now you have a loophole that a 
crafty admin could use to hide what he's really doing.

If anyone has ideas on how to improve this, I think we should.

-Steve


  On 10 Jul 2012, at 08:29, Florian Crouzat gen...@floriancrouzat.net 
wrote:
  Hi,
  
  This is my first message to the list so please be indulgent, I might be
  mixing concepts here between auditd, selinux and pam. Any guidance much
  appreciated.
  
  For PCI-DSS, in order to be allowed to have a real root shell instead of
  firing sudo all the time (and its lack of glob/completion), I'm trying
  to have any commands fired in any kind of root shell logged. (Of course
  it doesn't protect against malicious root users but that's off-topic).
  
  So, I've been able to achieve that purpose by using :
  
  $ grep tty /etc/pam.d/{su*,system-auth}
  /etc/pam.d/su:session required pam_tty_audit.so enable=root
  /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
  /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
  /etc/pam.d/su-l:session required pam_tty_audit.so enable=root
  /etc/pam.d/system-auth:session required pam_tty_audit.so disable=*
  enable=root
  
  Every keystroke is logged in /var/log/audit/audit.log which is great. My
  only issue is that I just realized that prompt passwords are also
  logged, eg MySQL password or Spacewalk, etc. I can read them in plain
  text when doing aureport --tty -if /var/log/audit/audit.log and PCI-DSS
  forbids any kind of storage of passwords, is there a workaround ? Eg:
  don't log keystrokes when the prompt is hidden (inputting a password)
  
  I'd like very much to be able to obtain real root shells for ease of work
  (sudo -i) my only constraint being: log everything but don't store any
  password.
  
  Thanks,
  
  --
  Cheers,
  Florian Crouzat
 


Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2012-07-13 Thread Florian Crouzat

On 13/07/2012 15:27, Steve Grubb wrote:


Hmm...I thought I sent an answer. The problem from the kernel's perspective is
that it has no idea what user space is doing. It can't tell a password from
anything else being typed. There is a flag that can be set for the TTY to hide
characters. But the issue then becomes that now you have a loophole that a
crafty admin could use to hide what he's really doing.

If anyone has ideas on how to improve this, I think we should.

-Steve


Yeah, I was afraid of that...
At least, thanks for clarifying.

I guess I'll stick with stating: don't fire any real root shell to all 
my sysadmins in the PCI-DSS scope. (as it's impossible to completely 
forbid all possible cases, e.g.: forbid sudo -*, sudo sudo *, sudo su * 
but hell, you can't forbid sudo ./foo.sh where foo fires a shell, there 
is NOEXEC in sudo but then you can't do anything except reading...)


Anyway, I'm getting away from the real matter, avoiding to audit-log 
password keystrokes.


--
Cheers,
Florian Crouzat





Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2012-07-13 Thread Valentin Avram
There is another way we used to pass PCI-DSS.

We use an audit rule to log all EXECVE happening on production servers,
rsyslog the logs to the remote centralized logs server, then parse the
audit logs there using a cron script and rebuild the commands issued on
each server by any user id.

Hope this helps.
On Jul 13, 2012 4:53 PM, Florian Crouzat gen...@floriancrouzat.net
wrote:

 On 13/07/2012 15:27, Steve Grubb wrote:

  Hmm...I thought I sent an answer. The problem from the kernel's
 perspective is
 that it has no idea what user space is doing. It can't tell a password
 from
 anything else being typed. There is a flag that can be set for the TTY to
 hide
 characters. But the issue then becomes that now you have a loophole that a
 crafty admin could use to hide what he's really doing.

 If anyone has ideas on how to improve this, I think we should.

 -Steve


 Yeah, I was afraid of that...
 At least, thanks for clarifying.

 I guess I'll stick with stating: don't fire any real root shell to all my
 sysadmins in the PCI-DSS scope. (as it's impossible to completely forbid
 all possible cases, e.g.: forbid sudo -*, sudo sudo *, sudo su * but hell,
 you can't forbid sudo ./foo.sh where foo fires a shell, there is NOEXEC in
 sudo but then you can't do anything except reading...)

 Anyway, I'm getting away from the real matter, avoiding to audit-log
 password keystrokes.

 --
 Cheers,
 Florian Crouzat



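Valentin's approach above (an execve audit rule, logs shipped to a central host, and a cron job that rebuilds the command lines issued per user) as an added Python example; this is not code from the thread or from the audit project. It assumes the rule is of the form `-a always,exit -F arch=b64 -S execve -k exec`, so that each exec produces SYSCALL, EXECVE and CWD records sharing one `msg=audit(timestamp:serial)` id; the sample records are constructed, with one argument hex-encoded the way audit writes arguments that contain a space.

```python
import re
import shlex
from collections import defaultdict

# key=value fields; EXECVE argument keys are a0, a1, ... (audit splits a very long
# argument into a1[0], a1[1], ...; that rare form is matched but not reassembled here).
FIELD_RE = re.compile(r'(\w+(?:\[\d+\])?)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

def decode_arg(raw):
    """EXECVE arguments are "quoted" when printable and hex-encoded otherwise."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw

def rebuild_commands(lines):
    """Join the SYSCALL, EXECVE and CWD records that share one audit(ts:serial) id
    into a single event and return the events that carry an argv, in time order."""
    events = defaultdict(dict)
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        ts, serial = float(m.group(1)), int(m.group(2))
        ev = events[serial]
        ev["ts"] = ts
        fields = dict(FIELD_RE.findall(line))
        rtype = fields.get("type")
        if rtype == "SYSCALL":
            # a0..a3 on a SYSCALL record are raw syscall registers, not argv:
            # take only the identity fields from it
            for key in ("auid", "uid", "comm", "exe", "tty", "success"):
                if key in fields:
                    ev[key] = fields[key].strip('"')
        elif rtype == "EXECVE":
            argc = int(fields["argc"])
            ev["argv"] = [decode_arg(fields[f"a{i}"]) for i in range(argc) if f"a{i}" in fields]
        elif rtype == "CWD":
            ev["cwd"] = fields["cwd"].strip('"')
    ordered = sorted(events.items(), key=lambda kv: (kv[1]["ts"], kv[0]))
    return [ev for _, ev in ordered if "argv" in ev]

def commands_by_auid(events):
    """Group the rebuilt command lines by login uid (auid), which survives su/sudo
    and is therefore the right key for 'who ran this' in a PCI-DSS report."""
    by_auid = defaultdict(list)
    for ev in events:
        by_auid[ev.get("auid", "?")].append(shlex.join(ev["argv"]))
    return dict(by_auid)

# Constructed sample: two execs by login uid 500 working as root (uid=0) and one by
# uid 501; the last argument is hex for "hello world".
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1342172400.123:1001): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=500 uid=0 gid=0 euid=0 tty=pts1 ses=3 comm="cat" exe="/bin/cat" key="exec"',
    'type=EXECVE msg=audit(1342172400.123:1001): argc=2 a0="cat" a1="/etc/shadow"',
    'type=CWD msg=audit(1342172400.123:1001):  cwd="/root"',
    'type=SYSCALL msg=audit(1342172401.456:1002): arch=c000003e syscall=59 success=yes exit=0 ppid=2101 pid=2102 auid=501 uid=501 gid=501 euid=501 tty=pts2 ses=4 comm="ls" exe="/bin/ls" key="exec"',
    'type=EXECVE msg=audit(1342172401.456:1002): argc=3 a0="ls" a1="-l" a2="/var/log"',
    'type=CWD msg=audit(1342172401.456:1002):  cwd="/home/alice"',
    'type=SYSCALL msg=audit(1342172402.789:1003): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2003 auid=500 uid=0 gid=0 euid=0 tty=pts1 ses=3 comm="echo" exe="/bin/echo" key="exec"',
    'type=EXECVE msg=audit(1342172402.789:1003): argc=2 a0="echo" a1=68656C6C6F20776F726C64',
]

if __name__ == "__main__":
    for ev in rebuild_commands(SAMPLE_LOG):
        print(f'{ev["ts"]:.3f} auid={ev["auid"]} uid={ev["uid"]} cwd={ev.get("cwd", "?")} {shlex.join(ev["argv"])}')
    print(commands_by_auid(rebuild_commands(SAMPLE_LOG)))
```

Because only execs are recorded, this shows what was run but not what was typed into an interactive program, which is the trade-off Kevin raises earlier in the thread; in exchange nothing typed at a password prompt ever reaches the log.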

Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2012-07-13 Thread Miloslav Trmac
Hello,
- Original Message -
 Every keystroke is logged in /var/log/audit/audit.log which is great.
 My only issue is that I just realized that prompt passwords are also
 logged, eg MySQL password or Spacewalk, etc.
 I can read them in plain text when doing aureport --tty -if
 /var/log/audit/audit.log and PCI-DSS forbids any kind of storage of
 passwords, is there a workaround ? Eg: don't log keystrokes when the
 prompt is hidden (inputting a password)

Not auditing non-echoed input gives rogue users an ability to bypass auditing 
by starting an application that disables echo (e.g. to prompt for a password), 
and causing the application to terminate - the TTY will stay in the non-echoing 
mode, and future input will not be audited.

That said, for some people it really may be more important not to audit 
passwords than to audit every possible input, and providing users an option to 
choose one or the other is technically quite simple.  It's on my long-term 
to-do list, but I'm afraid I'm not expecting to work on this in the near future.

If anyone else wants to look at it, the original version of the patches 
https://www.redhat.com/archives/linux-audit/2007-June/msg0.html does 
contain code to exclude non-echoed input in canonical mode: just forward-port 
the code dealing with the ICANON and ECHO flags, and add a sysctl to control 
the behavior.
Mirek



RE: EXT :Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

2012-07-13 Thread Boyce, Kevin P (AS)
Wouldn't another option be to audit the exec of particular executables you are 
interested in knowing if someone runs?
Obviously you won't know what they are typing into text documents and such, but 
is that really required?  Most places don't allow key loggers at all and it 
sounds like that's what you've got.



-Original Message-
From: linux-audit-boun...@redhat.com [mailto:linux-audit-boun...@redhat.com] On 
Behalf Of Florian Crouzat
Sent: Friday, July 13, 2012 9:51 AM
To: Steve Grubb
Cc: Thugzclub; linux-audit@redhat.com
Subject: EXT :Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

On 13/07/2012 15:27, Steve Grubb wrote:

 Hmm...I thought I sent an answer. The problem from the kernel's perspective is
 that it has no idea what user space is doing. It can't tell a password from
 anything else being typed. There is a flag that can be set for the TTY to hide
 characters. But the issue then becomes that now you have a loophole that a
 crafty admin could use to hide what he's really doing.

 If anyone has ideas on how to improve this, I think we should.

 -Steve

Yeah, I was afraid of that...
At least, thanks for clarifying.

I guess I'll stick with stating: don't fire any real root shell to all 
my sysadmins in the PCI-DSS scope. (as it's impossible to completely 
forbid all possible cases, e.g.: forbid sudo -*, sudo sudo *, sudo su * 
but hell, you can't forbid sudo ./foo.sh where foo fires a shell, there 
is NOEXEC in sudo but then you can't do anything except reading...)

Anyway, I'm getting away from the real matter, avoiding to audit-log 
password keystrokes.

-- 
Cheers,
Florian Crouzat


