Le 12/07/2012 21:41, Thugzclub a écrit :
Florian,
Did you get and answer for this?
Regards.
Not a single one.
Florian.
On 10 Jul 2012, at 08:29, Florian Crouzat <gentoo(a)floriancrouzat.net> wrote:
> Hi,
>
> This is my first message to the list to please be indulgent, I might be mixing
concepts here between auditd, selinux and pam. Any guidance much appreciated.
>
> For PCI-DSS, in order to be allowed to have a real root shell instead of firing sudo
all the time (and it's lack of glob/completion), I'm trying to have any commands
fired in any kind of root shell logged. (Of course it doesn't protect against
malicious root users but that's off-topic).
>
> So, I've been able to achieve that purpose by using :
>
> $ grep tty /etc/pam.d/{su*,system-auth}
> /etc/pam.d/su:session required pam_tty_audit.so enable=root
> /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
> /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
> /etc/pam.d/su-l:session required pam_tty_audit.so enable=root
> /etc/pam.d/system-auth:session required pam_tty_audit.so disable=* enable=root
>
> Every keystroke are logged in /var/log/audit/audit.log which is great. My only issue
is that I just realized that prompt passwords are also logged, eg MySQL password or
Spacewalk, etc.
> I can read them in plain text when doing "aureport --tty -if
/var/log/audit/audit.log and PCI-DSS forbid any kind of storage of passwords, is there a
workaround ? Eg: don't log keystrokes when the prompt is "hidden" (inputting
a password)
>
> I'd like very much to be able to obtain real root shells for ease of work (sudo
-i) my only constraint beeing: log everything but don't store any password.
>
> Thanks,
>
> --
> Cheers,
> Florian Crouzat