Hello,
----- Original Message -----
Every keystroke is logged in /var/log/audit/audit.log, which is
great.
My only issue is that I just realized that prompt passwords are also
logged, e.g. the MySQL password or Spacewalk, etc.
I can read them in plain text when doing "aureport --tty -if
/var/log/audit/audit.log", and PCI-DSS forbids any kind of storage of
passwords. Is there a workaround? E.g.: don't log keystrokes when the
prompt is "hidden" (inputting a password).
Not auditing non-echoed input gives rogue users an ability to bypass auditing by starting
an application that disables echo (e.g. to prompt for a password), and causing the
application to terminate - the TTY will stay in the non-echoing mode, and future input
will not be audited.
That said, for some people it really may be more important not to audit passwords than to
audit every possible input, and providing users an option to choose one or the other is
technically quite simple. It's on my long-term to-do list, but I'm afraid I'm
not expecting to work on this in the near future.
If anyone else wants to look at it, the original version of the patches
https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html does contain code to
exclude non-echoed input in canonical mode: just forward-port the code dealing with the
ICANON and ECHO flags, and add a sysctl to control the behavior.
Mirek
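As an added illustration (this is not code from the thread, from the 2007 patches, or from the audit package), the following userspace program models the rule Mirek describes: skip auditing only when the line discipline is in canonical mode (ICANON set) with echoing disabled (ECHO cleared), and audit everything else. It also reproduces the bypass he warns about, by clearing ECHO on the controlling terminal and exiting without restoring it, exactly as a password prompt that is killed mid-read would. The function names (should_audit_input, should_audit_fd, disable_echo_and_leave) and the "check"/"break" arguments are this example's own choices; the in-kernel check in the patches is assumed to test the same two termios flags, as the message states, but nothing else here is taken from that code.

```c
/*
 * Added example, not part of the original thread or the audit package.
 *
 * Build: cc -Wall -o ttyecho ttyecho.c
 * Run:   ./ttyecho check   - report whether input on stdin would be audited
 *                            under the "ICANON && !ECHO means password" rule
 *        ./ttyecho break   - clear ECHO on stdin and exit WITHOUT restoring it
 *
 * After "break", run "check" again in the same terminal: ECHO is still off,
 * so a filter built on this rule would skip every further line of input
 * typed at that shell. Restore the terminal with "stty echo" or "reset".
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* The proposed rule, applied to a c_lflag value: canonical (line-at-a-time)
 * mode with ECHO cleared is how getpass()-style prompts read a password, so
 * that input is excluded. Raw-mode input (editors, curses apps) and ordinary
 * echoed shell input are still audited.
 * Returns 1 = audit this input, 0 = skip it. */
int should_audit_input(tcflag_t lflag)
{
    int canonical = (lflag & ICANON) != 0;
    int echoing   = (lflag & ECHO) != 0;

    if (canonical && !echoing)
        return 0;
    return 1;
}

/* Read the live termios state of fd and apply the rule.
 * Returns 1 or 0 as above, or -1 if fd is not a terminal. */
int should_audit_fd(int fd)
{
    struct termios t;

    if (tcgetattr(fd, &t) != 0)
        return -1;
    return should_audit_input(t.c_lflag);
}

/* The bypass: do what a password prompt does (clear ECHO) and return without
 * putting the old flags back, as a prompt that was killed mid-read would.
 * The terminal keeps the non-echoing mode after this process exits.
 * Returns 0 on success, -1 if fd is not a terminal or tcsetattr fails. */
int disable_echo_and_leave(int fd)
{
    struct termios t;

    if (tcgetattr(fd, &t) != 0)
        return -1;
    t.c_lflag &= ~ECHO;               /* equivalent to "stty -echo" */
    return tcsetattr(fd, TCSANOW, &t);
}

int main(int argc, char **argv)
{
    int fd = STDIN_FILENO;
    int r;

    if (argc > 1 && strcmp(argv[1], "break") == 0) {
        if (disable_echo_and_leave(fd) != 0) {
            perror("tcsetattr");
            return 1;
        }
        puts("ECHO cleared; exiting without restoring it (run 'stty echo' to undo)");
        return 0;
    }

    r = should_audit_fd(fd);
    if (r < 0) {
        fprintf(stderr, "stdin is not a terminal\n");
        return 1;
    }
    printf("input on this tty would be %s under the ICANON && !ECHO rule\n",
           r ? "audited" : "skipped");
    return 0;
}
```

The point of running "break" and then "check" in the same terminal is that the second program never touched the flags itself, yet sees ECHO still cleared: whoever is deciding whether to audit cannot tell a live password prompt from a terminal that was simply left in that state, which is why making the exclusion optional (the sysctl Mirek mentions) rather than unconditional matters.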