Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

----- Original Message ----- > On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote: > > ----- Original Message ----- > > > > Please do post the patch here when you have it worked out as I > > > > am > > > > very likely > > > > to miss it in the flood of kernel patches when it goes to/from > > > > Linus. > > > > > > Here you go. Given Steve's good question, this control method > > > may > > > change. > > > > Isn't "icanon" _true_ when the data is echoed? This patch would > > allow > > dropping the echoed data (i.e. commands), not the non-echoed data > > (i.e. passwords). > > (I might be mistaken and I haven't tested this.) > > Apparently not. This is what took me longer than I initially thought > necessary to get this working, rechecking my pam incantations along the > way. I went back and actually removed my switch and just isolated > icanon in the decision to abort the function to confirm how it worked, > then inverted the test which is when it started working. Eric was right > to start with. Are you looking at AUDIT_TTY only, or at AUDIT_USER_TTY as well? The latter is generated by bash and not relevant.

Anyway, I was beig stupid - icanon is enabled even when asking for passwords (because backspace works). When asking for passwords, the situation seems to be (ICANON && !ECHO) (using the tcsetattr(3p) names; I have checked agetty(8) and su(1)). We definitely want to audit (ICANON && ECHO); I'm not sure about the !ICANON cases - I suspect we want them audited as well. But that might need a more detailed look.

Mirek