----- Original Message -----
On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
> ----- Original Message -----
> > > Please do post the patch here when you have it worked out as I am
> > > very likely to miss it in the flood of kernel patches when it goes
> > > to/from Linus.
> >
> > Here you go. Given Steve's good question, this control method may
> > change.
>
> Isn't "icanon" _true_ when the data is echoed? This patch would allow
> dropping the echoed data (i.e. commands), not the non-echoed data
> (i.e. passwords).
> (I might be mistaken and I haven't tested this.)

Apparently not. This is what took me longer than I initially thought
necessary to get this working, rechecking my pam incantations along the
way. I went back and actually removed my switch and just isolated
icanon in the decision to abort the function to confirm how it worked,
then inverted the test which is when it started working. Eric was right
to start with.

Are you looking at AUDIT_TTY only, or at AUDIT_USER_TTY as well? The latter is
generated by bash and not relevant.

Anyway, I was being stupid - icanon is enabled even when asking for passwords
(because backspace works). When asking for passwords, the situation seems to be
(ICANON && !ECHO) (using the tcsetattr(3p) names; I have checked agetty(8) and
su(1)). We definitely want to audit (ICANON && ECHO); I'm not sure about the
!ICANON cases - I suspect we want them audited as well. But that might need a
more detailed look.
Mirek
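
The termios states discussed in this thread, as an added userspace example that is not part of the original messages or of the kernel patch under discussion. The enum, the function names and the labels are hypothetical; only ICANON, ECHO and the termios(3) calls are real.

```c
#include <stdio.h>
#include <termios.h>
#include <unistd.h>

/* Hypothetical labels for this example; not kernel or audit identifiers. */
enum tty_input_class {
    TTY_ECHOED_LINE,   /* ICANON && ECHO: ordinary echoed line input */
    TTY_HIDDEN_LINE,   /* ICANON && !ECHO: the password-prompt pattern */
    TTY_NONCANONICAL   /* !ICANON: the case the thread leaves open */
};

enum tty_input_class classify_lflag(tcflag_t lflag)
{
    if (!(lflag & ICANON))
        return TTY_NONCANONICAL;
    return (lflag & ECHO) ? TTY_ECHOED_LINE : TTY_HIDDEN_LINE;
}

/* The change the reply reports for password prompts: ECHO is cleared,
 * ICANON stays set, so line editing (backspace) keeps working. */
struct termios password_prompt_mode(struct termios t)
{
    t.c_lflag &= ~(tcflag_t)ECHO;
    return t;
}

const char *class_name(enum tty_input_class c)
{
    switch (c) {
    case TTY_ECHOED_LINE: return "ICANON && ECHO (echoed line input)";
    case TTY_HIDDEN_LINE: return "ICANON && !ECHO (password-style input)";
    default:              return "!ICANON (non-canonical input)";
    }
}

int main(void)
{
    struct termios cur;
    /* Read-only query: the terminal settings are never modified. */
    if (tcgetattr(STDIN_FILENO, &cur) != 0) {
        perror("tcgetattr");
        return 1;
    }
    struct termios pw = password_prompt_mode(cur);
    printf("current tty:        %s\n", class_name(classify_lflag(cur.c_lflag)));
    printf("with ECHO cleared:  %s\n", class_name(classify_lflag(pw.c_lflag)));
    return 0;
}
```

Run from an interactive shell, the first line shows the current state of the terminal and the second shows the state a password prompt would leave it in.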