On Tue, Mar 12, 2013 at 02:09:37PM -0700, Tracy Reed wrote:
> On Tue, Mar 12, 2013 at 01:47:42PM PDT, Richard Guy Briggs spake thusly:
> > I'm actually working on that right now. I have a patch I am in the
> > process of testing. It implements a new sysctl. I'm working in
> > the upstream kernel, so it will likely be available in Linus' git tree
> > before anywhere else. After that, likely Fedora, then RHEL, but I'm a
> > bit new to that process.
>
> Wow, thanks! Always glad to see good security features/auditing being added to
> the kernel. Although I'm surprised a new sysctl was necessary and it couldn't
> all be done in auditd in userspace. I look forward to reading over the code to
> learn what went into this.

The necessary hooks are in the tty driver in the kernel. Control bits
could be managed by audit in userspace, but would still need kernel
intervention.

> Please do post the patch here when you have it worked out as I am very likely
> to miss it in the flood of kernel patches when it goes to/from Linus.

Here you go. Given Steve's good question, this control method may
change.

> Thanks again!

No worries, glad to be of service.

> Tracy Reed

- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635