2:48 p.m.
I am resurrecting this old thread from last summer because I ran into the same
issue and found the thread in the archives via Google. It would be very nice if
everything could be logged except passwords. Isn't the option for echo back set
in the tty settings? Could the pam module not log characters when the tty is
set for no echo back? Or at least log the fact that something was typed but
not logged. A typical problematic log line looks like:
type=TTY msg=audit(1362711728.667:284493): tty pid=21810 uid=0 auid=500 major=136 minor=1
comm="passwd" data=ABCDEF01234569
We can already enable/disable audit based on user with enable= or disable= as
an argument to the pam module. Could we do something similar with the command?
So if comm="passwd" could we note that something was typed but not log the
actual chars?
On Friday, July 13, 2012 10:14:59 AM Florian Crouzat wrote:
Le 12/07/2012 21:41, Thugzclub a écrit :
> Florian,
>
> Did you get and answer for this?
>
> Regards.
Not a single one.
Hmm...I thought I sent an answer. The problem from the kernel's perspective is
that it has no idea what user space is doing. It can't tell a password from
anything else being typed. There is a flag that can be set for the TTY to hide
characters. But the issue then becomes that now you have a loophole that a
crafty admin could use to hide what he's really doing.
If anyone has ideas on how to improve this, I think we should.
-Steve
> On 10 Jul 2012, at 08:29, Florian Crouzat <gentoo
floriancrouzat net>
wrote:
>> Hi,
>>
>> This is my first message to the list to please be indulgent, I might be
>> mixing concepts here between auditd, selinux and pam. Any guidance much
>> appreciated.
>>
>> For PCI-DSS, in order to be allowed to have a real root shell instead of
>> firing sudo all the time (and it's lack of glob/completion), I'm trying
>> to have any commands fired in any kind of root shell logged. (Of course
>> it doesn't protect against malicious root users but that's off-topic).
>>
>> So, I've been able to achieve that purpose by using :
>>
>> $ grep tty /etc/pam.d/{su*,system-auth}
>> /etc/pam.d/su:session required pam_tty_audit.so enable=root
>> /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
>> /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
>> /etc/pam.d/su-l:session required pam_tty_audit.so enable=root
>> /etc/pam.d/system-auth:session required pam_tty_audit.so disable=*
>> enable=root
>>
>> Every keystroke are logged in /var/log/audit/audit.log which is great. My
>> only issue is that I just realized that prompt passwords are also
>> logged, eg MySQL password or Spacewalk, etc. I can read them in plain
>> text when doing "aureport --tty -if /var/log/audit/audit.log and PCI-DSS
>> forbid any kind of storage of passwords, is there a workaround ? Eg:
>> don't log keystrokes when the prompt is "hidden" (inputting a
password)
>>
>> I'd like very much to be able to obtain real root shells for ease of work
>> (sudo -i) my only constraint beeing: log everything but don't store any
>> password.
>>
>> Thanks,
>>
>> --
>> Cheers,
>> Florian Crouzat
--
Linux-audit mailing list
Linux-audit redhat com
https://www.redhat.com/mailman/listinfo/linux-audit
--
Tracy Reed
6:06 a.m.
New subject: PCI-DSS: Log every root actions/keystrokes but avoid passwords
----- Original Message -----
I am resurrecting this old thread from last summer because I ran into
the same
issue and found the thread in the archives via Google. It would be very nice if
everything could be logged except passwords.
There is work being done. Sorry, I don't have more specifics as to availability,
perhaps others do.
Mirek
3:47 p.m.
New subject: PCI-DSS: Log every root actions/keystrokes but avoid passwords
On Tue, Mar 12, 2013 at 07:06:59AM -0400, Miloslav Trmac wrote:
----- Original Message -----
> I am resurrecting this old thread from last summer because I ran into the same
> issue and found the thread in the archives via Google. It would be very nice if
> everything could be logged except passwords.
There is work being done. Sorry, I don't have more specifics as to
availability, perhaps others do.
Hi Tracy,
I'm actually working on that right now. I have a patch I am in the
process of testing. It implements a new sysctl. I'm working in
the upstream kernel, so it will likely be available in Linus' git tree
before anywhere else. After that, likely fedora, then RHEL, but I'm a
bit new to that process.
I don't see a reason why I couldn't post that patch here when I've got
it ironed out.
Mirek
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635
4:09 p.m.
New subject: PCI-DSS: Log every root actions/keystrokes but avoid passwords
On Tuesday, March 12, 2013 04:47:42 PM Richard Guy Briggs wrote:
On Tue, Mar 12, 2013 at 07:06:59AM -0400, Miloslav Trmac wrote:
> ----- Original Message -----
>
> > I am resurrecting this old thread from last summer because I ran into
> > the same issue and found the thread in the archives via Google. It
> > would be very nice if everything could be logged except passwords.
>
> There is work being done. Sorry, I don't have more specifics as to
> availability, perhaps others do.
Hi Tracy,
I'm actually working on that right now. I have a patch I am in the
process of testing. It implements a new sysctl.
Why would this be done as a sysctl? Everything else in the audit system is
configured through the netlink API. I would think that we would want to have it
configured by the same pam module that we currently use to enable tty auditing.
So, why not make a new netlink command that pam can use?
I'm working in the upstream kernel, so it will likely be
available in Linus'
git tree before anywhere else.
Normally audit patches are sent to this mail list for review. If there are no
objections then it can be pulled into an upstream tree.
-Steve
After that, likely fedora, then RHEL, but I'm a bit new to that
process.
I don't see a reason why I couldn't post that patch here when I've got
it ironed out.
9:55 a.m.
New subject: PCI-DSS: Log every root actions/keystrokes but avoid passwords
On Tue, Mar 12, 2013 at 05:09:15PM -0400, Steve Grubb wrote:
On Tuesday, March 12, 2013 04:47:42 PM Richard Guy Briggs wrote:
> On Tue, Mar 12, 2013 at 07:06:59AM -0400, Miloslav Trmac wrote:
> > ----- Original Message -----
> >
> > > I am resurrecting this old thread from last summer because I ran into
> > > the same issue and found the thread in the archives via Google. It
> > > would be very nice if everything could be logged except passwords.
> >
> > There is work being done. Sorry, I don't have more specifics as to
> > availability, perhaps others do.
>
> Hi Tracy,
>
> I'm actually working on that right now. I have a patch I am in the
> process of testing. It implements a new sysctl.
Why would this be done as a sysctl? Everything else in the audit system is
configured through the netlink API. I would think that we would want to have it
configured by the same pam module that we currently use to enable tty auditing.
So, why not make a new netlink command that pam can use?
The lazy and naive answer is that that was the approach that was
suggested by two developers much more familiar with this code than me (I
expect that to balance out with time.)
Now that you suggest this, I agree that approach makes a lot of sense.
The more technical answer might be that it is much more expedient to do
it with a sysctl since it involves fewer compiled entities to implement
and hence can be rolled out faster with less co-ordination of other
software projects. After the kernel is recompiled (needed in any case)
it can be implemented with one line added to a file in /etc/sysctl.d/
while your approach requires adding code to audit and pam, waiting for
it to be released by their respective teams, then the user adding a
config option to the pam module invocation. I agree that would be more
convenient for end users since it can be an option added in the same
place as the module is invoked.
I haven't seen a lot of requests for this feature yet, but it sounds
like there could be a lot of interest, so it may be worth doing
correctly, rather than as a quick fix.
Am I missing anything?
> I'm working in the upstream kernel, so it will likely be
available in Linus'
> git tree before anywhere else.
Normally audit patches are sent to this mail list for review. If there are no
objections then it can be pulled into an upstream tree.
I'll post this patch anyways.
-Steve
> After that, likely fedora, then RHEL, but I'm a bit new to that process.
>
> I don't see a reason why I couldn't post that patch here when I've got
> it ironed out.
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635
10:59 a.m.
New subject: PCI-DSS: Log every root actions/keystrokes but avoid passwords
On Wednesday, March 13, 2013 10:55:29 AM Richard Guy Briggs wrote:
On Tue, Mar 12, 2013 at 05:09:15PM -0400, Steve Grubb wrote:
> On Tuesday, March 12, 2013 04:47:42 PM Richard Guy Briggs wrote:
> > On Tue, Mar 12, 2013 at 07:06:59AM -0400, Miloslav Trmac wrote:
> > > ----- Original Message -----
> > >
> > > > I am resurrecting this old thread from last summer because I ran
> > > > into
> > > > the same issue and found the thread in the archives via Google. It
> > > > would be very nice if everything could be logged except passwords.
> > >
> > > There is work being done. Sorry, I don't have more specifics as to
> > > availability, perhaps others do.
> >
> > Hi Tracy,
> >
> > I'm actually working on that right now. I have a patch I am in the
> > process of testing. It implements a new sysctl.
>
> Why would this be done as a sysctl? Everything else in the audit system is
> configured through the netlink API. I would think that we would want to
> have it configured by the same pam module that we currently use to enable
> tty auditing. So, why not make a new netlink command that pam can use?
The lazy and naive answer is that that was the approach that was
suggested by two developers much more familiar with this code than me (I
expect that to balance out with time.)
Now that you suggest this, I agree that approach makes a lot of sense.
The more technical answer might be that it is much more expedient to do
it with a sysctl since it involves fewer compiled entities to implement
and hence can be rolled out faster with less co-ordination of other
software projects.
To me, its more important to not have a proliferation of places that must be
tweaked for the audit system. Its not a big deal to patch pam to have a new
argument.
After the kernel is recompiled (needed in any case)
it can be implemented with one line added to a file in /etc/sysctl.d/
while your approach requires adding code to audit and pam, waiting for
it to be released by their respective teams, then the user adding a
config option to the pam module invocation. I agree that would be more
convenient for end users since it can be an option added in the same
place as the module is invoked.
The problem that I have had for a long time is that there is no way to query
the kernel and ask what its audit capabilities are so that meaningful user
space warnings can be given.
I haven't seen a lot of requests for this feature yet, but it
sounds
like there could be a lot of interest, so it may be worth doing
correctly, rather than as a quick fix.
Am I missing anything?
Nope. Let's make it nice and easy to configure in the same place that its
already being done. :-)
Thanks,
-Steve
3:24 p.m.
New subject: PCI-DSS: Log every root actions/keystrokes but avoid passwords
On Wed, Mar 13, 2013 at 07:55:29AM PDT, Richard Guy Briggs spake thusly:
I haven't seen a lot of requests for this feature yet, but it
sounds
like there could be a lot of interest, so it may be worth doing
correctly, rather than as a quick fix.
As people become more security-aware and implement PCI/HIPAA/FISMA and other
regulatory regimes (which are why I'm here) they will be asking for more
auditing capability, especially in the area of console/tty logging where Linux
has historically been weak. Writing out passwords to logfiles is simply not an
option. We are currently looking at Xceedium for auditing/logging our bastion
hosts but would really prefer to avoid that route if auditd or some other Linux
component could handle that for us.
--
Tracy Reed
4:09 p.m.
New subject: PCI-DSS: Log every root actions/keystrokes but avoid passwords
On Tue, Mar 12, 2013 at 01:47:42PM PDT, Richard Guy Briggs spake thusly:
I'm actually working on that right now. I have a patch I am in
the
process of testing. It implements a new sysctl. I'm working in
the upstream kernel, so it will likely be available in Linus' git tree
before anywhere else. After that, likely fedora, then RHEL, but I'm a
bit new to that process.
Wow, thanks! Always glad to see good security features/auditing being added to
the kernel. Although I'm surprised a new sysctl was necessary and it couldn't
all be done in auditd in userspace. I look forward to reading over the code to
learn what into this.
Please do post the patch here when you have it worked out as I am very likely
to miss it in the flood of kernel patches when it goes to/from Linus.
Thanks again!
--
Tracy Reed
11:26 a.m.
New subject: PCI-DSS: Log every root actions/keystrokes but avoid passwords
On Tue, Mar 12, 2013 at 02:09:37PM -0700, Tracy Reed wrote:
On Tue, Mar 12, 2013 at 01:47:42PM PDT, Richard Guy Briggs spake
thusly:
> I'm actually working on that right now. I have a patch I am in the
> process of testing. It implements a new sysctl. I'm working in
> the upstream kernel, so it will likely be available in Linus' git tree
> before anywhere else. After that, likely fedora, then RHEL, but I'm a
> bit new to that process.
Wow, thanks! Always glad to see good security features/auditing being added to
the kernel. Although I'm surprised a new sysctl was necessary and it couldn't
all be done in auditd in userspace. I look forward to reading over the code to
learn what into this.
The necessary hooks are in the tty driver in the kernel. Control bits
could be managed by audit in userspace, but would still need kernel
intervention.
Please do post the patch here when you have it worked out as I am
very likely
to miss it in the flood of kernel patches when it goes to/from Linus.
Here you go. Given Steve's good question, this control method may
change.
Thanks again!
No worries, glad to be of service.
Tracy Reed
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635
11:43 a.m.
New subject: PCI-DSS: Log every root actions/keystrokes but avoid passwords
----- Original Message -----
> Please do post the patch here when you have it worked out as I
am
> very likely
> to miss it in the flood of kernel patches when it goes to/from
> Linus.
Here you go. Given Steve's good question, this control method may
change.
Isn't "icanon" _true_ when the data is echoed? This patch would allow
dropping the echoed data (i.e. commands), not the non-echoed data (i.e. passwords).
(I might be mistaken and I haven't tested this.)
Mirek
11:53 a.m.
New subject: PCI-DSS: Log every root actions/keystrokes but avoid passwords
On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
----- Original Message -----
> > Please do post the patch here when you have it worked out as I am
> > very likely
> > to miss it in the flood of kernel patches when it goes to/from
> > Linus.
>
> Here you go. Given Steve's good question, this control method may
> change.
Isn't "icanon" _true_ when the data is echoed? This patch would allow
dropping the echoed data (i.e. commands), not the non-echoed data
(i.e. passwords).
(I might be mistaken and I haven't tested this.)
Apparently not. This is what took me longer than I initially thought
necessary to get this working, rechecking my pam incantations along the
way. I went back and actually removed my switch and just isolated
icanon in the decision to abort the function to confirm how it worked,
then inverted the test which is when it started working. Eric was right
to start with.
Mirek
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635
12:37 p.m.
New subject: PCI-DSS: Log every root actions/keystrokes but avoid passwords
----- Original Message -----
On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
> ----- Original Message -----
> > > Please do post the patch here when you have it worked out as I
> > > am
> > > very likely
> > > to miss it in the flood of kernel patches when it goes to/from
> > > Linus.
> >
> > Here you go. Given Steve's good question, this control method
> > may
> > change.
>
> Isn't "icanon" _true_ when the data is echoed? This patch would
> allow
> dropping the echoed data (i.e. commands), not the non-echoed data
> (i.e. passwords).
> (I might be mistaken and I haven't tested this.)
Apparently not. This is what took me longer than I initially thought
necessary to get this working, rechecking my pam incantations along the
way. I went back and actually removed my switch and just isolated
icanon in the decision to abort the function to confirm how it worked,
then inverted the test which is when it started working. Eric was right
to start with.
Are you looking at AUDIT_TTY only, or at AUDIT_USER_TTY as well? The latter is generated
by bash and not relevant.
Anyway, I was beig stupid - icanon is enabled even when asking for passwords (because
backspace works). When asking for passwords, the situation seems to be (ICANON &&
!ECHO) (using the tcsetattr(3p) names; I have checked agetty(8) and su(1)). We definitely
want to audit (ICANON && ECHO); I'm not sure about the !ICANON cases - I
suspect we want them audited as well. But that might need a more detailed look.
Mirek
9:56 a.m.
New subject: PCI-DSS: Log every root actions/keystrokes but avoid passwords
On Wed, Mar 13, 2013 at 01:37:53PM -0400, Miloslav Trmac wrote:
----- Original Message -----
> On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
> > ----- Original Message -----
> > > > Please do post the patch here when you have it worked out as I
> > > > am
> > > > very likely
> > > > to miss it in the flood of kernel patches when it goes to/from
> > > > Linus.
> > >
> > > Here you go. Given Steve's good question, this control method
> > > may
> > > change.
> >
> > Isn't "icanon" _true_ when the data is echoed? This patch would
> > allow
> > dropping the echoed data (i.e. commands), not the non-echoed data
> > (i.e. passwords).
> > (I might be mistaken and I haven't tested this.)
>
> Apparently not. This is what took me longer than I initially thought
> necessary to get this working, rechecking my pam incantations along the
> way. I went back and actually removed my switch and just isolated
> icanon in the decision to abort the function to confirm how it worked,
> then inverted the test which is when it started working. Eric was right
> to start with.
Are you looking at AUDIT_TTY only, or at AUDIT_USER_TTY as well? The
latter is generated by bash and not relevant.
I was looking at both, but primarily watching AUDIT_TTY for sshd, since
that is the pam rule that I was using for testing.
Anyway, I was beig stupid - icanon is enabled even when asking for
passwords (because backspace works). When asking for passwords, the
situation seems to be (ICANON && !ECHO) (using the tcsetattr(3p)
names; I have checked agetty(8) and su(1)). We definitely want to
audit (ICANON && ECHO); I'm not sure about the !ICANON cases - I
suspect we want them audited as well. But that might need a more
detailed look.
This reply is a bit stale since I started to write it yesterday...
Ok, so it sounds like I need to add (or substitute) "&& !L_ECHO(tty)"
to
that expression.
As a sanity check, can I just verify that to test this, I should only
need to add something like "session required pam_tty_audit.so disable=*
enable=rgb" to /etc/pam.d/sshd and then ssh in to the box as rgb, then
issue a command that requires a password such as ssh or su?
Ok, I just chatted with Mirek... He pointed me at:
https://access.redhat.com/knowledge/solutions/226243
I had set it up for a non-root user to avoid logging the instrumentation
console...
I'll redo these tests...
Mirek
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635
4300
days inactive
4303
days old
linux-audit@lists.linux-audit.osci.io
12 comments
4 participants
participants (4)
-
Miloslav Trmac -
Richard Guy Briggs -
Steve Grubb -
Tracy Reed