From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: EXT :Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
Date: Mon, 16 Jul 2012 09:20:21 -0400
Message-ID: <1605914.SDj8K2JqAG@x2>
References: <4FFBD9D6.2080902@floriancrouzat.net> <5CB21FE316752445AF212D47C8BE561112EA2031@XMBVAG75.northgrum.com> <5003CB5C.8090009@floriancrouzat.net>
In-Reply-To: <5003CB5C.8090009@floriancrouzat.net>
To: Florian Crouzat
Cc: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

On Monday, July 16, 2012 10:05:48 AM Florian Crouzat wrote:
> On 13/07/2012 19:09, Boyce, Kevin P (AS) wrote:
> > Wouldn't another option be to audit the exec of particular executables you
> > are interested in knowing if someone runs? Obviously you won't know what
> > they are typing into text documents and such, but is that really
> > required? Most places don't allow key loggers at all and it sounds like
> > that's what you've got.
>
> Nope, that's not required. What is required is to log every
> root-privileged action: sudo goes in /var/log/secure,

Sudo also goes into the audit log, so that you have a high-integrity source for
what it was commanded to do.

> real root shells nowhere. The only solution I found was with pam_tty_audit,
> which has the side effect of logging every keystroke, but I'm open to other
> solutions; creating a list of binaries to watch cannot be one.

One possibility is to write a simple event handler that watches for keystroke
logging and does the filtering before writing to its own log file. Remember the
audit system has a realtime interface and a parsing library, so that dispatcher
utilities can easily be created.

-Steve
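The dispatcher Steve sketches, as an added example that is not part of the original thread or of the audit project's own code: it reads raw audit records on stdin the way audispd hands events to a plugin, decodes the hex in `type=TTY ... data=` records written by pam_tty_audit, reassembles keystrokes into whole lines per terminal, and redacts the lines typed right after a command that is known to prompt for a password. The prompter list and the number of lines each one is assumed to swallow are heuristics chosen for this example; the sample records are constructed, and the parsing is done by hand so the script runs stand-alone (a production plugin would use the auparse library Steve refers to).

```python
#!/usr/bin/env python3
"""Filtering dispatcher for pam_tty_audit keystroke records (added example).

Reads raw audit records from stdin, decodes TTY data, assembles lines per
terminal and redacts what is typed right after a password-prompting command.
"""
import re
import sys

# Heuristic for this example: commands after which the next N typed lines are
# presumed to be secrets (passwd asks current/new/retype, hence 3).
PASSWORD_PROMPTERS = {"su": 1, "sudo": 1, "ssh": 1, "scp": 1, "sftp": 1, "passwd": 3}
REDACTED = "<redacted>"

# Kernel TTY record layout:
#   type=TTY msg=audit(SEC.MS:SERIAL): tty pid=.. uid=.. auid=.. ses=..
#     major=.. minor=.. comm="bash" data=HEXBYTES
TTY_RE = re.compile(
    r'type=TTY msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): tty '
    r'pid=(?P<pid>\d+) uid=(?P<uid>\d+) auid=(?P<auid>\d+) ses=(?P<ses>\d+) '
    r'major=(?P<major>\d+) minor=(?P<minor>\d+) comm=(?P<comm>"[^"]*"|\S+) '
    r'data=(?P<data>[0-9A-Fa-f]+)'
)


class TtyFilter:
    """State is keyed by terminal (major, minor), not pid: the password is read
    by sudo/su, a different pid than the shell that ran it, and one typed line
    may be split over several records."""

    def __init__(self):
        self._line = {}       # tty -> bytearray of the line being typed
        self._to_redact = {}  # tty -> number of upcoming lines to redact

    def feed(self, record):
        """Process one raw audit record; return the filtered log lines."""
        m = TTY_RE.search(record)
        if not m:
            return []  # not a TTY record: not ours to log
        tty = (m["major"], m["minor"])
        buf = self._line.setdefault(tty, bytearray())
        out = []
        for b in bytes.fromhex(m["data"]):
            if b in (0x0D, 0x0A):        # Enter completes the line
                out.append(self._complete(m, tty, bytes(buf)))
                buf.clear()
            elif b in (0x7F, 0x08):      # DEL / Backspace: drop last char
                if buf:
                    buf.pop()
            else:
                buf.append(b)
        return out

    def _complete(self, m, tty, raw):
        text = raw.decode("utf-8", "replace")
        pending = self._to_redact.get(tty, 0)
        if pending:
            self._to_redact[tty] = pending - 1
            shown = REDACTED
        else:
            shown = text
            words = text.split()
            first = words[0].rsplit("/", 1)[-1] if words else ""  # /usr/bin/su -> su
            self._to_redact[tty] = PASSWORD_PROMPTERS.get(first, 0)
        return "%s auid=%s pid=%s comm=%s tty=%s/%s input=%r" % (
            m["ts"], m["auid"], m["pid"], m["comm"], tty[0], tty[1], shown)


def process_stream(lines):
    """Run every record through one filter; used by the test and by main()."""
    f = TtyFilter()
    out = []
    for line in lines:
        out.extend(f.feed(line))
    return out


# Constructed records: pts/0 (136/0) runs "sudo -i", sudo reads the password in
# two chunks, the root shell types "ls -lz<DEL>a /root"; pts/1 runs passwd.
SAMPLE_RECORDS = [
    'type=TTY msg=audit(1342443621.101:500): tty pid=1824 uid=1000 auid=1000 ses=1 '
    'major=136 minor=0 comm="bash" data=7375646F202D690D',
    'type=TTY msg=audit(1342443622.102:501): tty pid=1830 uid=0 auid=1000 ses=1 '
    'major=136 minor=0 comm="sudo" data=6875',
    'type=TTY msg=audit(1342443622.103:502): tty pid=1830 uid=0 auid=1000 ses=1 '
    'major=136 minor=0 comm="sudo" data=6E746572320D',
    'type=TTY msg=audit(1342443630.104:503): tty pid=1835 uid=0 auid=1000 ses=1 '
    'major=136 minor=0 comm="bash" data=6C73202D6C7A7F61202F726F6F740D',
    'type=TTY msg=audit(1342443700.105:504): tty pid=1900 uid=1000 auid=1000 ses=2 '
    'major=136 minor=1 comm="bash" data=7061737377640D',
    'type=TTY msg=audit(1342443701.106:505): tty pid=1905 uid=0 auid=1000 ses=2 '
    'major=136 minor=1 comm="passwd" data=6F6C640D6E65770D6E65770D',
]

if __name__ == "__main__":
    flt = TtyFilter()
    for record in sys.stdin:  # audispd feeds one record per line
        for entry in flt.feed(record):
            print(entry, flush=True)
```

Run against the constructed records, the "hunter2" chunks and the three passwd lines never reach the output, while the commands themselves do. The heuristic errs towards over-redaction: a `sudo` that is satisfied by NOPASSWD, or a root `passwd` that only asks twice, costs one logged command, which is the acceptable direction for PCI purposes. Later kernels track whether the terminal had echo disabled while input was read, and pam_tty_audit gained a `log_passwd` option so that non-echoed input is skipped by default; this example is for the situation in the thread, where that is not available.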