From: Richard Guy Briggs
Subject: Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
Date: Wed, 13 Mar 2013 12:53:27 -0400
Message-ID: <20130313165327.GG23106@madcap2.tricolour.ca>
References: <20130313154358.GF23106@madcap2.tricolour.ca> <1915900671.7033767.1363193038284.JavaMail.root@redhat.com>
In-Reply-To: <1915900671.7033767.1363193038284.JavaMail.root@redhat.com>
To: Miloslav Trmac
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
> ----- Original Message -----
> > > Please do post the patch here when you have it worked out as I am
> > > very likely to miss it in the flood of kernel patches when it goes
> > > to/from Linus.
> >
> > Here you go. Given Steve's good question, this control method may
> > change.
>
> Isn't "icanon" _true_ when the data is echoed? This patch would allow
> dropping the echoed data (i.e. commands), not the non-echoed data
> (i.e. passwords).
> (I might be mistaken and I haven't tested this.)

Apparently not. This is what took me longer than I initially thought
necessary to get this working, rechecking my pam incantations along the
way. I went back and actually removed my switch and just isolated
icanon in the decision to abort the function to confirm how it worked,
then inverted the test which is when it started working. Eric was right
to start with.

> Mirek

- RGB

--
Richard Guy Briggs
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635