From: Miloslav Trmac
Subject: Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
Date: Fri, 13 Jul 2012 10:23:07 -0400 (EDT)
Message-ID: <2465b2e4-ec77-4257-bf5f-fa7401dbc290@zmail15.collab.prod.int.phx2.redhat.com>
In-Reply-To: <4FFBD9D6.2080902@floriancrouzat.net>
References: <4FFBD9D6.2080902@floriancrouzat.net>
To: Florian Crouzat
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello,

----- Original Message -----
> Every keystroke is logged in /var/log/audit/audit.log, which is great.
> My only issue is that I just realized that prompted passwords are also
> logged, e.g. the MySQL password or Spacewalk, etc.
> I can read them in plain text when doing "aureport --tty -if
> /var/log/audit/audit.log", and PCI-DSS forbids any kind of storage of
> passwords. Is there a workaround? E.g.: don't log keystrokes when the
> prompt is "hidden" (inputting a password).

Not auditing non-echoed input gives rogue users an ability to bypass auditing by starting an application that disables echo (e.g. to prompt for a password), and causing the application to terminate - the TTY will stay in the non-echoing mode, and future input will not be audited.

That said, for some people it really may be more important not to audit passwords than to audit every possible input, and providing users an option to choose one or the other is technically quite simple. It's on my long-term to-do list, but I'm afraid I'm not expecting to work on this in the near future.

If anyone else wants to look at it, the original version of the patches https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html does contain code to exclude non-echoed input in canonical mode: just forward-port the code dealing with the ICANON and ECHO flags, and add a sysctl to control the behavior.

Mirek
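As an added illustration (not code from this thread or from the 2007 audit patches), the decision the forward-ported ICANON/ECHO logic would make, with the proposed sysctl modelled as a plain flag, plus a user-space check for the state the reply warns about: a tty left canonical and non-echoing after a password-prompting program exits.

```c
#include <stdio.h>
#include <termios.h>
#include <unistd.h>

/* Added example, not the patch itself: mirror the rule described in the
 * thread.  Input is left out of the audit trail only when the line is in
 * canonical mode (ICANON set) with echo off (ECHO clear), i.e. a password
 * prompt, and only when the administrator opted in.  The opt-in is a
 * hypothetical sysctl, modelled here as the skip_non_echoed argument.
 * Returns 1 if the keystrokes must be audited, 0 if they may be skipped. */
int tty_input_should_audit(tcflag_t c_lflag, int skip_non_echoed)
{
    int canonical = (c_lflag & ICANON) != 0;
    int echoed    = (c_lflag & ECHO) != 0;

    if (skip_non_echoed && canonical && !echoed)
        return 0;          /* password-style prompt: exclusion applies */
    return 1;              /* raw mode or echoed input: always audited */
}

/* Defender-side check for the bypass the reply describes: a program that
 * cleared ECHO and then terminated without restoring it leaves the tty
 * canonical and non-echoing, so with the exclusion enabled every later
 * keystroke on that tty would go unaudited.
 * Returns 1 if fd is a tty in that state, 0 if not, -1 if fd is not a tty. */
int tty_left_non_echoing(int fd)
{
    struct termios t;

    if (!isatty(fd) || tcgetattr(fd, &t) != 0)
        return -1;
    return (t.c_lflag & ICANON) != 0 && (t.c_lflag & ECHO) == 0;
}

int main(void)
{
    int state = tty_left_non_echoing(STDIN_FILENO);

    if (state < 0)
        printf("stdin is not a tty\n");
    else if (state)
        printf("stdin is canonical and non-echoing: input would be excluded "
               "if the opt-in were on\n");
    else
        printf("stdin is echoing (or raw): input is audited either way\n");
    return 0;
}
```

Running it from a shell whose previous program died mid-prompt shows whether `stty sane` is needed before the audit trail is complete again.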