PCI-DSS: Log every root actions/keystrokes but avoid passwords

PCI-DSS: Log every root actions/keystrokes but avoid passwords

[Florian Crouzat]

Hi,

This is my first message to the list to please be indulgent, I might be 
mixing concepts here between auditd, selinux and pam. Any guidance much 
appreciated.

For PCI-DSS, in order to be allowed to have a real root shell instead of 
firing sudo all the time (and it's lack of glob/completion), I'm trying 
to have any commands fired in any kind of root shell logged. (Of course 
it doesn't protect against malicious root users but that's off-topic).

So, I've been able to achieve that purpose by using :

$ grep tty /etc/pam.d/{su*,system-auth}
/etc/pam.d/su:session required pam_tty_audit.so enable=root
/etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/su-l:session required pam_tty_audit.so enable=root
/etc/pam.d/system-auth:session required pam_tty_audit.so disable=* 
enable=root

Every keystroke are logged in /var/log/audit/audit.log which is great. 
My only issue is that I just realized that prompt passwords are also 
logged, eg MySQL password or Spacewalk, etc.
I can read them in plain text when doing "aureport --tty -if 
/var/log/audit/audit.log and PCI-DSS forbid any kind of storage of 
passwords, is there a workaround ? Eg: don't log keystrokes when the 
prompt is "hidden" (inputting a password)

I'd like very much to be able to obtain real root shells for ease of 
work (sudo -i) my only constraint beeing: log everything but don't store 
any password.

Thanks,

-- 
Cheers,
Florian Crouzat

Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

[Thugzclub]

Florian,

Did you get and answer for this?

Regards.



On 10 Jul 2012, at 08:29, Florian Crouzat <gentoo@floriancrouzat.net> wrote:

> Hi,
> 
> This is my first message to the list to please be indulgent, I might be mixing concepts here between auditd, selinux and pam. Any guidance much appreciated.
> 
> For PCI-DSS, in order to be allowed to have a real root shell instead of firing sudo all the time (and it's lack of glob/completion), I'm trying to have any commands fired in any kind of root shell logged. (Of course it doesn't protect against malicious root users but that's off-topic).
> 
> So, I've been able to achieve that purpose by using :
> 
> $ grep tty /etc/pam.d/{su*,system-auth}
> /etc/pam.d/su:session required pam_tty_audit.so enable=root
> /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
> /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
> /etc/pam.d/su-l:session required pam_tty_audit.so enable=root
> /etc/pam.d/system-auth:session required pam_tty_audit.so disable=* enable=root
> 
> Every keystroke are logged in /var/log/audit/audit.log which is great. My only issue is that I just realized that prompt passwords are also logged, eg MySQL password or Spacewalk, etc.
> I can read them in plain text when doing "aureport --tty -if /var/log/audit/audit.log and PCI-DSS forbid any kind of storage of passwords, is there a workaround ? Eg: don't log keystrokes when the prompt is "hidden" (inputting a password)
> 
> I'd like very much to be able to obtain real root shells for ease of work (sudo -i) my only constraint beeing: log everything but don't store any password.
> 
> Thanks,
> 
> -- 
> Cheers,
> Florian Crouzat
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

[Florian Crouzat]

Le 12/07/2012 21:41, Thugzclub a écrit :
> Florian,
>
> Did you get and answer for this?
>
> Regards.
>

Not a single one.

Florian.


>
> On 10 Jul 2012, at 08:29, Florian Crouzat <gentoo@floriancrouzat.net> wrote:
>
>> Hi,
>>
>> This is my first message to the list to please be indulgent, I might be mixing concepts here between auditd, selinux and pam. Any guidance much appreciated.
>>
>> For PCI-DSS, in order to be allowed to have a real root shell instead of firing sudo all the time (and it's lack of glob/completion), I'm trying to have any commands fired in any kind of root shell logged. (Of course it doesn't protect against malicious root users but that's off-topic).
>>
>> So, I've been able to achieve that purpose by using :
>>
>> $ grep tty /etc/pam.d/{su*,system-auth}
>> /etc/pam.d/su:session required pam_tty_audit.so enable=root
>> /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
>> /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
>> /etc/pam.d/su-l:session required pam_tty_audit.so enable=root
>> /etc/pam.d/system-auth:session required pam_tty_audit.so disable=* enable=root
>>
>> Every keystroke are logged in /var/log/audit/audit.log which is great. My only issue is that I just realized that prompt passwords are also logged, eg MySQL password or Spacewalk, etc.
>> I can read them in plain text when doing "aureport --tty -if /var/log/audit/audit.log and PCI-DSS forbid any kind of storage of passwords, is there a workaround ? Eg: don't log keystrokes when the prompt is "hidden" (inputting a password)
>>
>> I'd like very much to be able to obtain real root shells for ease of work (sudo -i) my only constraint beeing: log everything but don't store any password.
>>
>> Thanks,
>>
>> --
>> Cheers,
>> Florian Crouzat

Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

[Steve Grubb]

On Friday, July 13, 2012 10:14:59 AM Florian Crouzat wrote:
> Le 12/07/2012 21:41, Thugzclub a écrit :
> > Florian,
> > 
> > Did you get and answer for this?
> > 
> > Regards.
> 
> Not a single one.

Hmm...I thought I sent an answer. The problem from the kernel's perspective is 
that it has no idea what user space is doing. It can't tell a password from 
anything else being typed. There is a flag that can be set for the TTY to hide 
characters. But the issue then becomes that now you have a loophole that a 
crafty admin could use to hide what he's really doing.

If anyone has ideas on how to improve this, I think we should.

-Steve


> > On 10 Jul 2012, at 08:29, Florian Crouzat <gentoo@floriancrouzat.net> 
wrote:
> >> Hi,
> >> 
> >> This is my first message to the list to please be indulgent, I might be
> >> mixing concepts here between auditd, selinux and pam. Any guidance much
> >> appreciated.
> >> 
> >> For PCI-DSS, in order to be allowed to have a real root shell instead of
> >> firing sudo all the time (and it's lack of glob/completion), I'm trying
> >> to have any commands fired in any kind of root shell logged. (Of course
> >> it doesn't protect against malicious root users but that's off-topic).
> >> 
> >> So, I've been able to achieve that purpose by using :
> >> 
> >> $ grep tty /etc/pam.d/{su*,system-auth}
> >> /etc/pam.d/su:session required pam_tty_audit.so enable=root
> >> /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
> >> /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
> >> /etc/pam.d/su-l:session required pam_tty_audit.so enable=root
> >> /etc/pam.d/system-auth:session required pam_tty_audit.so disable=*
> >> enable=root
> >> 
> >> Every keystroke are logged in /var/log/audit/audit.log which is great. My
> >> only issue is that I just realized that prompt passwords are also
> >> logged, eg MySQL password or Spacewalk, etc. I can read them in plain
> >> text when doing "aureport --tty -if /var/log/audit/audit.log and PCI-DSS
> >> forbid any kind of storage of passwords, is there a workaround ? Eg:
> >> don't log keystrokes when the prompt is "hidden" (inputting a password)
> >> 
> >> I'd like very much to be able to obtain real root shells for ease of work
> >> (sudo -i) my only constraint beeing: log everything but don't store any
> >> password.
> >> 
> >> Thanks,
> >> 
> >> --
> >> Cheers,
> >> Florian Crouzat
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

[Florian Crouzat]

Le 13/07/2012 15:27, Steve Grubb a écrit :

> Hmm...I thought I sent an answer. The problem from the kernel's perspective is
> that it has no idea what user space is doing. It can't tell a password from
> anything else being typed. There is a flag that can be set for the TTY to hide
> characters. But the issue then becomes that now you have a loophole that a
> crafty admin could use to hide what he's really doing.
>
> If anyone has ideas on how to improve this, I think we should.
>
> -Steve

Yeah, I was afraid of that...
At least, thanks for clarifying.

I guess I'll stick with stating: don't fire any real root shell to all 
my sysadmins in the PCI-DSS scope. (as it's impossible to completely 
forbid all possible case , eg: forbid sudo -*, sudo sudo *, sudo su * 
but hell, you can't forbid sudo ./foo.sh where foo fires a shell, there 
is NOEXEC in sudo but then you can't do anything except reading...)

Anyway, I'm getting away of the real matter, avoiding to audit-log 
passwords keystrokes.

-- 
Cheers,
Florian Crouzat

Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

[Valentin Avram]

[-- Attachment #1.1: Type: text/plain, Size: 1692 bytes --]

There is another way we used to pass PCI-DSS.

We use an audit rule to log all EXECVE happening on production servers,
rsyslog the logs to the remote centralized logs server, then parse the
audit logs there using a cron script and rebuild the commands issued on
each server by any user id.

Hope this helps.
On Jul 13, 2012 4:53 PM, "Florian Crouzat" <gentoo@floriancrouzat.net>
wrote:

> Le 13/07/2012 15:27, Steve Grubb a écrit :
>
>  Hmm...I thought I sent an answer. The problem from the kernel's
>> perspective is
>> that it has no idea what user space is doing. It can't tell a password
>> from
>> anything else being typed. There is a flag that can be set for the TTY to
>> hide
>> characters. But the issue then becomes that now you have a loophole that a
>> crafty admin could use to hide what he's really doing.
>>
>> If anyone has ideas on how to improve this, I think we should.
>>
>> -Steve
>>
>
> Yeah, I was afraid of that...
> At least, thanks for clarifying.
>
> I guess I'll stick with stating: don't fire any real root shell to all my
> sysadmins in the PCI-DSS scope. (as it's impossible to completely forbid
> all possible case , eg: forbid sudo -*, sudo sudo *, sudo su * but hell,
> you can't forbid sudo ./foo.sh where foo fires a shell, there is NOEXEC in
> sudo but then you can't do anything except reading...)
>
> Anyway, I'm getting away of the real matter, avoiding to audit-log
> passwords keystrokes.
>
> --
> Cheers,
> Florian Crouzat
>
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/**mailman/listinfo/linux-audit<https://www.redhat.com/mailman/listinfo/linux-audit>
>

[-- Attachment #1.2: Type: text/html, Size: 2216 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

[Miloslav Trmac]

Hello,
----- Original Message -----
> Every keystroke are logged in /var/log/audit/audit.log which is great.
> My only issue is that I just realized that prompt passwords are also
> logged, eg MySQL password or Spacewalk, etc.
> I can read them in plain text when doing "aureport --tty -if
> /var/log/audit/audit.log and PCI-DSS forbid any kind of storage of
> passwords, is there a workaround ? Eg: don't log keystrokes when the
> prompt is "hidden" (inputting a password)

Not auditing non-echoed input gives rogue users an ability to bypass auditing by starting an application that disables echo (e.g. to prompt for a password), and causing the application to terminate - the TTY will stay in the non-echoing mode, and future input will not be audited.

That said, for some people it really may be more important not to audit passwords than to audit every possible input, and providing users an option to choose one or the other is technically quite simple.  It's on my long-term to-do list, but I'm afraid I'm not expecting to work on this in the near future.

If anyone else wants to look at it, the original version of the patches https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html does contain code to exclude non-echoed input in canonical mode: just forward-port the code dealing with the ICANON and ECHO flags, and add a sysctl to control the behavior.
    Mirek

RE: EXT :Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

[Boyce, Kevin P (AS)]

Wouldn't another option be to audit the exec of particular executables you are interested in knowing if someone runs?
Obviously you won't know what they are typing into text documents and such, but is that really required?  Most places don't allow key loggers at all and it sounds like that's what you've got.



-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Florian Crouzat
Sent: Friday, July 13, 2012 9:51 AM
To: Steve Grubb
Cc: Thugzclub; linux-audit@redhat.com
Subject: EXT :Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

Le 13/07/2012 15:27, Steve Grubb a écrit :

> Hmm...I thought I sent an answer. The problem from the kernel's perspective is
> that it has no idea what user space is doing. It can't tell a password from
> anything else being typed. There is a flag that can be set for the TTY to hide
> characters. But the issue then becomes that now you have a loophole that a
> crafty admin could use to hide what he's really doing.
>
> If anyone has ideas on how to improve this, I think we should.
>
> -Steve

Yeah, I was afraid of that...
At least, thanks for clarifying.

I guess I'll stick with stating: don't fire any real root shell to all 
my sysadmins in the PCI-DSS scope. (as it's impossible to completely 
forbid all possible case , eg: forbid sudo -*, sudo sudo *, sudo su * 
but hell, you can't forbid sudo ./foo.sh where foo fires a shell, there 
is NOEXEC in sudo but then you can't do anything except reading...)

Anyway, I'm getting away of the real matter, avoiding to audit-log 
passwords keystrokes.

-- 
Cheers,
Florian Crouzat



--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: EXT :Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

[Florian Crouzat]

Le 13/07/2012 19:09, Boyce, Kevin P (AS) a écrit :
> Wouldn't another option be to audit the exec of particular executables you are interested in knowing if someone runs?
> Obviously you won't know what they are typing into text documents and such, but is that really required?  Most places don't allow key loggers at all and it sounds like that's what you've got.

Nop that's not required, what is required is to log every 
root-privileged actions, sudo goes in /var/log/secure, real root shells 
nowhere. The only solution I found was with pam_audit_tty that has the 
side effect to log every keystroke but I'm open to other solutions, 
creating a list of binary to watch cannot be one.

-- 
Cheers,
Florian Crouzat

Re: EXT :Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

[Steve Grubb]

On Monday, July 16, 2012 10:05:48 AM Florian Crouzat wrote:
> Le 13/07/2012 19:09, Boyce, Kevin P (AS) a écrit :
> > Wouldn't another option be to audit the exec of particular executables you
> > are interested in knowing if someone runs? Obviously you won't know what
> > they are typing into text documents and such, but is that really
> > required?  Most places don't allow key loggers at all and it sounds like
> > that's what you've got.
> Nop that's not required, what is required is to log every
> root-privileged actions, sudo goes in /var/log/secure,

Sudo also goes into the audit log so that you have a high integrity source for 
what it was commanded to do.

> real root shells nowhere. The only solution I found was with pam_audit_tty
> that has the side effect to log every keystroke but I'm open to other
> solutions, creating a list of binary to watch cannot be one.

One possibility is to write a simple event handler that watches for keystroke 
logging and does the filtering before writing to its own log file. Remember the 
audit system has a realtime interface and a parsing library so that dispatcher 
utilities can easily be created.

-Steve