* PCI-DSS: Log every root actions/keystrokes  but avoid passwords
@ 2012-07-10  7:29 Florian Crouzat
  2012-07-12 19:41 ` Thugzclub
  2012-07-13 14:23 ` Miloslav Trmac
  0 siblings, 2 replies; 23+ messages in thread
From: Florian Crouzat @ 2012-07-10  7:29 UTC (permalink / raw)
  To: linux-audit

Hi,

This is my first message to the list so please be indulgent, I might be
mixing concepts here between auditd, selinux and pam. Any guidance much
appreciated.

For PCI-DSS, in order to be allowed to have a real root shell instead of
firing sudo all the time (and its lack of glob/completion), I'm trying
to have any commands fired in any kind of root shell logged. (Of course
it doesn't protect against malicious root users but that's off-topic).

So, I've been able to achieve that purpose by using :

$ grep tty /etc/pam.d/{su*,system-auth}
/etc/pam.d/su:session required pam_tty_audit.so enable=root
/etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/su-l:session required pam_tty_audit.so enable=root
/etc/pam.d/system-auth:session required pam_tty_audit.so disable=* enable=root

Every keystroke is logged in /var/log/audit/audit.log, which is great.
My only issue is that I just realized that prompt passwords are also
logged, eg MySQL password or Spacewalk, etc.
I can read them in plain text when doing "aureport --tty -if
/var/log/audit/audit.log" and PCI-DSS forbids any kind of storage of
passwords, is there a workaround? Eg: don't log keystrokes when the
prompt is "hidden" (inputting a password)

I'd like very much to be able to obtain real root shells for ease of
work (sudo -i), my only constraint being: log everything but don't store
any password.

Thanks,

-- 
Cheers,
Florian Crouzat

^ permalink raw reply	[flat|nested] 23+ messages in thread

* Re: PCI-DSS: Log every root actions/keystrokes  but avoid passwords
  2012-07-10  7:29 PCI-DSS: Log every root actions/keystrokes but avoid passwords Florian Crouzat
@ 2012-07-12 19:41 ` Thugzclub
  2012-07-13  8:14   ` Florian Crouzat
  2012-07-13 14:23 ` Miloslav Trmac
  1 sibling, 1 reply; 23+ messages in thread
From: Thugzclub @ 2012-07-12 19:41 UTC (permalink / raw)
  To: Florian Crouzat; +Cc: linux-audit

Florian,

Did you get an answer for this?

Regards.



On 10 Jul 2012, at 08:29, Florian Crouzat <gentoo@floriancrouzat.net> wrote:

> Hi,
> 
> This is my first message to the list so please be indulgent, I might be mixing concepts here between auditd, selinux and pam. Any guidance much appreciated.
> 
> For PCI-DSS, in order to be allowed to have a real root shell instead of firing sudo all the time (and its lack of glob/completion), I'm trying to have any commands fired in any kind of root shell logged. (Of course it doesn't protect against malicious root users but that's off-topic).
> 
> So, I've been able to achieve that purpose by using :
> 
> $ grep tty /etc/pam.d/{su*,system-auth}
> /etc/pam.d/su:session required pam_tty_audit.so enable=root
> /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
> /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
> /etc/pam.d/su-l:session required pam_tty_audit.so enable=root
> /etc/pam.d/system-auth:session required pam_tty_audit.so disable=* enable=root
> 
> Every keystroke is logged in /var/log/audit/audit.log, which is great. My only issue is that I just realized that prompt passwords are also logged, eg MySQL password or Spacewalk, etc.
> I can read them in plain text when doing "aureport --tty -if /var/log/audit/audit.log" and PCI-DSS forbids any kind of storage of passwords, is there a workaround? Eg: don't log keystrokes when the prompt is "hidden" (inputting a password)
> 
> I'd like very much to be able to obtain real root shells for ease of work (sudo -i), my only constraint being: log everything but don't store any password.
> 
> Thanks,
> 
> -- 
> Cheers,
> Florian Crouzat
> 


* Re: PCI-DSS: Log every root actions/keystrokes  but avoid passwords
  2012-07-12 19:41 ` Thugzclub
@ 2012-07-13  8:14   ` Florian Crouzat
  2012-07-13 13:27     ` Steve Grubb
  0 siblings, 1 reply; 23+ messages in thread
From: Florian Crouzat @ 2012-07-13  8:14 UTC (permalink / raw)
  To: Thugzclub; +Cc: linux-audit

On 12/07/2012 21:41, Thugzclub wrote:
> Florian,
>
> Did you get an answer for this?
>
> Regards.
>

Not a single one.

Florian.


>
> On 10 Jul 2012, at 08:29, Florian Crouzat <gentoo@floriancrouzat.net> wrote:
>
>> Hi,
>>
>> This is my first message to the list so please be indulgent, I might be mixing concepts here between auditd, selinux and pam. Any guidance much appreciated.
>>
>> For PCI-DSS, in order to be allowed to have a real root shell instead of firing sudo all the time (and its lack of glob/completion), I'm trying to have any commands fired in any kind of root shell logged. (Of course it doesn't protect against malicious root users but that's off-topic).
>>
>> So, I've been able to achieve that purpose by using :
>>
>> $ grep tty /etc/pam.d/{su*,system-auth}
>> /etc/pam.d/su:session required pam_tty_audit.so enable=root
>> /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
>> /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
>> /etc/pam.d/su-l:session required pam_tty_audit.so enable=root
>> /etc/pam.d/system-auth:session required pam_tty_audit.so disable=* enable=root
>>
>> Every keystroke is logged in /var/log/audit/audit.log, which is great. My only issue is that I just realized that prompt passwords are also logged, eg MySQL password or Spacewalk, etc.
>> I can read them in plain text when doing "aureport --tty -if /var/log/audit/audit.log" and PCI-DSS forbids any kind of storage of passwords, is there a workaround? Eg: don't log keystrokes when the prompt is "hidden" (inputting a password)
>>
>> I'd like very much to be able to obtain real root shells for ease of work (sudo -i), my only constraint being: log everything but don't store any password.
>>
>> Thanks,
>>
>> --
>> Cheers,
>> Florian Crouzat


* Re: PCI-DSS: Log every root actions/keystrokes  but avoid passwords
  2012-07-13  8:14   ` Florian Crouzat
@ 2012-07-13 13:27     ` Steve Grubb
  2012-07-13 13:50       ` Florian Crouzat
  0 siblings, 1 reply; 23+ messages in thread
From: Steve Grubb @ 2012-07-13 13:27 UTC (permalink / raw)
  To: linux-audit; +Cc: Thugzclub

On Friday, July 13, 2012 10:14:59 AM Florian Crouzat wrote:
> On 12/07/2012 21:41, Thugzclub wrote:
> > Florian,
> > 
> > Did you get an answer for this?
> > 
> > Regards.
> 
> Not a single one.

Hmm...I thought I sent an answer. The problem from the kernel's perspective is 
that it has no idea what user space is doing. It can't tell a password from 
anything else being typed. There is a flag that can be set for the TTY to hide 
characters. But the issue then becomes that now you have a loophole that a 
crafty admin could use to hide what he's really doing.

If anyone has ideas on how to improve this, I think we should.

-Steve


> > On 10 Jul 2012, at 08:29, Florian Crouzat <gentoo@floriancrouzat.net> wrote:
> >> Hi,
> >> 
> >> This is my first message to the list so please be indulgent, I might be
> >> mixing concepts here between auditd, selinux and pam. Any guidance much
> >> appreciated.
> >> 
> >> For PCI-DSS, in order to be allowed to have a real root shell instead of
> >> firing sudo all the time (and its lack of glob/completion), I'm trying
> >> to have any commands fired in any kind of root shell logged. (Of course
> >> it doesn't protect against malicious root users but that's off-topic).
> >> 
> >> So, I've been able to achieve that purpose by using :
> >> 
> >> $ grep tty /etc/pam.d/{su*,system-auth}
> >> /etc/pam.d/su:session required pam_tty_audit.so enable=root
> >> /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
> >> /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
> >> /etc/pam.d/su-l:session required pam_tty_audit.so enable=root
> >> /etc/pam.d/system-auth:session required pam_tty_audit.so disable=* enable=root
> >> 
> >> Every keystroke is logged in /var/log/audit/audit.log, which is great. My
> >> only issue is that I just realized that prompt passwords are also
> >> logged, eg MySQL password or Spacewalk, etc. I can read them in plain
> >> text when doing "aureport --tty -if /var/log/audit/audit.log" and PCI-DSS
> >> forbids any kind of storage of passwords, is there a workaround? Eg:
> >> don't log keystrokes when the prompt is "hidden" (inputting a password)
> >> 
> >> I'd like very much to be able to obtain real root shells for ease of work
> >> (sudo -i), my only constraint being: log everything but don't store any
> >> password.
> >> 
> >> Thanks,
> >> 
> >> --
> >> Cheers,
> >> Florian Crouzat
> 


* Re: PCI-DSS: Log every root actions/keystrokes  but avoid passwords
  2012-07-13 13:27     ` Steve Grubb
@ 2012-07-13 13:50       ` Florian Crouzat
  2012-07-13 14:11         ` Valentin Avram
  2012-07-13 17:09         ` EXT :Re: " Boyce, Kevin P (AS)
  0 siblings, 2 replies; 23+ messages in thread
From: Florian Crouzat @ 2012-07-13 13:50 UTC (permalink / raw)
  To: Steve Grubb; +Cc: Thugzclub, linux-audit

On 13/07/2012 15:27, Steve Grubb wrote:

> Hmm...I thought I sent an answer. The problem from the kernel's perspective is
> that it has no idea what user space is doing. It can't tell a password from
> anything else being typed. There is a flag that can be set for the TTY to hide
> characters. But the issue then becomes that now you have a loophole that a
> crafty admin could use to hide what he's really doing.
>
> If anyone has ideas on how to improve this, I think we should.
>
> -Steve

Yeah, I was afraid of that...
At least, thanks for clarifying.

I guess I'll stick with stating: don't fire any real root shell to all
my sysadmins in the PCI-DSS scope. (as it's impossible to completely
forbid all possible cases, eg: forbid sudo -*, sudo sudo *, sudo su *
but hell, you can't forbid sudo ./foo.sh where foo fires a shell, there
is NOEXEC in sudo but then you can't do anything except reading...)

Anyway, I'm getting away from the real matter, avoiding audit-logging
password keystrokes.

-- 
Cheers,
Florian Crouzat


* Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
  2012-07-13 13:50       ` Florian Crouzat
@ 2012-07-13 14:11         ` Valentin Avram
  2012-07-13 17:09         ` EXT :Re: " Boyce, Kevin P (AS)
  1 sibling, 0 replies; 23+ messages in thread
From: Valentin Avram @ 2012-07-13 14:11 UTC (permalink / raw)
  To: Florian Crouzat; +Cc: Thugzclub, linux-audit



There is another way we used to pass PCI-DSS.

We use an audit rule to log all EXECVE happening on production servers,
rsyslog the logs to the remote centralized logs server, then parse the
audit logs there using a cron script and rebuild the commands issued on
each server by any user id.

Hope this helps.
On Jul 13, 2012 4:53 PM, "Florian Crouzat" <gentoo@floriancrouzat.net>
wrote:

> On 13/07/2012 15:27, Steve Grubb wrote:
>
>> Hmm...I thought I sent an answer. The problem from the kernel's
>> perspective is that it has no idea what user space is doing. It can't
>> tell a password from anything else being typed. There is a flag that
>> can be set for the TTY to hide characters. But the issue then becomes
>> that now you have a loophole that a crafty admin could use to hide what
>> he's really doing.
>>
>> If anyone has ideas on how to improve this, I think we should.
>>
>> -Steve
>
> Yeah, I was afraid of that...
> At least, thanks for clarifying.
>
> I guess I'll stick with stating: don't fire any real root shell to all my
> sysadmins in the PCI-DSS scope. (as it's impossible to completely forbid
> all possible cases, eg: forbid sudo -*, sudo sudo *, sudo su * but hell,
> you can't forbid sudo ./foo.sh where foo fires a shell, there is NOEXEC in
> sudo but then you can't do anything except reading...)
>
> Anyway, I'm getting away from the real matter, avoiding audit-logging
> password keystrokes.
>
> --
> Cheers,
> Florian Crouzat
>

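The EXECVE-based approach Valentin describes needs a parser on the central log host that turns each SYSCALL/EXECVE record pair back into a command line attributed to a login uid. The Python below is an added example written for this page, not code from Valentin or from the audit project. The log lines it parses are constructed to mimic what auditd writes for a rule such as `-a always,exit -F arch=b64 -S execve -k exec`, including the upper-case hex encoding audit applies to arguments containing spaces or quotes and the `aN_len` / `aN[k]` chunking of long arguments; the `Command` type and function names are this example's own.

```python
import re
import shlex
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the SYSCALL/EXECVE/CWD records auditd writes for a rule
# such as `-a always,exit -F arch=b64 -S execve -k exec`. Event 102 carries an
# argument containing a space, which audit hex-encodes instead of quoting;
# event 103 shows a long argument split into aN[k] chunks with an aN_len field.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1342089187.123:101): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2100 pid=2150 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="exec"
type=EXECVE msg=audit(1342089187.123:101): argc=2 a0="cat" a1="/etc/hosts"
type=CWD msg=audit(1342089187.123:101):  cwd="/root"
type=SYSCALL msg=audit(1342089187.130:102): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2100 pid=2151 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="echo" exe="/bin/echo" key="exec"
type=EXECVE msg=audit(1342089187.130:102): argc=3 a0="echo" a1=68656C6C6F20776F726C64 a2="x"
type=SYSCALL msg=audit(1342089190.001:103): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=3000 pid=3010 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="sh" exe="/bin/sh" key="exec"
type=EXECVE msg=audit(1342089190.001:103): argc=3 a0="sh" a1="-c" a2_len=6 a2[0]=616263 a2[1]=646566
"""

FIELD_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
ARG_RE = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")
HEX_RE = re.compile(r"^[0-9A-F]+$")


def parse_fields(line):
    """Split one audit record into its key=value fields (values kept raw)."""
    return dict(FIELD_RE.findall(line))


def decode_value(raw):
    """audit quotes a value when it is printable and has no spaces/quotes;
    otherwise it writes the raw bytes as upper-case hex without quotes."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if HEX_RE.match(raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def execve_argv(fields):
    """Rebuild argv from an EXECVE record, joining aN[k] chunks in order."""
    chunks = defaultdict(dict)
    for key, raw in fields.items():
        m = ARG_RE.match(key)
        if m:
            chunks[int(m.group(1))][int(m.group(2) or 0)] = decode_value(raw)
    return ["".join(chunks[i][k] for k in sorted(chunks[i]))
            for i in range(int(fields["argc"]))]


@dataclass
class Command:
    serial: int
    time: float
    auid: int   # login uid: who actually logged in; survives su/sudo
    uid: int    # the user the command ran as
    ses: int
    tty: str
    argv: list


def rebuild_commands(log_text):
    """Pair SYSCALL and EXECVE records by event serial and emit one Command each."""
    events, order = {}, []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = parse_fields(line)
        if fields.get("type") not in ("SYSCALL", "EXECVE"):
            continue
        serial = int(m.group(2))
        if serial not in events:
            events[serial] = {"time": float(m.group(1))}
            order.append(serial)
        events[serial][fields["type"]] = fields
    commands = []
    for serial in order:
        ev = events[serial]
        if "SYSCALL" not in ev or "EXECVE" not in ev:
            continue   # SYSCALL from another rule, or records split across log rotation
        sc = ev["SYSCALL"]
        commands.append(Command(serial, ev["time"], int(sc["auid"]), int(sc["uid"]),
                                int(sc["ses"]), sc.get("tty", "?"), execve_argv(ev["EXECVE"])))
    return commands


def commands_by_user(commands):
    """Group shell-quoted command lines by login uid, as the cron script would report."""
    out = defaultdict(list)
    for c in commands:
        out[c.auid].append(shlex.join(c.argv))
    return dict(out)


if __name__ == "__main__":
    for auid, lines in commands_by_user(rebuild_commands(SAMPLE_LOG)).items():
        print(f"auid={auid}")
        for cmd in lines:
            print("   ", cmd)
```

Grouping on `auid` rather than `uid` is what makes this useful for the root-shell question in the thread: the login uid is set at login and carried through `su` and `sudo -i`, so a command run from a real root shell is still attributed to the administrator who opened it.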

* Re: PCI-DSS: Log every root actions/keystrokes  but avoid passwords
  2012-07-10  7:29 PCI-DSS: Log every root actions/keystrokes but avoid passwords Florian Crouzat
  2012-07-12 19:41 ` Thugzclub
@ 2012-07-13 14:23 ` Miloslav Trmac
  1 sibling, 0 replies; 23+ messages in thread
From: Miloslav Trmac @ 2012-07-13 14:23 UTC (permalink / raw)
  To: Florian Crouzat; +Cc: linux-audit

Hello,
----- Original Message -----
> Every keystroke is logged in /var/log/audit/audit.log, which is great.
> My only issue is that I just realized that prompt passwords are also
> logged, eg MySQL password or Spacewalk, etc.
> I can read them in plain text when doing "aureport --tty -if
> /var/log/audit/audit.log" and PCI-DSS forbids any kind of storage of
> passwords, is there a workaround? Eg: don't log keystrokes when the
> prompt is "hidden" (inputting a password)

Not auditing non-echoed input gives rogue users an ability to bypass auditing by starting an application that disables echo (e.g. to prompt for a password), and causing the application to terminate - the TTY will stay in the non-echoing mode, and future input will not be audited.

That said, for some people it really may be more important not to audit passwords than to audit every possible input, and providing users an option to choose one or the other is technically quite simple.  It's on my long-term to-do list, but I'm afraid I'm not expecting to work on this in the near future.

If anyone else wants to look at it, the original version of the patches https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html does contain code to exclude non-echoed input in canonical mode: just forward-port the code dealing with the ICANON and ECHO flags, and add a sysctl to control the behavior.
    Mirek


* RE: EXT :Re: PCI-DSS: Log every root actions/keystrokes  but avoid passwords
  2012-07-13 13:50       ` Florian Crouzat
  2012-07-13 14:11         ` Valentin Avram
@ 2012-07-13 17:09         ` Boyce, Kevin P (AS)
  2012-07-16  8:05           ` Florian Crouzat
  1 sibling, 1 reply; 23+ messages in thread
From: Boyce, Kevin P (AS) @ 2012-07-13 17:09 UTC (permalink / raw)
  To: Florian Crouzat, Steve Grubb; +Cc: linux-audit

Wouldn't another option be to audit the exec of particular executables you are interested in knowing if someone runs?
Obviously you won't know what they are typing into text documents and such, but is that really required?  Most places don't allow key loggers at all and it sounds like that's what you've got.



-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Florian Crouzat
Sent: Friday, July 13, 2012 9:51 AM
To: Steve Grubb
Cc: Thugzclub; linux-audit@redhat.com
Subject: EXT :Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

On 13/07/2012 15:27, Steve Grubb wrote:

> Hmm...I thought I sent an answer. The problem from the kernel's perspective is
> that it has no idea what user space is doing. It can't tell a password from
> anything else being typed. There is a flag that can be set for the TTY to hide
> characters. But the issue then becomes that now you have a loophole that a
> crafty admin could use to hide what he's really doing.
>
> If anyone has ideas on how to improve this, I think we should.
>
> -Steve

Yeah, I was afraid of that...
At least, thanks for clarifying.

I guess I'll stick with stating: don't fire any real root shell to all
my sysadmins in the PCI-DSS scope. (as it's impossible to completely
forbid all possible cases, eg: forbid sudo -*, sudo sudo *, sudo su *
but hell, you can't forbid sudo ./foo.sh where foo fires a shell, there
is NOEXEC in sudo but then you can't do anything except reading...)

Anyway, I'm getting away from the real matter, avoiding audit-logging
password keystrokes.

-- 
Cheers,
Florian Crouzat





* Re: EXT :Re: PCI-DSS: Log every root actions/keystrokes  but avoid passwords
  2012-07-13 17:09         ` EXT :Re: " Boyce, Kevin P (AS)
@ 2012-07-16  8:05           ` Florian Crouzat
  2012-07-16 13:20             ` Steve Grubb
  0 siblings, 1 reply; 23+ messages in thread
From: Florian Crouzat @ 2012-07-16  8:05 UTC (permalink / raw)
  To: Boyce, Kevin P (AS); +Cc: linux-audit

On 13/07/2012 19:09, Boyce, Kevin P (AS) wrote:
> Wouldn't another option be to audit the exec of particular executables you are interested in knowing if someone runs?
> Obviously you won't know what they are typing into text documents and such, but is that really required?  Most places don't allow key loggers at all and it sounds like that's what you've got.

Nope, that's not required; what is required is to log every
root-privileged action. sudo goes in /var/log/secure, real root shells
nowhere. The only solution I found was with pam_tty_audit, which has the
side effect of logging every keystroke, but I'm open to other solutions;
creating a list of binaries to watch cannot be one.

-- 
Cheers,
Florian Crouzat


* Re: EXT :Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
  2012-07-16  8:05           ` Florian Crouzat
@ 2012-07-16 13:20             ` Steve Grubb
  0 siblings, 0 replies; 23+ messages in thread
From: Steve Grubb @ 2012-07-16 13:20 UTC (permalink / raw)
  To: Florian Crouzat; +Cc: linux-audit

On Monday, July 16, 2012 10:05:48 AM Florian Crouzat wrote:
> On 13/07/2012 19:09, Boyce, Kevin P (AS) wrote:
> > Wouldn't another option be to audit the exec of particular executables you
> > are interested in knowing if someone runs? Obviously you won't know what
> > they are typing into text documents and such, but is that really
> > required?  Most places don't allow key loggers at all and it sounds like
> > that's what you've got.
> Nope, that's not required; what is required is to log every
> root-privileged action. sudo goes in /var/log/secure,

Sudo also goes into the audit log so that you have a high integrity source for 
what it was commanded to do.

> real root shells nowhere. The only solution I found was with pam_tty_audit,
> which has the side effect of logging every keystroke, but I'm open to other
> solutions; creating a list of binaries to watch cannot be one.

One possibility is to write a simple event handler that watches for keystroke 
logging and does the filtering before writing to its own log file. Remember the 
audit system has a realtime interface and a parsing library so that dispatcher 
utilities can easily be created.

-Steve
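
One shape the event handler Steve suggests could take, as an added example that is not part of this thread or of audit's own tooling: it reads TTY records line by line (the form in which audispd hands events to a dispatcher plugin on stdin), decodes the hex `data` field, and redacts the keystrokes whenever the program that consumed them (the record's `comm`) is on a list of programs known to read a secret from the terminal, keeping only the byte count so the trail still shows that input was read. The `SECRET_READERS` list, the sample records and the `TtyInput` type are constructed assumptions for the example; the kernel still cannot tell a password from anything else, so this policy is only as complete as the list.

```python
import re
import sys
from dataclasses import dataclass

# Programs that read a secret from the terminal (constructed policy list;
# extend it for the site). Keystrokes consumed by these are redacted.
SECRET_READERS = frozenset({"su", "sudo", "passwd", "ssh", "mysql"})

# Shape of a TTY record as written by the kernel's tty_audit (field order is
# fixed, so one regex suffices). comm is hex-encoded if it has unusual bytes.
TTY_RE = re.compile(
    r"^type=TTY msg=audit\((?P<stamp>[\d.]+):(?P<serial>\d+)\): tty "
    r"pid=(?P<pid>\d+) uid=(?P<uid>\d+) auid=(?P<auid>\d+) ses=(?P<ses>\d+) "
    r"major=\d+ minor=\d+ comm=(?P<comm>\S+) data=(?P<data>[0-9A-Fa-f]*)$"
)

# Constructed sample: a shell command, a command that then prompts for a
# password, and the password itself read by the mysql client.
SAMPLE = [
    'type=SYSCALL msg=audit(1342100000.100:500): arch=c000003e syscall=59 success=yes exit=0 items=2 pid=2165 auid=1000 uid=0 ses=1 comm="bash" exe="/bin/bash" key="exec"',
    'type=TTY msg=audit(1342100000.101:501): tty pid=2165 uid=0 auid=1000 ses=1 major=136 minor=0 comm="bash" data=6C73202D6C610D',
    'type=TTY msg=audit(1342100000.102:502): tty pid=2165 uid=0 auid=1000 ses=1 major=136 minor=0 comm="bash" data=6D7973716C202D70207F0D',
    'type=TTY msg=audit(1342100000.103:503): tty pid=2170 uid=0 auid=1000 ses=1 major=136 minor=0 comm="mysql" data=7333637265740D',
]


@dataclass
class TtyInput:
    serial: int
    auid: int
    ses: int
    pid: int
    comm: str
    keystrokes: str
    redacted: bool


def decode_comm(raw):
    """comm is either "quoted" or hex-encoded, like every audit string field."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode("utf-8", "replace")


def render_keystrokes(hexdata):
    """Turn the raw input bytes into readable text; Enter is \\r on a tty."""
    out = []
    for b in bytes.fromhex(hexdata):
        if b == 0x0D:
            out.append("<ret>")
        elif b == 0x7F:
            out.append("<bs>")
        elif b == 0x1B:
            out.append("<esc>")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append(f"<{b:02x}>")
    return "".join(out)


def filter_tty_record(line, secret_readers=SECRET_READERS):
    """Return a TtyInput for a TTY record, None for any other record type."""
    m = TTY_RE.match(line.strip())
    if not m:
        return None
    comm = decode_comm(m["comm"])
    if comm in secret_readers:
        shown, redacted = f"<redacted {len(m['data']) // 2} bytes>", True
    else:
        shown, redacted = render_keystrokes(m["data"]), False
    return TtyInput(int(m["serial"]), int(m["auid"]), int(m["ses"]),
                    int(m["pid"]), comm, shown, redacted)


def filter_stream(lines, secret_readers=SECRET_READERS):
    """Apply the policy to an iterable of audit records (e.g. sys.stdin)."""
    records = (filter_tty_record(line, secret_readers) for line in lines)
    return [r for r in records if r is not None]


def format_line(rec):
    """One line per record for the handler's own log file."""
    return f"auid={rec.auid} ses={rec.ses} pid={rec.pid} comm={rec.comm} input={rec.keystrokes}"


if __name__ == "__main__":
    source = SAMPLE if "--demo" in sys.argv else sys.stdin
    for rec in filter_stream(source):
        print(format_line(rec))
```

Keying on `comm` sidesteps the bypass Mirek describes for echo-state checks (nothing a user does to the tty changes which process read the bytes), but it fails the other way: a secret typed into any program missing from the list is logged in clear, so the list needs to be maintained, and the redaction keeps the byte count and `comm` so reviewers can still see that `mysql` read input in that session.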


* Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
  2013-03-13 17:37             ` Miloslav Trmac
@ 2013-03-14 14:56               ` Richard Guy Briggs
  0 siblings, 0 replies; 23+ messages in thread
From: Richard Guy Briggs @ 2013-03-14 14:56 UTC (permalink / raw)
  To: Miloslav Trmac; +Cc: linux-audit

On Wed, Mar 13, 2013 at 01:37:53PM -0400, Miloslav Trmac wrote:
> ----- Original Message -----
> > On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
> > > ----- Original Message -----
> > > > > Please do post the patch here when you have it worked out as I
> > > > > am
> > > > > very likely
> > > > > to miss it in the flood of kernel patches when it goes to/from
> > > > > Linus.
> > > > 
> > > > Here you go.  Given Steve's good question, this control method
> > > > may
> > > > change.
> > > 
> > > Isn't "icanon" _true_ when the data is echoed?  This patch would
> > > allow
> > > dropping the echoed data (i.e. commands), not the non-echoed data
> > > (i.e. passwords).
> > > (I might be mistaken and I haven't tested this.)
> > 
> > Apparently not.  This is what took me longer than I initially thought
> > necessary to get this working, rechecking my pam incantations along the
> > way.  I went back and actually removed my switch and just isolated
> > icanon in the decision to abort the function to confirm how it worked,
> > then inverted the test which is when it started working.  Eric was right
> > to start with.
> 
> Are you looking at AUDIT_TTY only, or at AUDIT_USER_TTY as well?  The
> latter is generated by bash and not relevant.

I was looking at both, but primarily watching AUDIT_TTY for sshd, since
that is the pam rule that I was using for testing.

> Anyway, I was being stupid - icanon is enabled even when asking for
> passwords (because backspace works).  When asking for passwords, the
> situation seems to be (ICANON && !ECHO) (using the tcsetattr(3p)
> names; I have checked agetty(8) and su(1)).  We definitely want to
> audit (ICANON && ECHO); I'm not sure about the !ICANON cases - I
> suspect we want them audited as well.  But that might need a more
> detailed look.

This reply is a bit stale since I started to write it yesterday...

Ok, so it sounds like I need to add (or substitute) "&& !L_ECHO(tty)" to
that expression.

As a sanity check, can I just verify that to test this, I should only
need to add something like "session required pam_tty_audit.so disable=*
enable=rgb" to /etc/pam.d/sshd and then ssh in to the box as rgb, then
issue a command that requires a password such as ssh or su?

Ok, I just chatted with Mirek...  He pointed me at:
	https://access.redhat.com/knowledge/solutions/226243

I had set it up for a non-root user to avoid logging the instrumentation
console...

I'll redo these tests...

>     Mirek

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635


* Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
  2013-03-13 14:55       ` Richard Guy Briggs
  2013-03-13 15:59         ` Steve Grubb
@ 2013-03-13 20:24         ` Tracy Reed
  1 sibling, 0 replies; 23+ messages in thread
From: Tracy Reed @ 2013-03-13 20:24 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit



On Wed, Mar 13, 2013 at 07:55:29AM PDT, Richard Guy Briggs spake thusly:
> I haven't seen a lot of requests for this feature yet, but it sounds
> like there could be a lot of interest, so it may be worth doing
> correctly, rather than as a quick fix.

As people become more security-aware and implement PCI/HIPAA/FISMA and other
regulatory regimes (which are why I'm here) they will be asking for more
auditing capability, especially in the area of console/tty logging where Linux
has historically been weak. Writing out passwords to logfiles is simply not an
option. We are currently looking at Xceedium for auditing/logging our bastion
hosts but would really prefer to avoid that route if auditd or some other Linux
component could handle that for us.

-- 
Tracy Reed


* Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
  2013-03-13 16:53           ` Richard Guy Briggs
@ 2013-03-13 17:37             ` Miloslav Trmac
  2013-03-14 14:56               ` Richard Guy Briggs
  0 siblings, 1 reply; 23+ messages in thread
From: Miloslav Trmac @ 2013-03-13 17:37 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit

----- Original Message -----
> On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
> > ----- Original Message -----
> > > > Please do post the patch here when you have it worked out as I
> > > > am
> > > > very likely
> > > > to miss it in the flood of kernel patches when it goes to/from
> > > > Linus.
> > > 
> > > Here you go.  Given Steve's good question, this control method
> > > may
> > > change.
> > 
> > Isn't "icanon" _true_ when the data is echoed?  This patch would
> > allow
> > dropping the echoed data (i.e. commands), not the non-echoed data
> > (i.e. passwords).
> > (I might be mistaken and I haven't tested this.)
> 
> Apparently not.  This is what took me longer than I initially thought
> necessary to get this working, rechecking my pam incantations along the
> way.  I went back and actually removed my switch and just isolated
> icanon in the decision to abort the function to confirm how it worked,
> then inverted the test which is when it started working.  Eric was right
> to start with.

Are you looking at AUDIT_TTY only, or at AUDIT_USER_TTY as well?  The latter is generated by bash and not relevant.

Anyway, I was being stupid - icanon is enabled even when asking for passwords (because backspace works).  When asking for passwords, the situation seems to be (ICANON && !ECHO) (using the tcsetattr(3p) names; I have checked agetty(8) and su(1)).  We definitely want to audit (ICANON && ECHO); I'm not sure about the !ICANON cases - I suspect we want them audited as well.  But that might need a more detailed look.
    Mirek
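
The ICANON/ECHO distinction in this message, in Mirek's July 2012 reply about non-echoed input, and in Richard's `&& !L_ECHO(tty)` follow-up can be checked from userspace with the termios flags of a pty. The Python below is an added illustration, not code from the thread or from the kernel patch: it classifies a terminal's local-mode flags the way the discussion does and drives a fresh pty through the states su goes through around a password prompt. The classification names, `should_audit` and its `log_passwd` parameter are this example's own assumptions mirroring what a tty-audit decision would look like.

```python
import os
import termios

# Classification names are this example's own (assumption), not kernel terms.
COMMAND_LINE = "command-line"        # ICANON && ECHO: line input, echoed back
PASSWORD_PROMPT = "password-prompt"  # ICANON && !ECHO: what su/agetty set to read a password
NON_CANONICAL = "non-canonical"      # !ICANON: readline-style shells, editors, curses apps


def classify(icanon, echo):
    if icanon and echo:
        return COMMAND_LINE
    if icanon:
        return PASSWORD_PROMPT
    return NON_CANONICAL


def classify_lflag(lflag):
    """Classify from a termios c_lflag word (index 3 of tcgetattr())."""
    return classify(bool(lflag & termios.ICANON), bool(lflag & termios.ECHO))


def classify_fd(fd):
    return classify_lflag(termios.tcgetattr(fd)[3])


def should_audit(icanon, echo, log_passwd=False):
    """The decision sketched in the thread: keep everything except non-echoed
    canonical input, unless the administrator opts into logging passwords
    (log_passwd is a name assumed for this example)."""
    return log_passwd or classify(icanon, echo) != PASSWORD_PROMPT


def _set_lflag_bits(fd, bits, enabled):
    attrs = termios.tcgetattr(fd)
    attrs[3] = (attrs[3] | bits) if enabled else (attrs[3] & ~bits)
    termios.tcsetattr(fd, termios.TCSANOW, attrs)


def pty_demo():
    """Drive a fresh pty through the states around a password prompt and return
    the classification seen at each step, or None if the host offers no pty."""
    try:
        master, slave = os.openpty()
    except OSError:
        return None
    seen = []
    try:
        _set_lflag_bits(slave, termios.ICANON | termios.ECHO, True)  # shell at its prompt
        seen.append(classify_fd(slave))
        _set_lflag_bits(slave, termios.ECHO, False)                  # su turns echo off
        seen.append(classify_fd(slave))
        # If su were killed here, the tty would stay in this state and
        # should_audit() would keep returning False: the bypass Mirek describes.
        _set_lflag_bits(slave, termios.ECHO, True)                   # su restores echo
        seen.append(classify_fd(slave))
        _set_lflag_bits(slave, termios.ICANON, False)                # readline/editor mode
        seen.append(classify_fd(slave))
    finally:
        os.close(master)
        os.close(slave)
    return seen


if __name__ == "__main__":
    for icanon in (True, False):
        for echo in (True, False):
            print(f"ICANON={icanon!s:5} ECHO={echo!s:5} -> {classify(icanon, echo):16} "
                  f"audit={should_audit(icanon, echo)}")
    print("pty walk-through:", pty_demo())
```

The walk-through is also the reason the thread's first patch did not work as hoped: a test on `icanon` alone puts the first and second steps in the same bucket, so it is the `ECHO` bit that separates the password read from the command that preceded it.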


* Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
  2013-03-13 16:43         ` Miloslav Trmac
@ 2013-03-13 16:53           ` Richard Guy Briggs
  2013-03-13 17:37             ` Miloslav Trmac
  0 siblings, 1 reply; 23+ messages in thread
From: Richard Guy Briggs @ 2013-03-13 16:53 UTC (permalink / raw)
  To: Miloslav Trmac; +Cc: linux-audit

On Wed, Mar 13, 2013 at 12:43:58PM -0400, Miloslav Trmac wrote:
> ----- Original Message -----
> > > Please do post the patch here when you have it worked out as I am
> > > very likely
> > > to miss it in the flood of kernel patches when it goes to/from
> > > Linus.
> > 
> > Here you go.  Given Steve's good question, this control method may
> > change.
> 
> Isn't "icanon" _true_ when the data is echoed?  This patch would allow
> dropping the echoed data (i.e. commands), not the non-echoed data
> (i.e. passwords).
> (I might be mistaken and I haven't tested this.)

Apparently not.  This is what took me longer than I initially thought
necessary to get this working, rechecking my pam incantations along the
way.  I went back and actually removed my switch and just isolated
icanon in the decision to abort the function to confirm how it worked,
then inverted the test which is when it started working.  Eric was right
to start with.

>     Mirek

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635


* Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
  2013-03-13 16:26       ` Richard Guy Briggs
@ 2013-03-13 16:43         ` Miloslav Trmac
  2013-03-13 16:53           ` Richard Guy Briggs
  0 siblings, 1 reply; 23+ messages in thread
From: Miloslav Trmac @ 2013-03-13 16:43 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit

----- Original Message -----
> > Please do post the patch here when you have it worked out as I am
> > very likely
> > to miss it in the flood of kernel patches when it goes to/from
> > Linus.
> 
> Here you go.  Given Steve's good question, this control method may
> change.

Isn't "icanon" _true_ when the data is echoed?  This patch would allow dropping the echoed data (i.e. commands), not the non-echoed data (i.e. passwords).

(I might be mistaken and I haven't tested this.)
    Mirek


* Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
  2013-03-12 21:09     ` Tracy Reed
@ 2013-03-13 16:26       ` Richard Guy Briggs
  2013-03-13 16:43         ` Miloslav Trmac
  0 siblings, 1 reply; 23+ messages in thread
From: Richard Guy Briggs @ 2013-03-13 16:26 UTC (permalink / raw)
  To: Tracy Reed; +Cc: linux-audit, Miloslav Trmac


On Tue, Mar 12, 2013 at 02:09:37PM -0700, Tracy Reed wrote:
> On Tue, Mar 12, 2013 at 01:47:42PM PDT, Richard Guy Briggs spake thusly:
> > I'm actually working on that right now.  I have a patch I am in the
> > process of testing.  It implements a new sysctl.  I'm working in
> > the upstream kernel, so it will likely be available in Linus' git tree
> > before anywhere else.  After that, likely fedora, then RHEL, but I'm a
> > bit new to that process.
> 
> Wow, thanks! Always glad to see good security features/auditing being added to
> the kernel. Although I'm surprised a new sysctl was necessary and it couldn't
> all be done in auditd in userspace. I look forward to reading over the code to
> learn what went into this.

The necessary hooks are in the tty driver in the kernel.  Control bits
could be managed by audit in userspace, but would still need kernel
intervention.

> Please do post the patch here when you have it worked out as I am very likely
> to miss it in the flood of kernel patches when it goes to/from Linus.

Here you go.  Given Steve's good question, this control method may
change.

> Thanks again!

No worries, glad to be of service.

> Tracy Reed

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635

[-- Attachment #2: 0001-tty-add-a-sysctl-switch-to-avoid-logging-passwords-w.patch --]

From 1c67c13117d3e44036a890664f7aec413a392545 Mon Sep 17 00:00:00 2001
From: Richard Guy Briggs <rgb@redhat.com>
Date: Wed, 13 Mar 2013 11:31:59 -0400
Subject: [PATCH] tty: add a sysctl switch to avoid logging passwords with audit
To: linux-audit@redhat.com

Most commands are entered one line at a time and processed as complete lines
in non-canonical mode.  Commands that interactively require a password enter
canonical mode to do this.  This feature (icanon) can be used to avoid logging
passwords by audit while still logging the rest of the command.

The sysctl is /proc/sys/kernel/tty/audit_log_icanon with a default value of 0
to not log passwords.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 drivers/tty/tty_audit.c |   45 +++++++++++++++++++++++++++++++++++++++++++++
 drivers/tty/tty_io.c    |    2 ++
 include/linux/tty.h     |    4 ++++
 3 files changed, 51 insertions(+), 0 deletions(-)

diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 6953dc8..689f8d8 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -22,6 +22,49 @@ struct tty_audit_buf {
 	unsigned char *data;	/* Allocated size N_TTY_BUF_SIZE */
 };
 
+int tty_audit_log_icanon = 0;
+static int tty_audit_log_icanon_limit_min;
+static int tty_audit_log_icanon_limit_max = INT_MAX; //1?
+
+static struct ctl_table tty_table[] = {
+	{
+		.procname	= "audit_log_icanon",
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.data		= &tty_audit_log_icanon,
+		.proc_handler	= proc_dointvec_minmax,
+		.extra1		= &tty_audit_log_icanon_limit_min,
+		.extra2		= &tty_audit_log_icanon_limit_max,
+	},
+	{}
+};
+
+static struct ctl_table tty_kern_table[] = {
+	{
+		.procname	= "tty",
+		.mode		= 0555,
+		.child		= tty_table,
+	},
+	{}
+};
+
+static struct ctl_table tty_root_table[] = {
+	{
+		.procname	= "kernel",
+		.mode		= 0555,
+		.child		= tty_kern_table,
+	},
+	{}
+};
+
+void tty_audit_sysctl_register(void)
+{
+	struct ctl_table_header *table;
+
+	table = register_sysctl_table(tty_root_table);
+	// if error, unregister_sysctl_table(table);
+}
+
 static struct tty_audit_buf *tty_audit_buf_alloc(int major, int minor,
 						 unsigned icanon)
 {
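Review bot: `tty_audit_sysctl_register()` throws away the result of `register_sysctl_table()`, which returns NULL on failure, so `table` is assigned and never read (compiler warning) and a failed registration goes unnoticed; the `// if error, unregister_sysctl_table(table);` comment is also wrong, since there is nothing to unregister when registration fails. Check for NULL and either `WARN()` or return an error to the caller, and keep the header in a static if the table is ever meant to be torn down. Two smaller points in the same hunk: `tty_audit_log_icanon_limit_max = INT_MAX; //1?` should be 1, because the value is only ever used as a boolean in `if (!tty_audit_log_icanon && icanon)`, so `proc_dointvec_minmax` should reject anything but 0 and 1; and the `//` comments should be `/* */` per the kernel coding style. The new sysctl is also not documented anywhere under Documentation/.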
@@ -296,6 +339,8 @@ void tty_audit_add_data(struct tty_struct *tty, unsigned char *data,
 	if (unlikely(size == 0))
 		return;
 
+	if (!tty_audit_log_icanon && icanon) return;
+
 	if (tty->driver->type == TTY_DRIVER_TYPE_PTY
 	    && tty->driver->subtype == PTY_TYPE_MASTER)
 		return;
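Review bot: `if (!tty_audit_log_icanon && icanon) return;` suppresses every byte typed while the line discipline is in canonical mode, not only password prompts: a shell without line editing, `cat`, `read` in a script and any other cooked-mode reader also keep ICANON set (with ECHO on), so their input is silently dropped under the default of 0, which is exactly the "crafty admin" loophole raised earlier in this thread. What distinguishes a password prompt is canonical mode with echo off; testing the tty's ECHO flag in addition to `icanon` narrows the exemption, and emitting a record saying that input was suppressed, rather than emitting nothing, would at least let an auditor see the gap. Style: `return;` belongs on its own line.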
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 05400ac..72ce653 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -3495,6 +3495,8 @@ int __init tty_init(void)
 	else
 		WARN_ON(device_create_file(consdev, &dev_attr_active) < 0);
 
+	tty_audit_sysctl_register();
+
 #ifdef CONFIG_VT
 	vty_init(&console_fops);
 #endif
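Review bot: `tty_audit_sysctl_register()` returns void, so `tty_init()` cannot notice a failed registration; the surrounding code wraps `device_create_file()` in `WARN_ON(... < 0)`, and the new call should follow the same pattern by returning an int that `tty_init()` checks.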
diff --git a/include/linux/tty.h b/include/linux/tty.h
index c75d886..2710abe 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -544,6 +544,7 @@ extern void tty_audit_tiocsti(struct tty_struct *tty, char ch);
 extern void tty_audit_push(struct tty_struct *tty);
 extern int tty_audit_push_task(struct task_struct *tsk,
 			       kuid_t loginuid, u32 sessionid);
+extern void tty_audit_sysctl_register(void);
 #else
 static inline void tty_audit_add_data(struct tty_struct *tty,
 		unsigned char *data, size_t size, unsigned icanon)
@@ -566,6 +567,9 @@ static inline int tty_audit_push_task(struct task_struct *tsk,
 {
 	return 0;
 }
+static inline tty_audit_sysctl_register(void)
+{
+}
 #endif
 
 /* tty_ioctl.c */
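Review bot: `static inline tty_audit_sysctl_register(void)` in the `#else` (audit disabled) branch is missing its `void` return type, so it declares an implicit-int function that conflicts with the `extern void tty_audit_sysctl_register(void)` added in the previous hunk and will not build with CONFIG_AUDIT off; write `static inline void tty_audit_sysctl_register(void)`. That suggests the patch was only build-tested with audit enabled.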
-- 
1.7.1
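An added example, not part of the patch or the thread, to show what the patch's test `if (!tty_audit_log_icanon && icanon) return;` actually exempts. It replays that decision on termios line-discipline flags and compares it with the echo-based rule discussed elsewhere in this thread and with a rule that combines both. The scenario flag values are constructed from how each program sets up the tty (GNU readline, bash's line editor, clears ICANON and ECHO and echoes by itself; getpass()-style prompts keep ICANON and clear ECHO; a shell with no line editor, cat or read(1) leave the tty cooked, ICANON|ECHO); the scenario list and the failure counts are my own, not the audit project's.

```python
"""Replay the audit_log_icanon decision on termios flags (added example)."""
import os
import sys
import termios

ICANON = termios.ICANON
ECHO = termios.ECHO


def patch_logs(lflag, audit_log_icanon=0):
    """Mirror of the kernel hunk: drop canonical-mode input unless the
    sysctl kernel.tty.audit_log_icanon is non-zero."""
    icanon = bool(lflag & ICANON)
    if not audit_log_icanon and icanon:
        return False
    return True


def echo_rule_logs(lflag):
    """Rule floated in the thread: log only while the tty echoes."""
    return bool(lflag & ECHO)


def combined_rule_logs(lflag):
    """Exempt only the getpass() signature: canonical mode with echo off."""
    return not (lflag & ICANON and not lflag & ECHO)


# Constructed scenarios: name -> (c_lflag bits that matter, input is a secret).
# Other c_lflag bits (ISIG, IEXTEN, ...) do not affect any of the rules.
SCENARIOS = {
    "bash command line via readline": (0, False),
    "getpass()/passwd password prompt": (ICANON, True),
    "cat > file or sh without readline": (ICANON | ECHO, False),
    "stty -echo; sh (deliberate evasion)": (ICANON, False),
}


def evaluate(rule, **kw):
    """Count a rule's two failure modes over SCENARIOS: secrets written to
    the audit log, and non-secret keystrokes that are never logged."""
    secrets_logged = 0
    keystrokes_lost = 0
    for _name, (lflag, is_secret) in SCENARIOS.items():
        logged = rule(lflag, **kw)
        if logged and is_secret:
            secrets_logged += 1
        if not logged and not is_secret:
            keystrokes_lost += 1
    return {"secrets_logged": secrets_logged, "keystrokes_lost": keystrokes_lost}


def current_tty_verdict(fd=None):
    """Apply all three rules to the real flags of the calling terminal;
    None when stdin is not a tty (tcgetattr()[3] is c_lflag)."""
    fd = sys.stdin.fileno() if fd is None else fd
    if not os.isatty(fd):
        return None
    lflag = termios.tcgetattr(fd)[3]
    return {
        "patch_logs": patch_logs(lflag),
        "echo_rule_logs": echo_rule_logs(lflag),
        "combined_rule_logs": combined_rule_logs(lflag),
    }


if __name__ == "__main__":
    for name, rule in (("patch (icanon)", patch_logs),
                       ("echo flag", echo_rule_logs),
                       ("icanon && !echo", combined_rule_logs)):
        print("%-18s %s" % (name, evaluate(rule)))
    print("this terminal:", current_tty_verdict())
```

Run it from an interactive shell and the last line shows how the shell you are typing into would be treated. None of the rules leaks a secret in these scenarios, but the icanon-only test of the patch loses every cooked-mode reader, the echo-only rule loses every readline shell, and even the combined rule is defeated by `stty -echo` followed by a plain shell: the flags are set by the program reading the tty, so against a hostile root they are a convenience, not a control.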





^ permalink raw reply related	[flat|nested] 23+ messages in thread

* Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
  2013-03-13 14:55       ` Richard Guy Briggs
@ 2013-03-13 15:59         ` Steve Grubb
  2013-03-13 20:24         ` Tracy Reed
  1 sibling, 0 replies; 23+ messages in thread
From: Steve Grubb @ 2013-03-13 15:59 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit

On Wednesday, March 13, 2013 10:55:29 AM Richard Guy Briggs wrote:
> On Tue, Mar 12, 2013 at 05:09:15PM -0400, Steve Grubb wrote:
> > On Tuesday, March 12, 2013 04:47:42 PM Richard Guy Briggs wrote:
> > > On Tue, Mar 12, 2013 at 07:06:59AM -0400, Miloslav Trmac wrote:
> > > > ----- Original Message -----
> > > > 
> > > > > I am resurrecting this old thread from last summer because I ran
> > > > > into
> > > > > the same issue and found the thread in the archives via Google. It
> > > > > would be very nice if everything could be logged except passwords.
> > > > 
> > > > There is work being done.  Sorry, I don't have more specifics as to
> > > > availability, perhaps others do.
> > > 
> > > Hi Tracy,
> > > 
> > > I'm actually working on that right now.  I have a patch I am in the
> > > process of testing.  It implements a new sysctl.
> > 
> > Why would this be done as a sysctl? Everything else in the audit system is
> > configured through the netlink API. I would think that we would want to
> > have it configured by the same pam module that we currently use to enable
> > tty auditing. So, why not make a new netlink command that pam can use?
> 
> The lazy and naive answer is that that was the approach that was
> suggested by two developers much more familiar with this code than me (I
> expect that to balance out with time.)
> 
> Now that you suggest this, I agree that approach makes a lot of sense.
> 
> The more technical answer might be that it is much more expedient to do
> it with a sysctl since it involves fewer compiled entities to implement
> and hence can be rolled out faster with less co-ordination of other
> software projects. 

To me, it's more important to not have a proliferation of places that must be 
tweaked for the audit system. It's not a big deal to patch pam to have a new 
argument.


> After the kernel is recompiled (needed in any case)
> it can be implemented with one line added to a file in /etc/sysctl.d/
> while your approach requires adding code to audit and pam, waiting for
> it to be released by their respective teams, then the user adding a
> config option to the pam module invocation.  I agree that would be more
> convenient for end users since it can be an option added in the same
> place as the module is invoked.

The problem that I have had for a long time is that there is no way to query 
the kernel and ask what its audit capabilities are so that meaningful user 
space warnings can be given.


> I haven't seen a lot of requests for this feature yet, but it sounds
> like there could be a lot of interest, so it may be worth doing
> correctly, rather than as a quick fix.
> 
> Am I missing anything?

Nope. Let's make it nice and easy to configure in the same place that it's 
already being done. :-)

Thanks,
-Steve


* Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
  2013-03-12 21:09     ` Steve Grubb
@ 2013-03-13 14:55       ` Richard Guy Briggs
  2013-03-13 15:59         ` Steve Grubb
  2013-03-13 20:24         ` Tracy Reed
  0 siblings, 2 replies; 23+ messages in thread
From: Richard Guy Briggs @ 2013-03-13 14:55 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On Tue, Mar 12, 2013 at 05:09:15PM -0400, Steve Grubb wrote:
> On Tuesday, March 12, 2013 04:47:42 PM Richard Guy Briggs wrote:
> > On Tue, Mar 12, 2013 at 07:06:59AM -0400, Miloslav Trmac wrote:
> > > ----- Original Message -----
> > > 
> > > > I am resurrecting this old thread from last summer because I ran into
> > > > the same issue and found the thread in the archives via Google. It
> > > > would be very nice if everything could be logged except passwords.
> > > 
> > > There is work being done.  Sorry, I don't have more specifics as to
> > > availability, perhaps others do.
> > 
> > Hi Tracy,
> > 
> > I'm actually working on that right now.  I have a patch I am in the
> > process of testing.  It implements a new sysctl.
> 
> Why would this be done as a sysctl? Everything else in the audit system is 
> configured through the netlink API. I would think that we would want to have it 
> configured by the same pam module that we currently use to enable tty auditing. 
> So, why not make a new netlink command that pam can use?

The lazy and naive answer is that that was the approach that was
suggested by two developers much more familiar with this code than me (I
expect that to balance out with time.)

Now that you suggest this, I agree that approach makes a lot of sense.

The more technical answer might be that it is much more expedient to do
it with a sysctl since it involves fewer compiled entities to implement
and hence can be rolled out faster with less co-ordination of other
software projects.  After the kernel is recompiled (needed in any case)
it can be implemented with one line added to a file in /etc/sysctl.d/
while your approach requires adding code to audit and pam, waiting for
it to be released by their respective teams, then the user adding a
config option to the pam module invocation.  I agree that would be more
convenient for end users since it can be an option added in the same
place as the module is invoked.

I haven't seen a lot of requests for this feature yet, but it sounds
like there could be a lot of interest, so it may be worth doing
correctly, rather than as a quick fix.

Am I missing anything?

> > I'm working in the upstream kernel, so it will likely be available in Linus'
> > git tree before anywhere else.
> 
> Normally audit patches are sent to this mail list for review. If there are no 
> objections then it can be pulled into an upstream tree.

I'll post this patch anyways.

> -Steve
> 
> > After that, likely fedora, then RHEL, but I'm a bit new to that process.
> > 
> > I don't see a reason why I couldn't post that patch here when I've got
> > it ironed out.

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635


* Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
  2013-03-12 20:47   ` Richard Guy Briggs
  2013-03-12 21:09     ` Steve Grubb
@ 2013-03-12 21:09     ` Tracy Reed
  2013-03-13 16:26       ` Richard Guy Briggs
  1 sibling, 1 reply; 23+ messages in thread
From: Tracy Reed @ 2013-03-12 21:09 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit, Miloslav Trmac

On Tue, Mar 12, 2013 at 01:47:42PM PDT, Richard Guy Briggs spake thusly:
> I'm actually working on that right now.  I have a patch I am in the
> process of testing.  It implements a new sysctl.  I'm working in
> the upstream kernel, so it will likely be available in Linus' git tree
> before anywhere else.  After that, likely fedora, then RHEL, but I'm a
> bit new to that process.

Wow, thanks! Always glad to see good security features/auditing being added to
the kernel. Although I'm surprised a new sysctl was necessary and it couldn't
all be done in auditd in userspace. I look forward to reading over the code to
learn what went into this.

Please do post the patch here when you have it worked out as I am very likely
to miss it in the flood of kernel patches when it goes to/from Linus.

Thanks again!

-- 
Tracy Reed


* Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
  2013-03-12 20:47   ` Richard Guy Briggs
@ 2013-03-12 21:09     ` Steve Grubb
  2013-03-13 14:55       ` Richard Guy Briggs
  2013-03-12 21:09     ` Tracy Reed
  1 sibling, 1 reply; 23+ messages in thread
From: Steve Grubb @ 2013-03-12 21:09 UTC (permalink / raw)
  To: linux-audit

On Tuesday, March 12, 2013 04:47:42 PM Richard Guy Briggs wrote:
> On Tue, Mar 12, 2013 at 07:06:59AM -0400, Miloslav Trmac wrote:
> > ----- Original Message -----
> > 
> > > I am resurrecting this old thread from last summer because I ran into
> > > the same issue and found the thread in the archives via Google. It
> > > would be very nice if everything could be logged except passwords.
> > 
> > There is work being done.  Sorry, I don't have more specifics as to
> > availability, perhaps others do.
> 
> Hi Tracy,
> 
> I'm actually working on that right now.  I have a patch I am in the
> process of testing.  It implements a new sysctl.

Why would this be done as a sysctl? Everything else in the audit system is 
configured through the netlink API. I would think that we would want to have it 
configured by the same pam module that we currently use to enable tty auditing. 
So, why not make a new netlink command that pam can use?


> I'm working in the upstream kernel, so it will likely be available in Linus'
> git tree before anywhere else.

Normally audit patches are sent to this mail list for review. If there are no 
objections then it can be pulled into an upstream tree.

-Steve

> After that, likely fedora, then RHEL, but I'm a bit new to that process.
> 
> I don't see a reason why I couldn't post that patch here when I've got
> it ironed out.


* Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
  2013-03-12 11:06 ` Miloslav Trmac
@ 2013-03-12 20:47   ` Richard Guy Briggs
  2013-03-12 21:09     ` Steve Grubb
  2013-03-12 21:09     ` Tracy Reed
  0 siblings, 2 replies; 23+ messages in thread
From: Richard Guy Briggs @ 2013-03-12 20:47 UTC (permalink / raw)
  To: Miloslav Trmac; +Cc: linux-audit

On Tue, Mar 12, 2013 at 07:06:59AM -0400, Miloslav Trmac wrote:
> ----- Original Message -----
> > I am resurrecting this old thread from last summer because I ran into the same
> > issue and found the thread in the archives via Google. It would be very nice if
> > everything could be logged except passwords.
> 
> There is work being done.  Sorry, I don't have more specifics as to
> availability, perhaps others do.

Hi Tracy,

I'm actually working on that right now.  I have a patch I am in the
process of testing.  It implements a new sysctl.  I'm working in
the upstream kernel, so it will likely be available in Linus' git tree
before anywhere else.  After that, likely fedora, then RHEL, but I'm a
bit new to that process.

I don't see a reason why I couldn't post that patch here when I've got
it ironed out.

>     Mirek

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer
AMER ENG Base Operating Systems
Remote, Canada, Ottawa
Voice: 1.647.777.2635
Internal: (81) 32635


* Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
  2013-03-11 19:48 Tracy Reed
@ 2013-03-12 11:06 ` Miloslav Trmac
  2013-03-12 20:47   ` Richard Guy Briggs
  0 siblings, 1 reply; 23+ messages in thread
From: Miloslav Trmac @ 2013-03-12 11:06 UTC (permalink / raw)
  To: Tracy Reed; +Cc: linux-audit

----- Original Message -----
> I am resurrecting this old thread from last summer because I ran into the same
> issue and found the thread in the archives via Google. It would be very nice if
> everything could be logged except passwords.

There is work being done.  Sorry, I don't have more specifics as to availability, perhaps others do.
    Mirek


* Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords
@ 2013-03-11 19:48 Tracy Reed
  2013-03-12 11:06 ` Miloslav Trmac
  0 siblings, 1 reply; 23+ messages in thread
From: Tracy Reed @ 2013-03-11 19:48 UTC (permalink / raw)
  To: linux-audit

I am resurrecting this old thread from last summer because I ran into the same
issue and found the thread in the archives via Google. It would be very nice if
everything could be logged except passwords. Isn't the option for echo back set
in the tty settings? Could the pam module not log characters when the tty is
set for no echo back?  Or at least log the fact that something was typed but
not logged. A typical problematic log line looks like:

type=TTY msg=audit(1362711728.667:284493): tty pid=21810 uid=0 auid=500 major=136 minor=1 comm="passwd" data=ABCDEF01234569

We can already enable/disable audit based on user with enable= or disable= as
an argument to the pam module. Could we do something similar with the command?
So if comm="passwd" could we note that something was typed but not log the
actual chars?

On Friday, July 13, 2012 10:14:59 AM Florian Crouzat wrote:
> Le 12/07/2012 21:41, Thugzclub a écrit :
> > Florian,
> > 
> > Did you get and answer for this?
> > 
> > Regards.
> 
> Not a single one.

Hmm...I thought I sent an answer. The problem from the kernel's perspective is 
that it has no idea what user space is doing. It can't tell a password from 
anything else being typed. There is a flag that can be set for the TTY to hide 
characters. But the issue then becomes that now you have a loophole that a 
crafty admin could use to hide what he's really doing.

If anyone has ideas on how to improve this, I think we should.

-Steve


> > On 10 Jul 2012, at 08:29, Florian Crouzat <gentoo floriancrouzat net> wrote:
> >> Hi,
> >> 
> >> This is my first message to the list so please be indulgent, I might be
> >> mixing concepts here between auditd, selinux and pam. Any guidance much
> >> appreciated.
> >> 
> >> For PCI-DSS, in order to be allowed to have a real root shell instead of
> >> firing sudo all the time (and its lack of glob/completion), I'm trying
> >> to have any commands fired in any kind of root shell logged. (Of course
> >> it doesn't protect against malicious root users but that's off-topic).
> >> 
> >> So, I've been able to achieve that purpose by using :
> >> 
> >> $ grep tty /etc/pam.d/{su*,system-auth}
> >> /etc/pam.d/su:session required pam_tty_audit.so enable=root
> >> /etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
> >> /etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
> >> /etc/pam.d/su-l:session required pam_tty_audit.so enable=root
> >> /etc/pam.d/system-auth:session required pam_tty_audit.so disable=*
> >> enable=root
> >> 
> >> Every keystroke is logged in /var/log/audit/audit.log which is great. My
> >> only issue is that I just realized that prompt passwords are also
> >> logged, eg MySQL password or Spacewalk, etc. I can read them in plain
> >> text when doing "aureport --tty -if /var/log/audit/audit.log" and PCI-DSS
> >> forbids any kind of storage of passwords, is there a workaround ? Eg:
> >> don't log keystrokes when the prompt is "hidden" (inputting a password)
> >> 
> >> I'd like very much to be able to obtain real root shells for ease of work
> >> (sudo -i) my only constraint being: log everything but don't store any
> >> password.
> >> 
> >> Thanks,
> >> 
> >> --
> >> Cheers,
> >> Florian Crouzat
> 
> --
> Linux-audit mailing list
> Linux-audit redhat com
> https://www.redhat.com/mailman/listinfo/linux-audit

-- 
Tracy Reed
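An added example, not from the thread or the audit project, of the userspace workaround suggested above: keep each type=TTY record but strip the keystrokes when comm names a program that reads a secret from the terminal. The record layout follows the line quoted in the message; the allowlist of programs, the sample session and the `make_record` builder are my own assumptions for the demo.

```python
"""Post-filter type=TTY audit records by comm (added example)."""
import re

# Hypothetical allowlist of programs known to prompt for a secret on the tty.
SENSITIVE_COMMS = frozenset({"passwd", "su", "sudo", "mysql", "ssh", "gpg"})

# Everything between "tty " and " comm=" is kept opaque so extra fields
# (e.g. ses= on newer kernels) do not break the match.
_TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): tty '
    r'(?P<fields>.*?) comm="(?P<comm>[^"]*)" data=(?P<data>[0-9A-Fa-f]*)\s*$'
)

# The record quoted in the message this example follows.
QUOTED_LINE = ('type=TTY msg=audit(1362711728.667:284493): tty pid=21810 uid=0 '
               'auid=500 major=136 minor=1 comm="passwd" data=ABCDEF01234569')


def parse_tty_record(line):
    """Split one TTY record into its fields; None for non-TTY or malformed lines."""
    m = _TTY_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["keystrokes"] = bytes.fromhex(rec["data"])   # data= is hex of the raw input
    except ValueError:                                   # odd-length hex: not a record we trust
        return None
    return rec


def render_keystrokes(raw):
    """Show keystrokes the way a human reads them, control bytes escaped."""
    out = []
    for b in raw:
        if 0x20 <= b < 0x7F:
            out.append(chr(b))
        elif b in (0x0A, 0x0D):
            out.append("<ret>")
        else:
            out.append("<%02x>" % b)
    return "".join(out)


def redact_tty_record(line, sensitive=SENSITIVE_COMMS):
    """Return (line, redacted). data= is replaced when comm is on the allowlist;
    the byte count is kept so an auditor can still see that input happened."""
    rec = parse_tty_record(line)
    if rec is None or rec["comm"] not in sensitive:
        return line, False
    head = line[: line.rindex("data=")]
    return head + "data=<redacted %d bytes>" % len(rec["keystrokes"]), True


def filter_log(lines, sensitive=SENSITIVE_COMMS):
    """Redact a whole log; returns (filtered_lines, number_of_records_redacted)."""
    out, n = [], 0
    for line in lines:
        new, hit = redact_tty_record(line.rstrip("\n"), sensitive)
        out.append(new)
        n += hit
    return out, n


def make_record(comm, keystrokes, serial, pid=4242):
    """Constructed TTY record in the kernel's layout (sample data only)."""
    return ('type=TTY msg=audit(1362711728.667:%d): tty pid=%d uid=0 auid=500 '
            'major=136 minor=1 comm="%s" data=%s'
            % (serial, pid, comm, keystrokes.hex().upper()))


# Constructed sample session: the command line is attributed to bash, the
# password and the query that follow are attributed to mysql.
SAMPLE_LOG = [
    make_record("bash", b"mysql -u root -p\r", 1),
    make_record("mysql", b"s3cret\r", 2),
    make_record("mysql", b"select 1;\r", 3),
    QUOTED_LINE,
    "type=SYSCALL msg=audit(1362711728.668:285000): arch=c000003e syscall=59 success=yes",
]

if __name__ == "__main__":
    lines, n = filter_log(SAMPLE_LOG)
    print("\n".join(lines))
    print("%d record(s) redacted" % n)
```

The sample shows the cost of keying on comm: the `select 1;` typed into the mysql prompt is lost together with the password, because the kernel attributes all of it to comm="mysql". The filter also has to run before the records reach long-term storage (in an audisp plugin or at shipping time) to satisfy the "do not store" requirement, and it only covers programs you listed; root can run anything under an allowlisted name, which is the loophole Steve describes.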


Thread overview: 23+ messages
2012-07-10  7:29 PCI-DSS: Log every root actions/keystrokes but avoid passwords Florian Crouzat
2012-07-12 19:41 ` Thugzclub
2012-07-13  8:14   ` Florian Crouzat
2012-07-13 13:27     ` Steve Grubb
2012-07-13 13:50       ` Florian Crouzat
2012-07-13 14:11         ` Valentin Avram
2012-07-13 17:09         ` EXT :Re: " Boyce, Kevin P (AS)
2012-07-16  8:05           ` Florian Crouzat
2012-07-16 13:20             ` Steve Grubb
2012-07-13 14:23 ` Miloslav Trmac
2013-03-11 19:48 Tracy Reed
2013-03-12 11:06 ` Miloslav Trmac
2013-03-12 20:47   ` Richard Guy Briggs
2013-03-12 21:09     ` Steve Grubb
2013-03-13 14:55       ` Richard Guy Briggs
2013-03-13 15:59         ` Steve Grubb
2013-03-13 20:24         ` Tracy Reed
2013-03-12 21:09     ` Tracy Reed
2013-03-13 16:26       ` Richard Guy Briggs
2013-03-13 16:43         ` Miloslav Trmac
2013-03-13 16:53           ` Richard Guy Briggs
2013-03-13 17:37             ` Miloslav Trmac
2013-03-14 14:56               ` Richard Guy Briggs
