PCI-DSS: Log every root actions/keystrokes but avoid passwords

Discussion:

Florian Crouzat

2012-07-10 07:29:26 UTC

Hi,

This is my first message to the list to please be indulgent, I might be
mixing concepts here between auditd, selinux and pam. Any guidance much
appreciated.

For PCI-DSS, in order to be allowed to have a real root shell instead of
firing sudo all the time (and it's lack of glob/completion), I'm trying
to have any commands fired in any kind of root shell logged. (Of course
it doesn't protect against malicious root users but that's off-topic).

So, I've been able to achieve that purpose by using :

$ grep tty /etc/pam.d/{su*,system-auth}
/etc/pam.d/su:session required pam_tty_audit.so enable=root
/etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/su-l:session required pam_tty_audit.so enable=root
/etc/pam.d/system-auth:session required pam_tty_audit.so disable=*
enable=root

Every keystroke are logged in /var/log/audit/audit.log which is great.
My only issue is that I just realized that prompt passwords are also
logged, eg MySQL password or Spacewalk, etc.
I can read them in plain text when doing "aureport --tty -if
/var/log/audit/audit.log and PCI-DSS forbid any kind of storage of
passwords, is there a workaround ? Eg: don't log keystrokes when the
prompt is "hidden" (inputting a password)

I'd like very much to be able to obtain real root shells for ease of
work (sudo -i) my only constraint beeing: log everything but don't store
any password.

Thanks,

--
Cheers,
Florian Crouzat

Florian Crouzat

2012-07-13 08:14:59 UTC

Permalink

Florian,
Did you get and answer for this?
Regards.

Not a single one.

Florian.

Hi,
This is my first message to the list to please be indulgent, I might be mixing concepts here between auditd, selinux and pam. Any guidance much appreciated.
For PCI-DSS, in order to be allowed to have a real root shell instead of firing sudo all the time (and it's lack of glob/completion), I'm trying to have any commands fired in any kind of root shell logged. (Of course it doesn't protect against malicious root users but that's off-topic).
$ grep tty /etc/pam.d/{su*,system-auth}
/etc/pam.d/su:session required pam_tty_audit.so enable=root
/etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/su-l:session required pam_tty_audit.so enable=root
/etc/pam.d/system-auth:session required pam_tty_audit.so disable=* enable=root
Every keystroke are logged in /var/log/audit/audit.log which is great. My only issue is that I just realized that prompt passwords are also logged, eg MySQL password or Spacewalk, etc.
I can read them in plain text when doing "aureport --tty -if /var/log/audit/audit.log and PCI-DSS forbid any kind of storage of passwords, is there a workaround ? Eg: don't log keystrokes when the prompt is "hidden" (inputting a password)
I'd like very much to be able to obtain real root shells for ease of work (sudo -i) my only constraint beeing: log everything but don't store any password.
Thanks,
--
Cheers,
Florian Crouzat

Steve Grubb

2012-07-13 13:27:42 UTC

Permalink

Post by Florian Crouzat

Florian,
Did you get and answer for this?
Regards.

Not a single one.

Hmm...I thought I sent an answer. The problem from the kernel's perspective is
that it has no idea what user space is doing. It can't tell a password from
anything else being typed. There is a flag that can be set for the TTY to hide
characters. But the issue then becomes that now you have a loophole that a
crafty admin could use to hide what he's really doing.

If anyone has ideas on how to improve this, I think we should.

-Steve

Post by Florian Crouzat

Post by Florian Crouzat
Hi,
This is my first message to the list to please be indulgent, I might be
mixing concepts here between auditd, selinux and pam. Any guidance much
appreciated.
For PCI-DSS, in order to be allowed to have a real root shell instead of
firing sudo all the time (and it's lack of glob/completion), I'm trying
to have any commands fired in any kind of root shell logged. (Of course
it doesn't protect against malicious root users but that's off-topic).
$ grep tty /etc/pam.d/{su*,system-auth}
/etc/pam.d/su:session required pam_tty_audit.so enable=root
/etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/su-l:session required pam_tty_audit.so enable=root
/etc/pam.d/system-auth:session required pam_tty_audit.so disable=* enable=root
Every keystroke are logged in /var/log/audit/audit.log which is great. My
only issue is that I just realized that prompt passwords are also
logged, eg MySQL password or Spacewalk, etc. I can read them in plain
text when doing "aureport --tty -if /var/log/audit/audit.log and PCI-DSS
don't log keystrokes when the prompt is "hidden" (inputting a password)
I'd like very much to be able to obtain real root shells for ease of work
(sudo -i) my only constraint beeing: log everything but don't store any
password.
Thanks,
--
Cheers,
Florian Crouzat

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit

Florian Crouzat

2012-07-13 13:50:44 UTC

Permalink

Post by Steve Grubb
Hmm...I thought I sent an answer. The problem from the kernel's perspective is
that it has no idea what user space is doing. It can't tell a password from
anything else being typed. There is a flag that can be set for the TTY to hide
characters. But the issue then becomes that now you have a loophole that a
crafty admin could use to hide what he's really doing.
If anyone has ideas on how to improve this, I think we should.
-Steve

Yeah, I was afraid of that...
At least, thanks for clarifying.

I guess I'll stick with stating: don't fire any real root shell to all
my sysadmins in the PCI-DSS scope. (as it's impossible to completely
forbid all possible case , eg: forbid sudo -*, sudo sudo *, sudo su *
but hell, you can't forbid sudo ./foo.sh where foo fires a shell, there
is NOEXEC in sudo but then you can't do anything except reading...)

Anyway, I'm getting away of the real matter, avoiding to audit-log
passwords keystrokes.

--
Cheers,
Florian Crouzat

Valentin Avram

2012-07-13 14:11:33 UTC

Permalink

There is another way we used to pass PCI-DSS.

We use an audit rule to log all EXECVE happening on production servers,
rsyslog the logs to the remote centralized logs server, then parse the
audit logs there using a cron script and rebuild the commands issued on
each server by any user id.

Hope this helps.

Post by Steve Grubb
Hmm...I thought I sent an answer. The problem from the kernel's

Post by Steve Grubb
perspective is
that it has no idea what user space is doing. It can't tell a password from
anything else being typed. There is a flag that can be set for the TTY to hide
characters. But the issue then becomes that now you have a loophole that a
crafty admin could use to hide what he's really doing.
If anyone has ideas on how to improve this, I think we should.
-Steve

Yeah, I was afraid of that...
At least, thanks for clarifying.
I guess I'll stick with stating: don't fire any real root shell to all my
sysadmins in the PCI-DSS scope. (as it's impossible to completely forbid
all possible case , eg: forbid sudo -*, sudo sudo *, sudo su * but hell,
you can't forbid sudo ./foo.sh where foo fires a shell, there is NOEXEC in
sudo but then you can't do anything except reading...)
Anyway, I'm getting away of the real matter, avoiding to audit-log
passwords keystrokes.
--
Cheers,
Florian Crouzat
--
Linux-audit mailing list
https://www.redhat.com/**mailman/listinfo/linux-audit<https://www.redhat.com/mailman/listinfo/linux-audit>

Boyce, Kevin P (AS)

2012-07-13 17:09:15 UTC

Permalink

Wouldn't another option be to audit the exec of particular executables you are interested in knowing if someone runs?
Obviously you won't know what they are typing into text documents and such, but is that really required? Most places don't allow key loggers at all and it sounds like that's what you've got.

-----Original Message-----
From: linux-audit-***@redhat.com [mailto:linux-audit-***@redhat.com] On Behalf Of Florian Crouzat
Sent: Friday, July 13, 2012 9:51 AM
To: Steve Grubb
Cc: Thugzclub; linux-***@redhat.com
Subject: EXT :Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords

--
Cheers,
Florian Crouzat

Florian Crouzat

2012-07-16 08:05:48 UTC

Permalink

Post by Boyce, Kevin P (AS)
Wouldn't another option be to audit the exec of particular executables you are interested in knowing if someone runs?
Obviously you won't know what they are typing into text documents and such, but is that really required? Most places don't allow key loggers at all and it sounds like that's what you've got.

Nop that's not required, what is required is to log every
root-privileged actions, sudo goes in /var/log/secure, real root shells
nowhere. The only solution I found was with pam_audit_tty that has the
side effect to log every keystroke but I'm open to other solutions,
creating a list of binary to watch cannot be one.

--
Cheers,
Florian Crouzat

Steve Grubb

2012-07-16 13:20:21 UTC

Permalink

Post by Florian Crouzat

Post by Boyce, Kevin P (AS)
Wouldn't another option be to audit the exec of particular executables you
are interested in knowing if someone runs? Obviously you won't know what
they are typing into text documents and such, but is that really
required? Most places don't allow key loggers at all and it sounds like
that's what you've got.

Nop that's not required, what is required is to log every
root-privileged actions, sudo goes in /var/log/secure,

Sudo also goes into the audit log so that you have a high integrity source for
what it was commanded to do.

Post by Florian Crouzat
real root shells nowhere. The only solution I found was with pam_audit_tty
that has the side effect to log every keystroke but I'm open to other
solutions, creating a list of binary to watch cannot be one.

One possibility is to write a simple event handler that watches for keystroke
logging and does the filtering before writing to its own log file. Remember the
audit system has a realtime interface and a parsing library so that dispatcher
utilities can easily be created.

-Steve

Thugzclub

2012-07-12 19:41:33 UTC

Permalink

Florian,

Did you get and answer for this?

Regards.

Hi,
This is my first message to the list to please be indulgent, I might be mixing concepts here between auditd, selinux and pam. Any guidance much appreciated.
For PCI-DSS, in order to be allowed to have a real root shell instead of firing sudo all the time (and it's lack of glob/completion), I'm trying to have any commands fired in any kind of root shell logged. (Of course it doesn't protect against malicious root users but that's off-topic).
$ grep tty /etc/pam.d/{su*,system-auth}
/etc/pam.d/su:session required pam_tty_audit.so enable=root
/etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/su-l:session required pam_tty_audit.so enable=root
/etc/pam.d/system-auth:session required pam_tty_audit.so disable=* enable=root
Every keystroke are logged in /var/log/audit/audit.log which is great. My only issue is that I just realized that prompt passwords are also logged, eg MySQL password or Spacewalk, etc.
I can read them in plain text when doing "aureport --tty -if /var/log/audit/audit.log and PCI-DSS forbid any kind of storage of passwords, is there a workaround ? Eg: don't log keystrokes when the prompt is "hidden" (inputting a password)
I'd like very much to be able to obtain real root shells for ease of work (sudo -i) my only constraint beeing: log everything but don't store any password.
Thanks,
--
Cheers,
Florian Crouzat
--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit

Miloslav Trmac

2012-07-13 14:23:07 UTC

Permalink

Hello,
----- Original Message -----

Post by Florian Crouzat
Every keystroke are logged in /var/log/audit/audit.log which is great.
My only issue is that I just realized that prompt passwords are also
logged, eg MySQL password or Spacewalk, etc.
I can read them in plain text when doing "aureport --tty -if
/var/log/audit/audit.log and PCI-DSS forbid any kind of storage of
passwords, is there a workaround ? Eg: don't log keystrokes when the
prompt is "hidden" (inputting a password)

Not auditing non-echoed input gives rogue users an ability to bypass auditing by starting an application that disables echo (e.g. to prompt for a password), and causing the application to terminate - the TTY will stay in the non-echoing mode, and future input will not be audited.

That said, for some people it really may be more important not to audit passwords than to audit every possible input, and providing users an option to choose one or the other is technically quite simple. It's on my long-term to-do list, but I'm afraid I'm not expecting to work on this in the near future.

If anyone else wants to look at it, the original version of the patches https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html does contain code to exclude non-echoed input in canonical mode: just forward-port the code dealing with the ICANON and ECHO flags, and add a sysctl to control the behavior.
Mirek