PCI-DSS: Log every root actions/keystrokes but avoid passwords

Miloslav Trmac mitr at redhat.com
Fri Jul 13 14:23:07 UTC 2012


Hello,
----- Original Message -----
> Every keystroke is logged in /var/log/audit/audit.log, which is great.
> My only issue is that I just realized that prompted passwords are also
> logged, e.g. the MySQL password or Spacewalk, etc.
> I can read them in plain text when doing "aureport --tty -if
> /var/log/audit/audit.log", and PCI-DSS forbids any kind of storage of
> passwords. Is there a workaround? E.g.: don't log keystrokes when the
> prompt is "hidden" (inputting a password).

Not auditing non-echoed input gives rogue users an ability to bypass auditing by starting an application that disables echo (e.g. to prompt for a password), and causing the application to terminate - the TTY will stay in the non-echoing mode, and future input will not be audited.

That said, for some people it really may be more important not to audit passwords than to audit every possible input, and providing users an option to choose one or the other is technically quite simple.  It's on my long-term to-do list, but I'm afraid I'm not expecting to work on this in the near future.

If anyone else wants to look at it, the original version of the patches https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html does contain code to exclude non-echoed input in canonical mode: just forward-port the code dealing with the ICANON and ECHO flags, and add a sysctl to control the behavior.
    Mirek
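The decision Mirek describes (skip only canonical, non-echoed input; keep everything else) is a test on two termios local-mode bits, and it is worth seeing concretely why the bypass he warns about exists. The following is an added user-space illustration, not code from the 2007 patches or from the kernel's TTY audit code: the kernel side operates on the tty's termios from inside the line discipline, whereas this program reads the same flags with tcgetattr() on a file descriptor. The policy enum standing in for the proposed sysctl, and the function names, are assumptions. It goes slightly beyond the mail by spelling out the raw (non-canonical, non-echoed) case, which editors and curses programs use, and which the canonical-mode exclusion would still record.

```c
#include <stdbool.h>
#include <stdio.h>
#include <termios.h>
#include <unistd.h>

/* Hypothetical stand-in for the sysctl the mail proposes:
 * either audit all TTY input, or skip the classic password prompt. */
enum tty_audit_policy {
    TTY_AUDIT_ALL = 0,            /* current behaviour: record everything   */
    TTY_AUDIT_SKIP_NOECHO_CANON   /* proposed option: drop ICANON && !ECHO  */
};

/* Decide whether input typed while the tty has local flags `lflag`
 * should be recorded. Only canonical (line-buffered) input with echo
 * turned off is excluded, which is what getpass()-style prompts use.
 * Raw mode with echo off (editors, shells with line editing) is still
 * recorded, because that is ordinary interactive use, not a password. */
bool tty_audit_should_log(tcflag_t lflag, enum tty_audit_policy policy)
{
    if (policy == TTY_AUDIT_ALL)
        return true;
    bool canonical = (lflag & ICANON) != 0;
    bool echoed    = (lflag & ECHO) != 0;
    return !(canonical && !echoed);
}

/* Read the live flags of a tty fd. Returns -1 if fd is not a tty. */
int tty_describe(int fd, bool *canonical, bool *echoed)
{
    struct termios t;
    if (tcgetattr(fd, &t) != 0)
        return -1;
    *canonical = (t.c_lflag & ICANON) != 0;
    *echoed    = (t.c_lflag & ECHO) != 0;
    return 0;
}

/* Mitigation for the gap Mirek points out: if a program dies after
 * turning echo off, the tty stays in ICANON && !ECHO and, under the
 * skip policy, every later keystroke would go unrecorded. A login
 * shell or session wrapper can re-enable echo so the exclusion only
 * covers the prompt itself. Returns -1 if fd is not a tty. */
int tty_restore_echo(int fd)
{
    struct termios t;
    if (tcgetattr(fd, &t) != 0)
        return -1;
    t.c_lflag |= ECHO;
    return tcsetattr(fd, TCSANOW, &t);
}

int main(void)
{
    bool canon, echo;
    if (tty_describe(STDIN_FILENO, &canon, &echo) != 0) {
        puts("stdin is not a tty");
        return 1;
    }
    printf("ICANON=%d ECHO=%d -> audited under skip policy: %s\n",
           canon, echo,
           tty_audit_should_log((canon ? ICANON : 0) | (echo ? ECHO : 0),
                                TTY_AUDIT_SKIP_NOECHO_CANON) ? "yes" : "no");
    return 0;
}
```

Run it under a normal shell and it reports ICANON=1 ECHO=1, audited; run it as `stty -echo; ./a.out` and it reports the non-echoed state that the skip policy would drop, which is exactly the state a terminated password prompt leaves behind. Note that tty_restore_echo() is a session-level workaround, not a fix for the kernel policy: an attacker-controlled program can always switch the flags again, so the two policies really do trade completeness of the audit trail against keeping passwords out of the log, as the mail says.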