[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: EXT :Re: PCI-DSS: Log every root actions/keystrokes but avoid passwords



On Monday, July 16, 2012 10:05:48 AM Florian Crouzat wrote:
> Le 13/07/2012 19:09, Boyce, Kevin P (AS) a écrit :
> > Wouldn't another option be to audit the exec of particular executables you
> > are interested in knowing if someone runs? Obviously you won't know what
> > they are typing into text documents and such, but is that really
> > required?  Most places don't allow key loggers at all and it sounds like
> > that's what you've got.
> Nop that's not required, what is required is to log every
> root-privileged actions, sudo goes in /var/log/secure,

Sudo also goes into the audit log so that you have a high integrity source for 
what it was commanded to do.

> real root shells nowhere. The only solution I found was with pam_audit_tty
> that has the side effect to log every keystroke but I'm open to other
> solutions, creating a list of binary to watch cannot be one.

One possibility is to write a simple event handler that watches for keystroke 
logging and does the filtering before writing to its own log file. Remember the 
audit system has a realtime interface and a parsing library so that dispatcher 
utilities can easily be created.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]