raczylo.com blog ~ #

Dealing with PCI compliance - sudo commands log

Created on 2014-09-11 in categories ops , tutorial , howto
Tagged as: pci compliance , logging

One of the PCI compliance requirements is logging all sudo input. Here's how you can deal with it.

If you've ever had the pleasure of dealing with PCI compliance, and your infrastructure isn't based on Microsoft Windows crapware - good luck.

You can be absolutely sure that sooner or later they will ask you for 'logging of root command execution'. It would be nice if your users (especially developers) used the 'root' account for ssh, but from a different point of view that's nothing more than taking a piss on the whole infrastructure's security, and that's why you're stuck with sudo, which unfortunately doesn't log anything a user does once they've run sudo su. But wait - the PCI compliance guy wants you to log all sessions and all input from users, even when they sudo themselves? No worries, we still have rootsh (available here).

Download rootsh package

Simply follow this link

Unpack and install it

tar -zxf rootsh-1.5.3.tar.gz
cd rootsh-1.5.3
./configure
make && make install

If you’re having a really bad time with make, giving you:

/usr/include/x86_64-linux-gnu/bits/fcntl2.h:51:24: error: call to ‘__open_missing_mode’ declared with attribute error: open with O_CREAT in second argument needs 3 arguments

Use your favourite text editor (VIM FTW!)

vim src/rootsh.c +682

And replace

if ((logFile = open(logFileName, O_RDWR|O_CREAT|O_SYNC|O_CREAT|O_APPEND|S_IRUSR|S_IWUSR)) == -1) {
# WITH
if ((logFile = open(logFileName, O_RDWR|O_CREAT|O_SYNC|O_APPEND, 0664)) == -1) { /* the mode is open()'s third argument; the S_I* permission bits (and the repeated O_CREAT) do not belong in the flags word */

Yes, it's just the missing file-mode argument (the third parameter of open()). Now add this line to /etc/sudoers (edit it with visudo):

trusted_user ALL = /bin/rootsh
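The whole procedure above, scripted, as an added example that is neither the post's nor the rootsh project's code. It assumes the tarball has already been downloaded, that /etc/sudoers carries the usual #includedir /etc/sudoers.d line, and that rootsh writes its transcripts to /var/log/rootsh (an assumed default; set ROOTSH_LOGDIR if yours differs). It departs from the post in two deliberate places: the patched open() gets mode 0600 instead of 0664, and the permission bits are dropped from the flags word, so that root session transcripts are readable by root only.

```shell
#!/bin/sh
# Added example (not from the post or the rootsh project): scripts the post's
# procedure. The paths, the 0600 log mode and the use of /etc/sudoers.d are
# this script's choices; point ROOTSH_BIN at wherever `make install` put rootsh.
set -eu

ROOTSH_TARBALL=${ROOTSH_TARBALL:-rootsh-1.5.3.tar.gz}   # downloaded beforehand
ROOTSH_BIN=${ROOTSH_BIN:-/bin/rootsh}                   # path the post uses in sudoers
ROOTSH_LOGDIR=${ROOTSH_LOGDIR:-/var/log/rootsh}         # assumed transcript directory

# Apply the open() fix from the post to src/rootsh.c. The mode becomes a proper
# third argument; the S_IRUSR|S_IWUSR bits are removed from the flags word (on
# Linux they alias O_NOCTTY and O_EXCL) and the duplicated O_CREAT goes away.
# 0600 rather than the post's 0664: a transcript of a root session should not
# be group- or world-readable.
patch_rootsh_open() {
    f=$1
    sed 's/O_RDWR|O_CREAT|O_SYNC|O_CREAT|O_APPEND|S_IRUSR|S_IWUSR))/O_RDWR|O_CREAT|O_SYNC|O_APPEND, 0600))/' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    # Fail loudly if the line was not found, so an unpatched build is impossible.
    grep -q 'O_APPEND, 0600))' "$f"
}

# Write a sudoers fragment granting one user exactly the rootsh command
# (the post's "trusted_user ALL = /bin/rootsh"), with the 0440 mode sudo expects.
write_sudoers_rule() {
    user=$1; cmd=$2; out=$3
    printf '%s ALL = %s\n' "$user" "$cmd" > "$out"
    chmod 0440 "$out"
}

# Syntax-check a fragment before anyone's sudo depends on it.
validate_sudoers_rule() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; skipping syntax check of $1" >&2
    fi
}

# The post's unpack / configure / make steps, with the patch applied in between.
build_and_install() {
    tar -zxf "$ROOTSH_TARBALL"
    cd rootsh-1.5.3
    patch_rootsh_open src/rootsh.c
    ./configure
    make && make install
    cd ..
}

# Session transcripts are audit evidence: root-only directory, like any audit log.
prepare_logdir() {
    mkdir -p "$ROOTSH_LOGDIR"
    chown root:root "$ROOTSH_LOGDIR"
    chmod 0700 "$ROOTSH_LOGDIR"
}

# Usage (as root): sh rootsh-setup.sh run trusted_user
if [ "${1-}" = "run" ]; then
    build_and_install
    prepare_logdir
    write_sudoers_rule "${2:-trusted_user}" "$ROOTSH_BIN" /etc/sudoers.d/rootsh
    validate_sudoers_rule /etc/sudoers.d/rootsh
fi
```

Run it as root with the "run" argument and the user to grant. The patch function refuses to continue when it cannot find the offending line, so a rootsh release with different source is never built silently unpatched, and the sudoers fragment is checked with visudo before it can break sudo for everyone.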

Another tip: 'System Level Objects' are nothing more than 'fucking-important-files' - for example the kernel, shells, /etc/passwd|shadow - but Microsoft guys just love giving fancy names to simple things. They can't explain them later, of course.
