Applies to: Centrify DirectAudit 3.0.x and 3.1.0 on RHEL/Fedora platforms
There are some occasions where the "Export Session with User Inputs" report may show user passwords in the clear.
Consider the following scenario:
- Centrify DirectAudit and Centrify DirectControl are installed and configured on RHEL 5.7 x86_64.
- The parameter "dash.auditstdin" is set to true in /etc/centrifyda/centrifyda.conf. This allows the capture of keyboard input.
- The command "useradd u111" is executed to add a new local user, and the password is changed with "password".
- The local user "u111" logs in and runs the "date" command
[u111@rhel57x64v3 ~]$ date
Tue Aug 6 09:53:48 CST 2013
- The example command "sudo adinfo" is run and the password entered.
A new session is generated. <-- This is expected behavior.
- The session generated at Step 5 is exported with user input, and the exported file opened.
The password entered at Step 5 is seen when it should have been replaced with "xxxxxx".
Centrify DirectAudit v3.0 and later can optionally capture all user keyboard input. It detects when the user enters a password in response to a password prompt and automatically masks the password out: the password is not sent to the Collector and is not stored in the AuditStore databases, so an auditor cannot access other users' passwords.
To detect the password prompt, Centrify DA uses a default regular expression. The administrator can use the dash.auditstdin.except parameter in /etc/centrifyda/centrifyda.conf to define any additional regular expressions the environment needs.
The current default regular expression is:
dash.auditstdin.except: (password[a-zA-Z \t]*:[[:space:]]*$)|(verify[a-zA-Z \t]*:[[:space:]]*$)
This matches the word "password" or "verify", followed by any number of alphabetic characters, spaces or tabs, then a colon, then any amount of whitespace up to the end of the line.
This pattern covers the most common use cases.
It was found that the above regular expression does not work when a user with a non-alphabetic user name (for example "u111", which contains digits) uses dzdo/sudo and then goes through password authentication: the sudo prompt embeds the user name, and a digit in it is not matched by [a-zA-Z \t], so the prompt is not recognised and the typed password is recorded in the clear. The same applies in any other situation where the password prompt does not match the above regular expression.
The dash.auditstdin.except parameter in /etc/centrifyda/centrifyda.conf can be set with the following line instead:
The workaround regex will be used as the default regular expression in the next release of DirectAudit.
If there are other applications where the password prompt does not match the above regular expression, the additional patterns can be added to the same parameter.
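As an added illustration (not Centrify's code, and not the workaround regex the article refers to), the following Python script applies the default dash.auditstdin.except pattern to constructed prompt strings and shows exactly where the masking decision fails for a user name containing digits. It assumes case-insensitive matching and rewrites the POSIX [[:space:]] class as \s for Python's re module; the extra pattern is a constructed example of an additional expression, not the vendor's.

```python
import re

# Default pattern from centrifyda.conf, with POSIX [[:space:]] rewritten as \s
# for Python's re module (an assumption of this example; DA uses POSIX ERE).
DEFAULT_EXCEPT = r"(password[a-zA-Z \t]*:\s*$)|(verify[a-zA-Z \t]*:\s*$)"

# Constructed additional pattern for illustration only: allow anything except a
# colon between "password for" and the colon, so a prompt such as
# "[sudo] password for u111:" is recognised. Not the vendor's workaround regex.
EXTRA_EXCEPT = r"(password for [^:]*:\s*$)"

def is_password_prompt(prompt_text, patterns=(DEFAULT_EXCEPT,)):
    """True if the text preceding the user's keystrokes matches one of the
    dash.auditstdin.except patterns (case-insensitive matching is assumed)."""
    return any(re.search(p, prompt_text, re.IGNORECASE) for p in patterns)

def mask_input(prompt_text, typed, patterns=(DEFAULT_EXCEPT,)):
    """What an 'Export Session with User Inputs' report would record: the
    "xxxxxx" marker when the prompt looks like a password prompt, otherwise
    the keystrokes verbatim."""
    return "xxxxxx" if is_password_prompt(prompt_text, patterns) else typed

# Constructed sample prompts and keystrokes (not a real captured session).
SAMPLE_SESSION = [
    ("Password: ", "hunter2"),                   # plain login prompt
    ("Verify password: ", "hunter2"),            # second alternative of the default
    ("[sudo] password for root: ", "hunter2"),   # alphabetic user name: masked
    ("[sudo] password for u111: ", "hunter2"),   # digits in user name: NOT masked
    ("[u111@rhel57x64v3 ~]$ ", "date"),          # ordinary shell command
]

def export_with_user_input(session, patterns=(DEFAULT_EXCEPT,)):
    """Simulate the exported report: list of (prompt, recorded input)."""
    return [(p, mask_input(p, t, patterns)) for p, t in session]

if __name__ == "__main__":
    print("default pattern only:")
    for prompt, recorded in export_with_user_input(SAMPLE_SESSION):
        print(f"  {prompt!r:32} -> {recorded}")
    print("default plus extra pattern:")
    both = (DEFAULT_EXCEPT, EXTRA_EXCEPT)
    for prompt, recorded in export_with_user_input(SAMPLE_SESSION, both):
        print(f"  {prompt!r:32} -> {recorded}")
```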