Date: Fri, 05 Apr 2002 13:03:39 +1000 From: Rob B <rbyrnes@ozemail.com.au> To: "Galella, Anthony" <anthony.galella@intel.com> Cc: "'freebsd-questions@freebsd.org'" <freebsd-questions@freebsd.org> Subject: RE: verbose logging of root? Message-ID: <5.1.0.14.2.20020405123145.01c10620@pop.ozemail.com.au> In-Reply-To: <59F55CE047A6D51196360002A534A4AC3703E7@pysmsx102.py.intel. com>
next in thread | previous in thread | raw e-mail | index | archive | help
At 10:11 4/04/2002 -0500, Galella, Anthony sent this up the stick: >Unfortunately sudo won't help in this situation. >There is a "backup" sysadmin here that has root access in case I am not >available. If he needs root permissions, you assign them to his _own_ userid >He is learning, but I want to be able to track everything he does as root in >order to know exactly what is happening on the system. >Case in point: he chown'd and chmod'd a whole directory structure, causing >loss of access for users. I found the problem, and fixed it, but if I could >track what he did in the logs, I could be aware of these things before users >are (hopefully):) I suppose the only thing that I can see where sudo would not be of use is on a unix desktop machine that has lost sight of the network, and there was local root access needed. Cheers, Rob >-----Original Message----- >From: Rob B [mailto:rbyrnes@ozemail.com.au] >Sent: Wednesday, April 03, 2002 8:51 PM >To: Galella, Anthony >Cc: 'freebsd-questions@freebsd.org' >Subject: Re: verbose logging of root? > > >At 03:06 4/04/2002, Galella, Anthony sent this up the stick: > >This is more of a Un*x question rather than FBSD specific. > > > >Is it possible to do extremely verbose logging of all everything done by > >root for security purposes? > > > > > >We ssh to the server and I can make ssh do verbose logging, but that logs > >every user, I just need to log from the point someone su's to root. > >This is not a *direct* answer to your question, but an alternative >suggestion. > >Rather than letting users su to root, why not use a tool such as sudo >(/usr/ports/admin/sudo)? sudo will log every command, and has an extensive >permissions system in it's conf file. sudo also prevents every user who >needs root permissions from knowing the root password, they simply use >their own password. sudo also logs any unauthorised usage. > >Cheers, >Rob > > >-- >Hey, go buy a plane ticket to another state of mind, okay? > >[15200.8 km (8207.8 mi), 262.8 deg](Apparent) Rennerian >This is random quote 504 of a collection of 1223 > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-questions" in the body of the message -- It was such a lovely day I thought it a pity to get up. [15200.8 km (8207.8 mi), 262.8 deg](Apparent) Rennerian This is random quote 684 of a collection of 1223 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.1.0.14.2.20020405123145.01c10620>