From owner-freebsd-questions@FreeBSD.ORG Wed Dec 5 23:19:38 2012 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id A45B4988 for ; Wed, 5 Dec 2012 23:19:38 +0000 (UTC) (envelope-from tundra@tundraware.com) Received: from ozzie.tundraware.com (ozzie.tundraware.com [75.145.138.73]) by mx1.freebsd.org (Postfix) with ESMTP id 461F48FC14 for ; Wed, 5 Dec 2012 23:19:37 +0000 (UTC) Received: from [192.168.0.2] (viper.tundraware.com [192.168.0.2]) (authenticated bits=0) by ozzie.tundraware.com (8.14.5/8.14.5) with ESMTP id qB5NJLYw007899 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for ; Wed, 5 Dec 2012 17:19:21 -0600 (CST) (envelope-from tundra@tundraware.com) Message-ID: <50BFD674.8000305@tundraware.com> Date: Wed, 05 Dec 2012 17:19:16 -0600 From: Tim Daneliuk User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0 MIME-Version: 1.0 To: FreeBSD Mailing List Subject: Somewhat OT: Is Full Command Logging Possible? Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (ozzie.tundraware.com [192.168.0.1]); Wed, 05 Dec 2012 17:19:21 -0600 (CST) X-TundraWare-MailScanner-Information: Please contact the ISP for more information X-TundraWare-MailScanner-ID: qB5NJLYw007899 X-TundraWare-MailScanner: Found to be clean X-TundraWare-MailScanner-From: tundra@tundraware.com X-Spam-Status: No X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Dec 2012 23:19:38 -0000 This is a little bit outside the strict boundaries of a FreeBSD question, but I am hoping someone in this community has solved this problem and that I might be able to adapt it for non-FreeBSD systems (AIX and Linux, specifically). I am working with an institution that today provides limited privilege escalation on their servers via very specific sudo rules. The problem is that the administrators can do 'sudo su -'. The fact that they became root is logged, *but everything thereafter they do is not*. What these people need is something that does the following things - this need not be sudo based, any FOSS or commercial solution would be considered: - Log the fact that someone became effective root - Log every command they execute *as* root - If they run a script as root, log the individual actions of that script - Have visibility into all this no matter how they access the system - console, ssh, xterm .... Nothing I have found so far meets all these criterion. Verbose syslogging will not catch the case where you start a subshell from the main shell. Keylogging seems to only have limited coverage and does not appear it would work if, say, I log in via ssh and then kick off an xterm. Other solutions fail if I start an editor and shell out from there. The current proposal is to install sudo rules such that NO one is allowed 'sudo su -' and *every single command* you want to run as root has to start with 'sudo'. This has two big drawbacks: - It's an enormous pain for the admins and fundamentally changes their workflow - It cannot see into scripts. So I can circumvent it pretty easily with: sudo chown root:wheel my_naughty_script sudo chmod 700 my_naughty script sudo ./my_naughty_script The sudo log will note that I ran the script, but not what it did. So Gentle Geniuses, is there prior art here that could be applied to give me full coverage logging of every action taken by any person or thing running with effective or actual root? P.S. I do not believe auditd does this either. -- ---------------------------------------------------------------------------- Tim Daneliuk tundra@tundraware.com PGP Key: http://www.tundraware.com/PGP/