Date: Thu, 6 Dec 2012 00:42:35 +0100
From: Damien Fleuriot <ml@my.gd>
To: Tim Daneliuk <tundra@tundraware.com>
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
Message-ID: <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd>
In-Reply-To: <50BFD674.8000305@tundraware.com>
References: <50BFD674.8000305@tundraware.com>

On 6 Dec 2012, at 00:19, Tim Daneliuk <tundra@tundraware.com> wrote:

> sudo chown root:wheel my_naughty_script
> sudo chmod 700 my_naughty_script
> sudo ./my_naughty_script
>
> The sudo log will note that I ran the script, but not what it did.
>
>

wow, way to complicate matters.
sudo csh

> So Gentle Geniuses, is there prior art here that could be applied
> to give me full coverage logging of every action taken by any person or
> thing running with effective or actual root?
>
> P.S. I do not believe

Now would be a good time to start, then.

The only things you need to ensure are:
- auditd cannot be killed off (this is an interesting bit actually, anyone knows how to do that?)
- the audit trail files can only be appended to; man chflags

An alternative would be lshell, however you'll have to whitelist commands people can execute.
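
A check for the append-only requirement in the reply above, added here as an example and not part of the original message: it reads `ls -lo` output for the audit directory and reports trail files that lack the `sappnd` flag set by `chflags`, plus a warning when the securelevel would still let root clear that flag. The `/var/audit` location, the function names and the sample listing are assumptions; the listing is constructed.

```shell
#!/bin/sh
# Added example: find audit trail files not protected by the system
# append-only flag (chflags sappnd). Input is `ls -lo` output in
# FreeBSD's layout:
#   mode links owner group flags size month day time name
# Function names and the sample listing are constructed for illustration.

# check_trails SECURELEVEL < listing
# Prints one line per finding and returns 1 if anything was found.
check_trails() {
    awk -v lvl="$1" '
        BEGIN {
            # Below securelevel 1, root can simply clear system flags,
            # so sappnd alone does not stop a root user.
            if (lvl + 0 < 1) {
                print "WARN securelevel=" lvl ": root can clear sappnd"
                bad = 1
            }
        }
        $1 ~ /^-/ && NF >= 10 {            # regular files only
            n = split($5, flags, ",")      # flags column, "-" when empty
            ok = 0
            for (i = 1; i <= n; i++)
                if (flags[i] == "sappnd") ok = 1
            if (!ok) { print "MISSING sappnd: " $10; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed listing, shaped like `ls -lo /var/audit` (assumed path).
sample_listing() {
    cat <<'EOF'
total 24
-r--r-----  1 root  audit  sappnd  8192 Dec  5 22:10 20121205201001.20121205221001
-r--r-----  1 root  audit  -       4096 Dec  5 23:40 20121205221001.20121205234001
-r--r-----  1 root  audit  sappnd,nodump  512 Dec  6 00:42 20121205234001.not_terminated
lrwxr-xr-x  1 root  audit  -  40 Dec  6 00:42 current -> /var/audit/20121205234001.not_terminated
EOF
}

# Demo run; on a real host: ls -lo /var/audit | check_trails "$(sysctl -n kern.securelevel)"
sample_listing | check_trails 1 || true
```
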