Date:      Thu, 6 Dec 2012 00:42:35 +0100
From:      Damien Fleuriot <ml@my.gd>
To:        Tim Daneliuk <tundra@tundraware.com>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Somewhat OT: Is Full Command Logging Possible?
Message-ID:  <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd>
In-Reply-To: <50BFD674.8000305@tundraware.com>
References:  <50BFD674.8000305@tundraware.com>



On 6 Dec 2012, at 00:19, Tim Daneliuk <tundra@tundraware.com> wrote:

>      sudo chown root:wheel my_naughty_script
>      sudo chmod 700 my_naughty_script
>      sudo ./my_naughty_script
>
>   The sudo log will note that I ran the script, but not what it did.
>
>

wow, way to complicate matters.

sudo csh



> So Gentle Geniuses, is there prior art here that could be applied
> to give me full coverage logging of every action taken by any person or
> thing running with effective or actual root?
>
> P.S. I do not believe

Now would be a good time to start, then.

The only things you need to ensure are:
- auditd cannot be killed off (this is an interesting bit actually, anyone knows how to do that ?)
- the audit trail files can only be appended to ; man chflags


An alternative would be lshell, however you'll have to whitelist commands people can execute.



