From owner-freebsd-questions@FreeBSD.ORG Wed Dec 5 23:43:19 2012
From: Damien Fleuriot
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
Date: Thu, 6 Dec 2012 00:42:35 +0100
To: Tim Daneliuk
Cc: FreeBSD Mailing List
Message-Id: <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd>
In-Reply-To: <50BFD674.8000305@tundraware.com>
References: <50BFD674.8000305@tundraware.com>

On 6 Dec 2012, at 00:19, Tim Daneliuk wrote:

> sudo chown root:wheel my_naughty_script
> sudo chmod 700 my_naughty_script
> sudo ./my_naughty_script
>
> The sudo log will note that I ran the script, but not what it did.
>

Wow, way to complicate matters.

sudo csh

> So Gentle Geniuses, is there prior art here that could be applied
> to give me full coverage logging of every action taken by any person or
> thing running with effective or actual root?
>
> P.S. I do not believe

Now would be a good time to start, then.

The only things you need to ensure are:
- auditd cannot be killed off (this is an interesting bit actually, does anyone know how to do that?)
- the audit trail files can only be appended to; man chflags

An alternative would be lshell, however you'll have to whitelist commands people can execute.
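The chflags point from the reply above, as an added example that is not part of the thread: a POSIX sh check that reads `ls -lo` output and reports any audit trail file not carrying the system append-only flag (sappnd), which only root can set and which cannot be cleared while kern.securelevel is above 0; the user flag uappnd is not enough, since root can clear it at any time. The /var/audit trail directory and the sample listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. On a FreeBSD host you would run:
#   ls -lo /var/audit | check_append_only
# (/var/audit as the trail directory is an assumption, not from the thread).

# Reads `ls -lo` lines on stdin and prints every regular file that is NOT
# marked sappnd. Returns 0 when all files are protected, 1 otherwise.
check_append_only() {
    awk '
        /^total / { next }          # skip the "total N" summary line
        $1 !~ /^-/ { next }         # skip directories, symlinks, etc.
        {
            # ls -lo columns: mode links owner group flags size mon day time name
            flags = $5
            n = split(flags, f, ",")
            ok = 0
            for (i = 1; i <= n; i++) if (f[i] == "sappnd") ok = 1
            if (!ok) { bad++; print "unprotected: " $NF " (flags: " flags ")" }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample listing in `ls -lo` format so the check can be run
# without a FreeBSD box: two rotated trails, one with sappnd, one with
# only uappnd (clearable by root), and one with no flags at all ("-").
SAMPLE='total 12
-rw-------  1 root  wheel  sappnd  65536 Dec  5 22:00 20121205220000.20121205234319
-rw-------  1 root  wheel  uappnd  32768 Dec  5 21:30 20121205213000.20121205220000
-rw-------  1 root  wheel  -  4096 Dec  5 21:00 20121205210000.20121205213000'

# Number of files in the sample that fail the check (expected: 2).
count_unprotected() {
    printf '%s\n' "$SAMPLE" | check_append_only | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | check_append_only \
    || echo "some audit trail files are not append-only"
```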