Date: Wed, 05 Dec 2012 17:47:09 -0600
From: Tim Daneliuk <tundra@tundraware.com>
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
Message-ID: <50BFDCFD.4010108@tundraware.com>
In-Reply-To: <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd>
References: <50BFD674.8000305@tundraware.com> <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd>
On 12/05/2012 05:42 PM, Damien Fleuriot wrote:
>
> On 6 Dec 2012, at 00:19, Tim Daneliuk <tundra@tundraware.com> wrote:
>
>> sudo chown root:wheel my_naughty_script
>> sudo chmod 700 my_naughty_script
>> sudo ./my_naughty_script
>>
>> The sudo log will note that I ran the script, but not what it did.
>
> wow, way to complicate matters.

Hey, I didn't dream up this problem :)

> sudo csh
>
>> So Gentle Geniuses, is there prior art here that could be applied
>> to give me full coverage logging of every action taken by any person or
>> thing running with effective or actual root?
>>
>> P.S. I do not believe
>
> Now would be a good time to start, then.

Well ... does auditd provide a record of every command issued within a script? I was under the impression (and I may well be wrong) that it noted only the name of the script being executed.

> The only things you need to ensure are:
> - auditd cannot be killed off (this is an interesting bit actually, anyone knows how to do that?)
> - the audit trail files can only be appended to; man chflags
>
> An alternative would be lshell, however you'll have to whitelist commands people can execute.

Remember that we want admins to be able to do *anything*; we just want to log what they, in fact, do.

--
----------------------------------------------------------------------------
Tim Daneliuk tundra@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
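As an added example, not part of the thread, here is an /etc/security/audit_control that answers the question above: with the `ex` class selected and `argv` in the policy, FreeBSD audit records every execve(2) with its arguments, so each command a script runs is logged as its own event (only the exact values are illustrative; the field names and class/policy flags are those documented in audit_control(5)):

```conf
# /etc/security/audit_control  (added example; values are illustrative)
dir:/var/audit
# Audit login/logout and every exec for attributable (logged-in) processes,
# including anything run via sudo or inside a script.
flags:lo,ex
minfree:5
# The same classes for non-attributable processes (cron, daemons, boot).
naflags:lo,ex
# cnt:  keep running if the trail cannot be written rather than halting the system.
# argv: store the argv of each execve(2), i.e. the actual command line.
policy:cnt,argv
filesz:2M
```

Shell builtins such as cd or echo never exec and therefore leave no record; everything else, down to each program a script invokes, appears in `praudit /var/audit/current`. After `service auditd restart`, `chflags sappnd` on the closed trail files makes them system-append-only, which root cannot undo while the securelevel is above 0.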