Date:      Wed, 05 Dec 2012 17:47:09 -0600
From:      Tim Daneliuk <tundra@tundraware.com>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Somewhat OT: Is Full Command Logging Possible?
Message-ID:  <50BFDCFD.4010108@tundraware.com>
In-Reply-To: <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd>
References:  <50BFD674.8000305@tundraware.com> <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd>

On 12/05/2012 05:42 PM, Damien Fleuriot wrote:
>
>
> On 6 Dec 2012, at 00:19, Tim Daneliuk <tundra@tundraware.com> wrote:
>
>>       sudo chown root:wheel my_naughty_script
>>       sudo chmod  700 my_naughty_script
>>       sudo ./my_naughty_script
>>
>>    The sudo log will note that I ran the script, but not what it did.
>>
>>
>
> wow, way to complicate matters.

Hey, I didn't dream up this problem :)

>
> sudo csh
>
>
>
>> So Gentle Geniuses, is there prior art here that could be applied
>> to give me full coverage logging of every action taken by any person or
>> thing running with effective or actual root?
>>
>> P.S. I do not believe
>
> Now would be a good time to start, then.
Well ... does auditd provide a record of every command issued within a script?
I was under the impression (and I may well be wrong) that it noted only
the name of the script being executed.

>
> The only things you need to ensure are:
> - auditd cannot be killed off (this is an interesting bit actually, anyone knows how to do that ?)
> - the audit trail files can only be appended to ; man chflags
>
>
> An alternative would be lshell, however you'll have to whitelist commands people can execute.
>
>

Remember that we want admins to be able to do *anything*; we just want
to log what they, in fact, do.

-- 
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
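As an added example (not code from the thread or from FreeBSD itself): a POSIX sh script that applies the append-only flag the reply points to with chflags(1) and then checks `ls -lo` output for trail files that are still unprotected. It assumes the default trail directory /var/audit and that the active trail ends in `.not_terminated`.

```shell
#!/bin/sh
# Added example: make completed audit trail files system-append-only (sappnd).
# With kern.securelevel >= 1 the flag cannot be removed even by root, so a
# root shell or script cannot truncate or delete the record of its own actions.
# Assumes FreeBSD's default trail directory /var/audit (overridable via AUDIT_DIR).

AUDIT_DIR="${AUDIT_DIR:-/var/audit}"

# Apply sappnd to every completed trail; skip the active one so auditd can
# still rotate it (auditd itself writes the active trail in append mode).
harden_audit_trails() {
    for f in "$AUDIT_DIR"/*; do
        case "$f" in
            *.not_terminated|*/current) continue ;;
        esac
        [ -f "$f" ] && chflags sappnd "$f"
    done
}

# Given one line of `ls -lo` output, succeed if its flags field contains
# sappnd.  `ls -lo` prints: mode links owner group flags size date name,
# with flags comma-separated (or "-" when none are set).
line_has_sappnd() {
    flags=$(printf '%s\n' "$1" | awk '{print $5}')
    case ",$flags," in
        *,sappnd,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Read `ls -lo` output on stdin and print the number of trail files that are
# NOT append-only; a non-zero count means a root process could still tamper.
count_unprotected() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            total*|"") continue ;;
        esac
        line_has_sappnd "$line" || n=$((n + 1))
    done
    echo "$n"
}
```

Run `ls -lo "$AUDIT_DIR" | count_unprotected` from a periodic job and alert when the result is not 0.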