From owner-freebsd-questions@FreeBSD.ORG Wed Dec 5 23:47:22 2012 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C6EA632C for ; Wed, 5 Dec 2012 23:47:22 +0000 (UTC) (envelope-from tundra@tundraware.com) Received: from ozzie.tundraware.com (ozzie.tundraware.com [75.145.138.73]) by mx1.freebsd.org (Postfix) with ESMTP id 7B81A8FC0C for ; Wed, 5 Dec 2012 23:47:22 +0000 (UTC) Received: from [192.168.0.2] (viper.tundraware.com [192.168.0.2]) (authenticated bits=0) by ozzie.tundraware.com (8.14.5/8.14.5) with ESMTP id qB5NlE8M008378 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for ; Wed, 5 Dec 2012 17:47:14 -0600 (CST) (envelope-from tundra@tundraware.com) Message-ID: <50BFDCFD.4010108@tundraware.com> Date: Wed, 05 Dec 2012 17:47:09 -0600 From: Tim Daneliuk User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0 MIME-Version: 1.0 CC: FreeBSD Mailing List Subject: Re: Somewhat OT: Is Full Command Logging Possible? References: <50BFD674.8000305@tundraware.com> <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd> In-Reply-To: <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (ozzie.tundraware.com [192.168.0.1]); Wed, 05 Dec 2012 17:47:14 -0600 (CST) X-TundraWare-MailScanner-Information: Please contact the ISP for more information X-TundraWare-MailScanner-ID: qB5NlE8M008378 X-TundraWare-MailScanner: Found to be clean X-TundraWare-MailScanner-From: tundra@tundraware.com X-Spam-Status: No X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Dec 2012 23:47:22 -0000 On 12/05/2012 05:42 PM, Damien Fleuriot wrote: > > > On 6 Dec 2012, at 00:19, Tim Daneliuk wrote: > >> sudo chown root:wheel my_naughty_script >> sudo chmod 700 my_naughty script >> sudo ./my_naughty_script >> >> The sudo log will note that I ran the script, but not what it did. >> >> > > wow, way to complicate matters. Hey, I didn't dream up this problem :) > > sudo csh > > > >> So Gentle Geniuses, is there prior art here that could be applied >> to give me full coverage logging of every action taken by any person or >> thing running with effective or actual root? >> >> P.S. I do not believe > > Now would be a good time to start, then. Well ... does auditd provide a record of every command issued within a script? I was under the impression (and I may well be wrong) that it noted only the name of the script being executed. > > The only things you need to ensure are: > - auditd cannot be killed off (this is an interesting bit actually, anyone knows how to do that ?) > - the audit trail files can only be appended to ; man chflags > > > An alternative would be lshell, however you'll have to whitelist commands people can execute. > > Remember that we want admins to be able to do *anything* but we just want to log what they do, in fact do. -- ---------------------------------------------------------------------------- Tim Daneliuk tundra@tundraware.com PGP Key: http://www.tundraware.com/PGP/