From: John Hein
To: Tim Daneliuk
Cc: FreeBSD Mailing List
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
Date: Tue, 18 Dec 2012 17:53:11 -0700
Message-ID: <20689.4087.859208.619511@gromit.timing.com>
In-Reply-To: <50BFDD51.5000100@tundraware.com>
References: <50BFD674.8000305@tundraware.com> <50BFDD51.5000100@tundraware.com>

Tim Daneliuk wrote at 17:48 -0600 on Dec 5, 2012:
 > On 12/05/2012 05:44 PM, Kurt Buff wrote:
 > > On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk wrote:
 > >> I am working with an institution that today provides limited privilege
 > >> escalation on their servers via very specific sudo rules. The problem is
 > >> that the administrators can do 'sudo su -'.
 > >
 > > sudo is misconfigured.
 > >
 > > man 5 sudoers and man 8 visudo
 > >
 > > Kurt
 >
 > I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
 > saying. Are you suggesting that there is a way to configure
 > sudo so that if someone does 'sudo su -' to become an admin,
 > sudo can be made to log every command they execute thereafter?

See log_input and log_output in sudoers(5)
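An added sudoers example (not from this thread) showing the kind of rule the original post describes beside a configuration that records the whole session with log_input/log_output; the command paths, the SHELLS alias and the I/O log directory are assumptions for a FreeBSD host with the sudo port installed:

```sudoers
## Weak: a rule like the one described above. sudo's ordinary log records
## only the single "su -" invocation; nothing typed in the root shell that
## follows is captured.
# %wheel ALL=(ALL) /usr/bin/su -

## Hardened alternative (example only; paths and names are assumed).

# Record the keystrokes and terminal output of every sudo session.
# With these set, sudo runs the command on a pseudo-tty and captures the
# entire session, including an interactive root shell started by "sudo su -".
Defaults log_input, log_output
Defaults iolog_dir=/var/log/sudo-io/%{user}

# Keep the usual one-line-per-command log as well, in a dedicated file.
Defaults logfile=/var/log/sudo.log

Cmnd_Alias SHELLS = /bin/sh, /bin/csh, /bin/tcsh, /usr/bin/su

# If session recording should apply only to shell escapes rather than to
# every sudo command, scope it to the alias instead of the global Defaults:
# Defaults!SHELLS log_input, log_output

# The existing narrow grants stay; "su -" is kept because its session is
# now recorded. (sudoers(5) warns that excluding commands with "!SHELLS"
# is not a reliable control, so recording is preferred over negation.)
%wheel ALL=(ALL) /usr/sbin/service, /usr/bin/su -

# Review recorded sessions with sudoreplay(8):
#   sudoreplay -l user=alice      # list alice's sessions
#   sudoreplay 000001             # replay one session by its id
```

Edit the file with visudo(8) so a syntax error cannot lock everyone out of sudo.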