From owner-freebsd-questions@FreeBSD.ORG Thu Dec 6 01:02:33 2012
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
From: Adam Vande More
To: Damien Fleuriot
Cc: Tim Daneliuk, FreeBSD Mailing List
Date: Wed, 5 Dec 2012 19:02:32 -0600

On Wed, Dec 5, 2012 at 5:42 PM, Damien Fleuriot wrote:

>
> On 6 Dec 2012, at 00:19, Tim Daneliuk wrote:
>
> > sudo chown root:wheel my_naughty_script
> > sudo chmod 700 my_naughty_script
> > sudo ./my_naughty_script
> >
> > The sudo log will note that I ran the script, but not what it did.
> >
>
> wow, way to complicate matters.
>
> sudo csh
>
> > So Gentle Geniuses, is there prior art here that could be applied
> > to give me full coverage logging of every action taken by any person or
> > thing running with effective or actual root?
> >
> > P.S. I do not believe
>
> Now would be a good time to start, then.
>
> The only things you need to ensure are:
> - auditd cannot be killed off (this is an interesting bit actually, anyone
> knows how to do that?)

Can't be done really for an id 0 account. Not without extensive
customization anyway. However the Audit Distribution Daemon was recently
committed, so audit logs could potentially be stored in a different location
easily.

> - the audit trail files can only be appended to; man chflags

Audit Distribution Daemon would alleviate this as well.

--
Adam Vande More
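The thread's answer to "sudo csh hides what root did" is the audit subsystem rather than sudo's own log: have auditd record process execs and their arguments, and push the trail off-host with the Audit Distribution Daemon. The script below is an added example, not code from anyone on this list; it checks a FreeBSD audit_control(5) file for those settings using two constructed sample configs (a default-style weak one and a hardened one) and assumes the standard keywords flags, policy and dist.

```shell
#!/bin/sh
# Added example: does this audit_control record what root actually ran?
# Constructed sample configs (not taken from any real host).
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
dir:/var/audit
dist:off
flags:lo,aa
naflags:lo,aa
policy:cnt
filesz:2M
EOF
cat > "$HARD_CONF" <<'EOF'
dir:/var/audit
dist:on
flags:lo,aa,ex
naflags:lo,aa
policy:cnt,argv
filesz:2M
EOF

# conf_value FILE KEY -> value after "KEY:" (first match only)
conf_value() { sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1; }

# has_class LIST ITEM -> success if comma-separated LIST contains ITEM
has_class() { echo "$1" | tr ',' '\n' | grep -qx "$2"; }

# audit_config_ok FILE -> success when exec events (class ex) and their
# argv are recorded and trails are distributed off-host (dist:on);
# otherwise prints each missing setting and fails.
audit_config_ok() {
    ok=0
    has_class "$(conf_value "$1" flags)" ex || { echo "flags: no 'ex' class, process execs are not audited"; ok=1; }
    has_class "$(conf_value "$1" policy)" argv || { echo "policy: no 'argv', command arguments are not recorded"; ok=1; }
    [ "$(conf_value "$1" dist)" = "on" ] || { echo "dist: off, trails stay only on this host"; ok=1; }
    return $ok
}

# Local trails should still get 'chflags sappnd' (append-only), as the
# thread notes; that step is not exercised here.
echo "== weak =="; audit_config_ok "$WEAK_CONF" || echo "-> not acceptable"
echo "== hardened =="; audit_config_ok "$HARD_CONF" && echo "-> acceptable"
```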