Date: Wed, 5 Dec 2012 19:02:32 -0600
From: Adam Vande More <amvandemore@gmail.com>
To: Damien Fleuriot <ml@my.gd>
Cc: Tim Daneliuk <tundra@tundraware.com>, FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
Message-ID: <CA+tpaK3Mw9_o9fsK-GTBvEMMHxsdG6Dcqms2zLiFpzH6kyNtpw@mail.gmail.com>
In-Reply-To: <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd>
References: <50BFD674.8000305@tundraware.com> <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd>
On Wed, Dec 5, 2012 at 5:42 PM, Damien Fleuriot <ml@my.gd> wrote:
>
>
> On 6 Dec 2012, at 00:19, Tim Daneliuk <tundra@tundraware.com> wrote:
>
> > sudo chown root:wheel my_naughty_script
> > sudo chmod 700 my_naughty_script
> > sudo ./my_naughty_script
> >
> > The sudo log will note that I ran the script, but not what it did.
> >
>
> wow, way to complicate matters.
>
> sudo csh
>
> >
> > So Gentle Geniuses, is there prior art here that could be applied
> > to give me full coverage logging of every action taken by any person or
> > thing running with effective or actual root?
> >
> > P.S. I do not believe
>
> Now would be a good time to start, then.
>
> The only things you need to ensure are:
> - auditd cannot be killed off (this is an interesting bit actually, anyone
> knows how to do that ?)
>

Can't be done really for an id 0 account.  Not without extensive
customization anyway.  However the Audit Distribution Daemon was recently
committed so audit logs could potentially be stored in a different location
easily.

> - the audit trail files can only be appended to ; man chflags

Audit Distribution Daemon would alleviate this as well.

--
Adam Vande More
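The audit setup the two replies above are talking about, written out as an added example (this script is not from any poster in the thread). It assumes a FreeBSD host with the default /etc/security/audit_control and /var/audit paths; the `dist:on` line only does anything once auditdistd(8), the daemon Adam mentions, is installed and configured. Two things the thread leaves implicit are built in: the `ex` class with `policy:argv` is what makes every execve(2) and its argument vector show up in the trail, so the commands a root script runs are recorded and not just the script; and `sappnd` is applied only to closed trail files, because auditd(8) renames the active `*.not_terminated` file when it rotates, and rename fails on a file or directory carrying the system append-only flag.

```shell
#!/bin/sh
# Added example for the "full command logging" thread; not code from FreeBSD or any poster.
# Assumed paths are the FreeBSD defaults. Run as root with "apply" to change the system;
# any other argument (or none) only prints what would be done.

AUDIT_CONTROL="${AUDIT_CONTROL:-/etc/security/audit_control}"
AUDIT_DIR="${AUDIT_DIR:-/var/audit}"

# audit_control(5) content.
#   flags:  lo (login/logout), aa (authn/authz), ex (every execve(2), all users)
#   policy: cnt  = keep running if a record cannot be written
#           argv = store the argument vector with each exec record
#   dist:   hand finished trails to auditdistd(8) for an off-host copy (needs FreeBSD 10+)
# No expire-after: expiry would try to unlink files we mark sappnd below.
gen_audit_control() {
    cat <<EOF
dir:${AUDIT_DIR}
dist:on
flags:lo,aa,ex
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
EOF
}

# Commands that make already-closed trails append-only at the system level.
# The active trail (*.not_terminated) is skipped on purpose: auditd renames it on
# rotation and rename is refused on a sappnd file. With kern.securelevel >= 1 even
# uid 0 cannot clear sappnd again (chflags(1)); securelevel can only be raised at
# runtime, so make it persistent with kern_securelevel_enable/kern_securelevel in rc.conf.
gen_flag_cmds() {
    dir="$1"
    printf '%s\n' "find ${dir} -type f ! -name '*.not_terminated' -exec chflags sappnd {} +"
    printf '%s\n' "sysctl kern.securelevel=1"
}

run() {
    if [ "$1" = "apply" ]; then
        gen_audit_control > "$AUDIT_CONTROL"
        gen_flag_cmds "$AUDIT_DIR" | sh -e
        service auditd restart   # re-reads audit_control; rc.conf needs auditd_enable="YES"
    else
        echo "# would write ${AUDIT_CONTROL}:"; gen_audit_control
        echo "# would run:"; gen_flag_cmds "$AUDIT_DIR"
    fi
}

run "${1:-dry-run}"
```

Preselection is keyed on the audit ID that is fixed at login, not on the effective uid, so `sudo csh` and everything spawned from it still inherits the user's mask and the `ex` records are attributed to the original login. What this does not fix is the point Adam makes: a process running as uid 0 can still stop auditd itself, and only copying trails off the host (auditdistd, or a syslog-style remote sink) limits what it can hide after that.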