From owner-freebsd-questions@FreeBSD.ORG Thu Dec 6 02:27:04 2012 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 87A67C36 for ; Thu, 6 Dec 2012 02:27:04 +0000 (UTC) (envelope-from pschmehl_lists@tx.rr.com) Received: from cdptpa-omtalb.mail.rr.com (cdptpa-omtalb.mail.rr.com [75.180.132.120]) by mx1.freebsd.org (Postfix) with ESMTP id 344D88FC08 for ; Thu, 6 Dec 2012 02:27:03 +0000 (UTC) X-Authority-Analysis: v=2.0 cv=OOOlLFmB c=1 sm=0 a=+L5dYfeubEW4PLvjDgtIXQ==:17 a=WAZfUmVf-EkA:10 a=CTRC7nxYIvUA:10 a=05ChyHeVI94A:10 a=kj9zAlcOel0A:10 a=ayC55rCoAAAA:8 a=cd2htP0gDKkA:10 a=MnkTnmICAAAA:8 a=W6u0E1Bvrrh4OckPRT0A:9 a=CjuIK1q_8ugA:10 a=VAeyC-Qft3gA:10 a=+L5dYfeubEW4PLvjDgtIXQ==:117 X-Cloudmark-Score: 0 X-Authenticated-User: X-Originating-IP: 76.184.157.127 Received: from [76.184.157.127] ([76.184.157.127:53130] helo=[10.0.0.7]) by cdptpa-oedge03.mail.rr.com (envelope-from ) (ecelerity 2.2.3.46 r()) with ESMTP id E6/0B-21565-07200C05; Thu, 06 Dec 2012 02:26:57 +0000 Date: Wed, 05 Dec 2012 20:26:55 -0600 From: Paul Schmehl To: Tim Daneliuk Subject: Re: Somewhat OT: Is Full Command Logging Possible? Message-ID: <2C35284AF2FD11FE2D62871A@Pauls-MacBook-Pro.local> In-Reply-To: <50BFEE61.7070005@tundraware.com> References: <50BFD674.8000305@tundraware.com> <50BFDD51.5000100@tundraware.com> <50BFEE61.7070005@tundraware.com> X-Mailer: Mulberry/4.0.8 (Mac OS X) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Cc: FreeBSD Mailing List X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: Paul Schmehl List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Dec 2012 02:27:04 -0000 --On December 5, 2012 7:01:21 PM -0600 Tim Daneliuk wrote: > On 12/05/2012 06:35 PM, Kurt Buff wrote: >> On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk >> wrote: >>> On 12/05/2012 05:44 PM, Kurt Buff wrote: >>>> >>>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk >>>> wrote: >>>>> >>>>> I am working with an institution that today provides limited privilege >>>>> escalation >>>>> on their servers via very specific sudo rules. The problem is that >>>>> the administrators can do 'sudo su -'. >>>> >>>> >>>> >>>> >>>> sudo is misconfigured. >>>> >>>> man 5 sudoers and man 8 visudo >>>> >>>> >>>> >>>> Kurt >>>> >>> >>> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're >>> saying. Are you suggesting that there is a way to configure >>> sudo so that if someone does 'sudo su -' to become an admin, >>> sudo can be made to log every command they execute thereafter? >> >> No, I'm saying that sudo should not be configured to allow 'sudo su -'. >> >> Since you say that the users are provided "limited privilege >> escalation on their servers via very specific sudo rules", it seems to >> me that one of three things is going wrong: >> >> o- Something is wrong with the configuration of sudoers if they can su >> to root when they shouldn't be able to do so >> >> o- Someone has misconceived what "limited privilege escalation on >> their servers via very specific sudo rules" actually means, and >> deliberately has it configured to allows users to su to root >> >> o- The users' accounts are already root equivalent, which, depending >> on the version and configuration of sudo, might give them the ability >> to sudo to root regardless of the contents of the sudoers file (see, >> for instance, the screen in FreeBSD when you perform 'cd >> /usr/ports/security/sudo' and then 'make config') >> >> Kurt >> > Oh, OK, I wasn't being clear: > > - *Some* users are granted the ability to do sudo su - These > are the sysadmins. > > - All other user are given selective ability to run only a few > things via sudo. This varies by department and is controlled > through a combination of sudo rules and central LDAP group > membership control. This is necessary because, for example, > some DBAs need this when installing a particular client. > Install security/sudoscript. Paul Schmehl, Senior Infosec Analyst As if it wasn't already obvious, my opinions are my own and not those of my employer. ******************************************* "It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson "There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell