From owner-freebsd-questions@FreeBSD.ORG Wed Dec 19 01:33:44 2012 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 43D3DD7B for ; Wed, 19 Dec 2012 01:33:44 +0000 (UTC) (envelope-from Devin.Teske@fisglobal.com) Received: from mx1.fisglobal.com (mx1.fisglobal.com [199.200.24.190]) by mx1.freebsd.org (Postfix) with ESMTP id 043A58FC17 for ; Wed, 19 Dec 2012 01:33:43 +0000 (UTC) Received: from smtp.fisglobal.com ([10.132.206.31]) by ltcfislmsgpa05.fnfis.com (8.14.5/8.14.5) with ESMTP id qBJ1XVUG023606 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Tue, 18 Dec 2012 19:33:31 -0600 Received: from [10.0.0.102] (10.14.152.61) by smtp.fisglobal.com (10.132.206.31) with Microsoft SMTP Server (TLS) id 14.2.309.2; Tue, 18 Dec 2012 19:33:31 -0600 Subject: Re: Somewhat OT: Is Full Command Logging Possible? MIME-Version: 1.0 (Apple Message framework v1283) Content-Type: text/plain; charset="windows-1252" From: Devin Teske In-Reply-To: <50D115D9.6090608@tundraware.com> Date: Tue, 18 Dec 2012 17:33:30 -0800 Content-Transfer-Encoding: quoted-printable Message-ID: <57543CB2-2C92-434A-959B-C1CF5FC01600@fisglobal.com> References: <50BFD674.8000305@tundraware.com> <50BFDD51.5000100@tundraware.com> <20689.4087.859208.619511@gromit.timing.com> <50D113C0.3020607@tundraware.com> <50D115D9.6090608@tundraware.com> To: Tim Daneliuk X-Mailer: Apple Mail (2.1283) X-Originating-IP: [10.14.152.61] X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.9.8327, 1.0.431, 0.0.0000 definitions=2012-12-19_01:2012-12-18,2012-12-19,1970-01-01 signatures=0 Cc: FreeBSD Mailing List X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: Devin Teske List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Dec 2012 01:33:44 -0000 On Dec 18, 2012, at 5:18 PM, Tim Daneliuk wrote: > On 12/18/2012 07:09 PM, Tim Daneliuk wrote: >> On 12/18/2012 06:53 PM, John Hein wrote: >>> Tim Daneliuk wrote at 17:48 -0600 on Dec 5, 2012: >>> > On 12/05/2012 05:44 PM, Kurt Buff wrote: >>> > > On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk wrote: >>> > >> I am working with an institution that today provides limited priv= ilege >>> > >> escalation >>> > >> on their servers via very specific sudo rules. The problem is th= at the >>> > >> administrators can do 'sudo su -'. >>> > > >>> > > >>> > > >>> > > sudo is misconfigured. >>> > > >>> > > man 5 sudoers and man 8 visudo >>> > > >>> > > >>> > > >>> > > Kurt >>> > > >>> > >>> > I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're >>> > saying. Are you suggesting that there is a way to configure >>> > sudo so that if someone does 'sudo su -' to become an admin, >>> > sudo can be made to log every command they execute thereafter? >>>=20 >>> See log_input and log_output in sudoers(5) >>=20 >> Thanks so much John, that's the secret sauce I was looking for... >>=20 >>=20 >=20 > One further question, if I may. If I do this: >=20 > sudo su - >=20 > Will log_input record everything I do once I've been promoted to > root? I ask because my initial experiments seem to show that all > that's getting recorded is the content of the sudo command itself, > not the subsequent actions=85 >=20 Correct, sudo is blind to the actions performed once the command requested = is executed (in this case, "su" and subsequently a shell followed by more a= ctions). I've suggested the lrexec module for catching everything, or you can look i= nto the auditdistd (distributed auditing collection/collation to a remote/c= entral server) approach, the praudit approach, or any of the other pieces o= f software mentions. --=20 Devin _____________ The information contained in this message is proprietary and/or confidentia= l. If you are not the intended recipient, please: (i) delete the message an= d all copies; (ii) do not disclose, distribute or use the message in any ma= nner; and (iii) notify the sender immediately. In addition, please be aware= that any message addressed to our domain is subject to archiving and revie= w by persons other than the intended recipient. Thank you.