Date: Thu, 6 Dec 2012 10:22:20 +0100 From: Fleuriot Damien <ml@my.gd> To: Tim Daneliuk <tundra@tundraware.com> Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org> Subject: Re: Somewhat OT: Is Full Command Logging Possible? Message-ID: <E47B19F8-8881-465F-9F0B-FC7CAD72F9B2@my.gd> In-Reply-To: <50BFDCFD.4010108@tundraware.com> References: <50BFD674.8000305@tundraware.com> <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd> <50BFDCFD.4010108@tundraware.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Dec 6, 2012, at 12:47 AM, Tim Daneliuk <tundra@tundraware.com> wrote: > On 12/05/2012 05:42 PM, Damien Fleuriot wrote: >> >> >> On 6 Dec 2012, at 00:19, Tim Daneliuk <tundra@tundraware.com> wrote: >> >>> sudo chown root:wheel my_naughty_script >>> sudo chmod 700 my_naughty script >>> sudo ./my_naughty_script >>> >>> The sudo log will note that I ran the script, but not what it did. >>> >>> >> >> wow, way to complicate matters. > > Hey, I didn't dream up this problem :) > >> >> sudo csh >> >> >> >>> So Gentle Geniuses, is there prior art here that could be applied >>> to give me full coverage logging of every action taken by any person or >>> thing running with effective or actual root? >>> >>> P.S. I do not believe >> >> Now would be a good time to start, then. > > > Well ... does auditd provide a record of every command issued within a script? > I was under the impression (and I may well be wrong) that it noted only > the name of the script being executed. > While it won't log every single command invoked from inside a script, it *can* log every single file access that's made. Apart from IBM z/Series and i/Series mainframes, there is no hardware/software combination that I am aware of which will do that. The Audit framework is your next best bet IMHO. >> >> The only things you need to ensure are: >> - auditd cannot be killed off (this is an interesting bit actually, anyone knows how to do that ?) >> - the audit trail files can only be appended to ; man chflags >> >> >> An alternative would be lshell, however you'll have to whitelist commands people can execute. >> >> > > Remember that we want admins to be able to do *anything* but we just want > to log what they do, in fact do. > > -- > ---------------------------------------------------------------------------- > Tim Daneliuk tundra@tundraware.com > PGP Key: http://www.tundraware.com/PGP/ > > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E47B19F8-8881-465F-9F0B-FC7CAD72F9B2>