Subject: Re: Somewhat OT: Is Full Command Logging Possible?
From: Fleuriot Damien
Date: Thu, 6 Dec 2012 10:22:20 +0100
To: Tim Daneliuk
Cc: FreeBSD Mailing List

On Dec 6, 2012, at 12:47 AM, Tim Daneliuk wrote:

> On 12/05/2012 05:42 PM, Damien Fleuriot wrote:
>>
>> On 6 Dec 2012, at 00:19, Tim Daneliuk wrote:
>>
>>> sudo chown root:wheel my_naughty_script
>>> sudo chmod 700 my_naughty_script
>>> sudo ./my_naughty_script
>>>
>>> The sudo log will note that I ran the script, but not what it did.
>>
>> wow, way to complicate matters.
>
> Hey, I didn't dream up this problem :)
>
>> sudo csh
>>
>>> So Gentle Geniuses, is there prior art here that could be applied
>>> to give me full coverage logging of every action taken by any person or
>>> thing running with effective or actual root?
>>>
>>> P.S. I do not believe
>>
>> Now would be a good time to start, then.
>
> Well ... does auditd provide a record of every command issued within a script?
> I was under the impression (and I may well be wrong) that it noted only
> the name of the script being executed.

While it won't log every single command invoked from inside a script, it *can* log every single file access that's made.

Apart from IBM z/Series and i/Series mainframes, there is no hardware/software combination that I am aware of which will do that.

The Audit framework is your next best bet IMHO.
>> The only things you need to ensure are:
>> - auditd cannot be killed off (this is an interesting bit actually, does anyone know how to do that?)
>> - the audit trail files can only be appended to; man chflags
>>
>> An alternative would be lshell, however you'll have to whitelist commands people can execute.
>
> Remember that we want admins to be able to do *anything* but we just want
> to log what they do, in fact do.
>
> --
> ----------------------------------------------------------------------------
> Tim Daneliuk tundra@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
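As an added example, not code from this thread: a small Python walker over praudit(1) text output that lists every execve(2) record the audit trail holds, together with the audit user and effective user attached to it. This is what makes the audit framework answer the question above about commands run from inside a script, since each exec inside the script gets its own record. The trail below is constructed, and its token layout (one comma-separated token per line, each record bracketed by header and trailer) is assumed to match praudit's default text output.

```python
# Added example: summarise execve(2) records from praudit(1) text output.
# Assumption: default praudit layout, one comma-separated token per line.

# Constructed trail: tim runs 'sudo ./my_naughty_script'; the script is run
# by /bin/sh and then tries to exec a helper that does not exist.
SAMPLE_TRAIL = """\
header,130,11,execve(2),0,Thu Dec  6 10:22:20 2012, + 10 msec
exec arg,sudo,./my_naughty_script
subject,tim,tim,wheel,tim,wheel,1201,1201,5000,10.0.0.5
return,success,0
trailer,130
header,128,11,execve(2),0,Thu Dec  6 10:22:20 2012, + 12 msec
exec arg,/bin/sh,./my_naughty_script
subject,tim,root,wheel,root,wheel,1202,1201,5000,10.0.0.5
return,success,0
trailer,128
header,110,11,execve(2),0,Thu Dec  6 10:22:21 2012, + 3 msec
exec arg,./helper.sh
subject,tim,root,wheel,root,wheel,1203,1201,5000,10.0.0.5
return,failure : No such file or directory,-1
trailer,110
"""

def parse_praudit(text):
    """Return one dict per record: event, audit_user, euid, argv, ok."""
    records, cur = [], None
    for line in text.splitlines():
        f = line.split(",")  # naive split: exec args containing ',' would break
        if f[0] == "header":
            cur = {"event": f[3], "audit_user": "", "euid": "",
                   "argv": [], "ok": False}
        elif cur is None:
            continue  # token outside a header/trailer pair: ignore
        elif f[0] == "exec arg":
            cur["argv"] = f[1:]
        elif f[0] == "subject":
            # f[1] is the audit ID fixed at login, f[2] the effective user, so
            # a root shell reached via sudo still names who started the session
            cur["audit_user"], cur["euid"] = f[1], f[2]
        elif f[0] == "return":
            cur["ok"] = f[1] == "success"
        elif f[0] == "trailer":
            records.append(cur)
            cur = None
    return records

def commands_run(text):
    """(audit_user, euid, command line, succeeded) for each execve record."""
    return [(r["audit_user"], r["euid"], " ".join(r["argv"]), r["ok"])
            for r in parse_praudit(text) if r["event"].startswith("execve")]
```

On a live system the input would come from `praudit /var/audit/<trail>`; the constructed sample shows the inner commands of the script appearing as separate records, each still attributed to the audit user who ran sudo.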