Date: Thu, 6 Dec 2012 10:22:20 +0100
From: Fleuriot Damien <ml@my.gd>
To: Tim Daneliuk <tundra@tundraware.com>
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
Message-ID: <E47B19F8-8881-465F-9F0B-FC7CAD72F9B2@my.gd>
In-Reply-To: <50BFDCFD.4010108@tundraware.com>
References: <50BFD674.8000305@tundraware.com> <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd> <50BFDCFD.4010108@tundraware.com>
On Dec 6, 2012, at 12:47 AM, Tim Daneliuk <tundra@tundraware.com> wrote:

> On 12/05/2012 05:42 PM, Damien Fleuriot wrote:
>>
>> On 6 Dec 2012, at 00:19, Tim Daneliuk <tundra@tundraware.com> wrote:
>>
>>> sudo chown root:wheel my_naughty_script
>>> sudo chmod 700 my_naughty_script
>>> sudo ./my_naughty_script
>>>
>>> The sudo log will note that I ran the script, but not what it did.
>>>
>>
>> wow, way to complicate matters.
>
> Hey, I didn't dream up this problem :)
>
>>
>> sudo csh
>>
>>> So Gentle Geniuses, is there prior art here that could be applied
>>> to give me full coverage logging of every action taken by any person or
>>> thing running with effective or actual root?
>>>
>>> P.S. I do not believe
>>
>> Now would be a good time to start, then.
>
> Well ... does auditd provide a record of every command issued within a script?
> I was under the impression (and I may well be wrong) that it noted only
> the name of the script being executed.
>

While it won't log every single command invoked from inside a script, it *can* log every single file access that's made.

Apart from IBM z/Series and i/Series mainframes, there is no hardware/software combination that I am aware of which will do that.

The Audit framework is your next best bet IMHO.

>>
>> The only things you need to ensure are:
>> - auditd cannot be killed off (this is an interesting bit actually; does anyone know how to do that?)
>> - the audit trail files can only be appended to; man chflags
>>
>> An alternative would be lshell, however you'll have to whitelist commands people can execute.
>>
>
> Remember that we want admins to be able to do *anything* but we just want
> to log what they do, in fact do.
>
> --
> ----------------------------------------------------------------------------
> Tim Daneliuk tundra@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
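As an added example (not from the thread, and not FreeBSD's own code), this is what the audit-framework route Damien points to looks like in practice: a POSIX shell script that gives root the file-access and exec audit classes in audit_user, adds the argv policy to audit_control so each program a script executes is recorded with its arguments, and sets the append-only flag on finished trail files as suggested above. The class selection, function names and the overridable path variables are my own choices, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: enable file-access
# and exec auditing for root with the FreeBSD audit framework and make finished
# trail files append-only. Standard paths assumed; override them to test.

AUDIT_CONF_DIR="${AUDIT_CONF_DIR:-/etc/security}"
AUDIT_TRAIL_DIR="${AUDIT_TRAIL_DIR:-/var/audit}"

# audit_class(5): lo login/logout, aa authentication, ex exec, pc process
# control, fw/fc/fd file write/create/delete, fr file read (noisy; drop if needed).
ROOT_ALWAYS_AUDIT="lo,aa,ex,pc,fw,fc,fd,fr"
# audit_user(5) line: user:always-audit:never-audit ('no' = never-audit nothing).
root_audit_user_line() { printf 'root:%s:no\n' "$ROOT_ALWAYS_AUDIT"; }

# Put the root line into audit_user, replacing any existing root entry.
install_root_audit_user() {
    f="$AUDIT_CONF_DIR/audit_user"
    { [ ! -f "$f" ] || grep -v '^root:' "$f" || :; root_audit_user_line; } > "$f.tmp"
    mv "$f.tmp" "$f"
}

# audit_control(5): 'argv' in the policy line makes each exec record carry the
# command's arguments, so every external program a script runs is logged with
# its arguments (shell builtins never exec, so those still are not).
ensure_argv_policy() {
    f="$AUDIT_CONF_DIR/audit_control"
    grep -q '^policy:.*argv' "$f" 2>/dev/null && return 0
    if grep -q '^policy:' "$f" 2>/dev/null; then
        awk '/^policy:/ { $0 = $0 ",argv" } { print }' "$f" > "$f.tmp"
    else
        { [ ! -f "$f" ] || cat "$f"; echo 'policy:cnt,argv'; } > "$f.tmp"
    fi
    mv "$f.tmp" "$f"
}

# Append-only trails as the thread suggests, but only for finished files: auditd
# renames the live *.not_terminated file at rotation, which sappnd would block.
# sappnd also blocks unlink (so expire-after stops pruning), and with
# kern.securelevel > 0 not even root can clear it again; see chflags(1).
lock_finished_trails() {
    command -v chflags >/dev/null 2>&1 || return 0   # no chflags on this system
    for t in "$AUDIT_TRAIL_DIR"/*; do
        [ -f "$t" ] || continue
        case "$t" in *.not_terminated|*/current) ;; *) chflags sappnd "$t" ;; esac
    done
}

if [ "${1-}" = "--apply" ]; then
    install_root_audit_user; ensure_argv_policy; lock_finished_trails
fi
```

Run it as root with `--apply` on the FreeBSD host and then `audit -s` so auditd re-reads its configuration; the functions can also be sourced and exercised against a scratch AUDIT_CONF_DIR first.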