Date:      Thu, 6 Dec 2012 10:26:14 +0100
From:      Fleuriot Damien <ml@my.gd>
To:        Kurt Buff <kurt.buff@gmail.com>
Cc:        Tim Daneliuk <tundra@tundraware.com>, FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Somewhat OT: Is Full Command Logging Possible?
Message-ID:  <CF3B41F4-5B38-4468-914A-B73E7EBEDEB9@my.gd>
In-Reply-To: <CADy1Ce4c2b3zFxentKvXnNw0y5zhurYgaAXWbqybgtQhG9w9ZA@mail.gmail.com>
References:  <50BFD674.8000305@tundraware.com> <CADy1Ce5CCA4ExOok4DndA4C-MazbegZY1OKztCNqUZHGzLJgTA@mail.gmail.com> <50BFDD51.5000100@tundraware.com> <CADy1Ce4c2b3zFxentKvXnNw0y5zhurYgaAXWbqybgtQhG9w9ZA@mail.gmail.com>



On Dec 6, 2012, at 1:35 AM, Kurt Buff <kurt.buff@gmail.com> wrote:

> On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk <tundra@tundraware.com> wrote:
>> On 12/05/2012 05:44 PM, Kurt Buff wrote:
>>> 
>>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk <tundra@tundraware.com>
>>> wrote:
>>>> 
>>>> I am working with an institution that today provides limited privilege
>>>> escalation
>>>> on their servers via very specific sudo rules.  The problem is that the
>>>> administrators can do 'sudo su -'.
>>> 
>>> <snip>
>>> 
>>> 
>>> sudo is misconfigured.
>>> 
>>> man 5 sudoers and man 8 visudo
>>> 
>>> 
>>> 
>>> Kurt
>>> 
>> 
>> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
>> saying.  Are you suggesting that there is a way to configure
>> sudo so that if someone does 'sudo su -' to become an admin,
>> sudo can be made to log every command they execute thereafter?
> 
> No, I'm saying that sudo should not be configured to allow 'sudo su -'.


This is an ineffective solution.

So what, you're going to forbid "sudo su -"?

Fine, I'll just run "sudo csh".

If you forbid csh, I'll just copy the existing `which csh` to ~/toto and "sudo ~/toto".



Basically, anything short of actually whitelisting what people can run won't do.

And apparently that's not in Tim's list of desirable things ;)
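The following is an added example, not part of the original thread and not sudo's own tooling: a small Python audit that reads a sudoers fragment and flags the two patterns the reply above argues about. A grant of ALL with `!` exclusions is a blacklist (the exclusions are bypassed with any other shell, or a copy of one, exactly as described), and a whitelist that names a shell is still a whitelist of a root shell. A third check flags wildcards in command arguments, which sudoers matches across whitespace. The sudoers text is constructed for the example, and the parser is deliberately simplified (Cmnd_Alias lines and plain `user host = (runas) TAG: cmd, cmd` specs only; Defaults and other aliases are skipped).

```python
"""Audit a sudoers fragment for rules that hand out a root shell.

Simplified parser: handles Cmnd_Alias and 'user host = (runas) TAG: cmd, cmd'
lines, comments and backslash continuations. Other alias types, Defaults and
include directives are ignored. Example code, not sudo's own tooling.
"""
import re
import shlex

# Programs that are, or trivially become, an unrestricted shell when run as root.
SHELLS = {"sh", "csh", "tcsh", "bash", "zsh", "ksh", "dash", "fish", "su"}

# Constructed sample sudoers fragment (not taken from the original message).
SAMPLE_SUDOERS = """\
# Blacklist style: the grant is still ALL, the exclusions only name what is forbidden
Cmnd_Alias SHELLS = /bin/sh, /bin/csh, /bin/tcsh, /usr/local/bin/bash
admins    ALL = (ALL) ALL, !/usr/bin/su, !SHELLS

# Whitelist that happens to contain a shell
webops    ALL = (root) /usr/sbin/service nginx restart, /bin/csh

# Whitelist with a wildcard in the arguments
logs      ALL = (root) /usr/bin/tail -f /var/log/nginx/*

# Whitelist with fixed commands and fixed arguments
operators ALL = (root) NOPASSWD: /usr/sbin/service nginx restart, \\
                       /usr/bin/tail -n 100 /var/log/nginx/access.log
"""


def parse_sudoers(text):
    """Return (cmnd_aliases, user_specs) from a sudoers fragment."""
    aliases, specs = {}, []
    for raw in re.sub(r"\\\n\s*", " ", text).splitlines():  # join continuations
        line = raw.split("#", 1)[0].strip()                  # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        if line.split()[0].endswith("_Alias"):
            continue  # User_Alias / Host_Alias / Runas_Alias are not needed here
        m = re.match(r"(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)", line)
        if m:
            specs.append({"user": m.group(1), "host": m.group(2),
                          "runas": m.group(3) or "root",
                          "cmds": [c.strip() for c in m.group(4).split(",")]})
    return aliases, specs


def expand(cmd, aliases, negated=False):
    """Yield (negated, command) for one Cmnd_Spec, expanding aliases and dropping tags."""
    cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd.strip())  # NOPASSWD:, SETENV:, ...
    while cmd.startswith("!"):
        negated, cmd = not negated, cmd[1:].strip()
    if cmd in aliases:
        for sub in aliases[cmd]:
            yield from expand(sub, aliases, negated)
    else:
        yield negated, cmd


def audit(text):
    """Return findings as (user, kind, detail) tuples; empty list means nothing flagged."""
    aliases, specs = parse_sudoers(text)
    findings = []
    for spec in specs:
        entries = [e for c in spec["cmds"] for e in expand(c, aliases)]
        allowed = [c for neg, c in entries if not neg]
        denied = [c for neg, c in entries if neg]
        if "ALL" in allowed:
            # The grant is everything; '!' entries cannot take a shell away from it.
            findings.append((spec["user"], "BLACKLIST",
                             f"grants ALL; {len(denied)} exclusion(s) are bypassed by "
                             "any other shell or a copied shell binary"))
            continue
        for c in allowed:
            words = shlex.split(c)
            prog = words[0].rsplit("/", 1)[-1]
            if prog in SHELLS:
                findings.append((spec["user"], "SHELL",
                                 f"{c!r} is an unrestricted root shell"))
            elif any(ch in " ".join(words[1:]) for ch in "*?["):
                findings.append((spec["user"], "WILDCARD",
                                 f"{c!r}: wildcards match across whitespace, so the "
                                 "argument set is wider than it looks"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in audit(SAMPLE_SUDOERS):
        print(f"{user:10} {kind:10} {detail}")
```

Run against the sample, the `admins` rule is reported as a blacklist, `webops` as a whitelist containing a shell, `logs` for its wildcard, and `operators` (fixed commands, fixed arguments) produces no finding. Validate any real sudoers with `visudo -c` as well; this script only looks for the antipatterns, not for syntax errors.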




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CF3B41F4-5B38-4468-914A-B73E7EBEDEB9>