Date: Thu, 6 Dec 2012 10:26:14 +0100 From: Fleuriot Damien <ml@my.gd> To: Kurt Buff <kurt.buff@gmail.com> Cc: Tim Daneliuk <tundra@tundraware.com>, FreeBSD Mailing List <freebsd-questions@freebsd.org> Subject: Re: Somewhat OT: Is Full Command Logging Possible? Message-ID: <CF3B41F4-5B38-4468-914A-B73E7EBEDEB9@my.gd> In-Reply-To: <CADy1Ce4c2b3zFxentKvXnNw0y5zhurYgaAXWbqybgtQhG9w9ZA@mail.gmail.com> References: <50BFD674.8000305@tundraware.com> <CADy1Ce5CCA4ExOok4DndA4C-MazbegZY1OKztCNqUZHGzLJgTA@mail.gmail.com> <50BFDD51.5000100@tundraware.com> <CADy1Ce4c2b3zFxentKvXnNw0y5zhurYgaAXWbqybgtQhG9w9ZA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Dec 6, 2012, at 1:35 AM, Kurt Buff <kurt.buff@gmail.com> wrote: > On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk <tundra@tundraware.com> = wrote: >> On 12/05/2012 05:44 PM, Kurt Buff wrote: >>>=20 >>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk <tundra@tundraware.com> >>> wrote: >>>>=20 >>>> I am working with an institution that today provides limited = privilege >>>> escalation >>>> on their servers via very specific sudo rules. The problem is that = the >>>> administrators can do 'sudo su -'. >>>=20 >>> <snip> >>>=20 >>>=20 >>> sudo is misconfigured. >>>=20 >>> man 5 sudoers and man 8 visudo >>>=20 >>>=20 >>>=20 >>> Kurt >>>=20 >>=20 >> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're >> saying. Are you suggesting that there is a way to configure >> sudo so that if someone does 'sudo su -' to become an admin, >> sudo can be made to log every command they execute thereafter? >=20 > No, I'm saying that sudo should not be configured to allow 'sudo su = -'. This is an ineffective solution. So what, you're going to forbid "sudo su -" Fine, I'll just run "sudo csh" . If you forbid csh, I'll just copy the existing `which csh` to ~/toto and = "sudo ~/toto" . Basically, anything short of actually whitelisting what people can run = won't do. And apparently that's not in Tim's list of desirable things ;)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CF3B41F4-5B38-4468-914A-B73E7EBEDEB9>