From: n j
Date: Thu, 6 Dec 2012 19:55:58 +0100
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
To: FreeBSD Mailing List

On Thu, Dec 6, 2012 at 12:47 AM, Tim Daneliuk wrote:

> ...
> Well ... does auditd provide a record of every command issued within a
> script?
> I was under the impression (and I may well be wrong) that it noted only
> the name of the script being executed.

Even if you configured auditd to record every command issued within a
script, you'd still have a problem if a malicious user put the same
commands inside a binary.

As some people already pointed out, there is practically no way to control
users once you give them root privileges.

The only thing that would really solve your problem is probably something
like http://www.balabit.com/network-security/scb/features (no personal
experience with it, but seems it does what you need).

--
Nino