From owner-freebsd-questions@FreeBSD.ORG Thu Dec 6 19:18:32 2012
From: Tim Daneliuk
Organization: TundraWare Inc.
Date: Thu, 06 Dec 2012 13:19:00 -0600
To: n j
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
Message-ID: <50C0EFA4.3010902@tundraware.com>
References: <50BFD674.8000305@tundraware.com> <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd> <50BFDCFD.4010108@tundraware.com>
In-Reply-To:
Cc: FreeBSD Mailing List

On 12/06/2012 12:55 PM, n j wrote:
> On Thu, Dec 6, 2012 at 12:47 AM, Tim Daneliuk wrote:
>> ...
>> Well ... does auditd provide a record of every command issued within a
>> script?
>> I was under the impression (and I may well be wrong) that it noted only
>> the name of the script being executed.
>
> Even if you configured auditd to record every command issued within a
> script, you'd still have a problem if a malicious user put the same
> commands inside a binary.
>
> As some people already pointed out, there is practically no way to
> control users once you give them root privileges.

I understand this. Even the organization in question understands this.
They are not trying to *prevent* any kind of access. All they're trying
to do is *log* it. Why? To meet some obscure compliance requirement they
have to adhere to in order to remain in business.

I know all of this is silly but that's our future when you let Our Fine
Government regulate pretty much anything.
> The only thing that would really solve your problem is probably
> something like http://www.balabit.com/network-security/scb/features
> (no personal experience with it, but seems it does what you need).
> --

-----------------------------------------------------------------------
Tim Daneliuk
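As an added illustration of the auditd point raised in the thread (this is not from the thread or from FreeBSD's shipped file), the /etc/security/audit_control settings that make auditd record every execve(2) with its arguments; the comments and the assumption that the unmodified file audits only the lo,aa classes are mine:

```conf
# /etc/security/audit_control -- added example, not the thread's or FreeBSD's own file.
# Assumed starting point: only login/logout and authentication/authorization
# events are audited, so commands run by users are not logged at all.
#flags:lo,aa
#naflags:lo,aa

dir:/var/audit
# Adding the "ex" class makes every successful and failed execve(2) by an
# attributable user its own audit record. A shell script that runs ls, cp,
# tar, ... yields one exec record per external command, since each is a
# separate execve; shell builtins and work done inside a single binary
# produce no record, which is exactly the gap described in the thread.
flags:lo,aa,ex
# Same classes for events that cannot be tied to a logged-in user.
naflags:lo,aa,ex
minfree:5
# "argv" stores the full argument vector of each exec, not only the path;
# without it the record shows which binary ran but not what it was told to do.
policy:cnt,argv
filesz:2M
expire-after:10M
```

After editing, `service auditd restart` applies the new flags to new login sessions, and `praudit /var/audit/current` prints the active trail in readable form so the exec records can be checked.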