Date:      Thu, 6 Dec 2012 11:54:27 -0800
From:      Kurt Buff <kurt.buff@gmail.com>
To:        freebsd-questions@freebsd.org
Cc:        Damien Fleuriot <ml@my.gd>
Subject:   Fwd: Somewhat OT: Is Full Command Logging Possible?
Message-ID:  <CADy1Ce6rV4WNSY-37uCmkP8FnxYGJ4ciwFfNYsPbJL2nMhCCMg@mail.gmail.com>
In-Reply-To: <CADy1Ce6wfQYTBaFUBbhrewveFqxBpcTmRK-t-xETjxdZWO6Ocw@mail.gmail.com>
References:  <50BFD674.8000305@tundraware.com> <CADy1Ce5CCA4ExOok4DndA4C-MazbegZY1OKztCNqUZHGzLJgTA@mail.gmail.com> <50BFDD51.5000100@tundraware.com> <CADy1Ce4c2b3zFxentKvXnNw0y5zhurYgaAXWbqybgtQhG9w9ZA@mail.gmail.com> <CF3B41F4-5B38-4468-914A-B73E7EBEDEB9@my.gd> <CADy1Ce6wfQYTBaFUBbhrewveFqxBpcTmRK-t-xETjxdZWO6Ocw@mail.gmail.com>

Sorry, forgot to reply all...

Kurt


---------- Forwarded message ----------
From: Kurt Buff <kurt.buff@gmail.com>
Date: Thu, Dec 6, 2012 at 11:53 AM
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
To: Fleuriot Damien <ml@my.gd>


On Thu, Dec 6, 2012 at 1:26 AM, Fleuriot Damien <ml@my.gd> wrote:
>
> On Dec 6, 2012, at 1:35 AM, Kurt Buff <kurt.buff@gmail.com> wrote:
>
>> On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk <tundra@tundraware.com> wrote:
>>> On 12/05/2012 05:44 PM, Kurt Buff wrote:
>>>>
>>>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk <tundra@tundraware.com>
>>>> wrote:
>>>>>
>>>>> I am working with an institution that today provides limited privilege
>>>>> escalation
>>>>> on their servers via very specific sudo rules.  The problem is that the
>>>>> administrators can do 'sudo su -'.
>>>>
>>>> <snip>
>>>>
>>>>
>>>> sudo is misconfigured.
>>>>
>>>> man 5 sudoers and man 8 visudo
>>>>
>>>>
>>>>
>>>> Kurt
>>>>
>>>
>>> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
>>> saying.  Are you suggesting that there is a way to configure
>>> sudo so that if someone does 'sudo su -' to become an admin,
>>> sudo can be made to log every command they execute thereafter?
>>
>> No, I'm saying that sudo should not be configured to allow 'sudo su -'.
>
>
> This is an ineffective solution.
>
> So what, you're going to forbid "sudo su -"
>
> Fine, I'll just run "sudo csh" .
>
> If you forbid csh, I'll just copy the existing `which csh` to ~/toto and "sudo ~/toto" .
>
>
>
> Basically, anything short of actually whitelisting what people can run won't do.
>
> And apparently that's not in Tim's list of desirable things ;)

Whitelisting commands is exactly what the sudoers file is for. If he
wants to do otherwise, then he's using the wrong tool.

Kurt
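An added example, not code from the thread or from any of its participants, showing the two sudoers styles under discussion side by side: the "allow everything except su" rule that Damien's `sudo csh` and `sudo ~/toto` walk around, and the explicit command whitelist that Kurt says sudoers is for. The group name `ops`, the alias names and the command paths (FreeBSD-style) are assumptions for illustration; adjust them to the hosts in question.

```sudoers
# Added example, not from the thread. Group, aliases and paths are assumed.
# Check syntax before installing with:  visudo -c -f /etc/sudoers.d/ops

# --- Weak: blacklist one binary ---------------------------------------------
# The '!' entry only excludes the path /usr/bin/su.  "sudo /bin/csh", a copy
# of csh placed in ~/toto, or any permitted program with a shell escape still
# gives an interactive root shell whose commands sudo never sees.
#
#   %ops ALL = (ALL) ALL, !/usr/bin/su

# --- Corrected: enumerate what the role may run -----------------------------
Cmnd_Alias SERVICES = /usr/sbin/service, /usr/sbin/sysrc
Cmnd_Alias PKGMGMT  = /usr/sbin/pkg install, /usr/sbin/pkg upgrade, \
                      /usr/sbin/pkg delete
Cmnd_Alias LOGS     = /usr/bin/tail -f /var/log/messages, \
                      /usr/bin/less /var/log/messages

# No shell, no su, and no command that takes an arbitrary executable as an
# argument is listed, so "sudo csh" and "sudo ~/toto" are refused and logged
# as denied attempts.  NOEXEC stops the listed programs (less, for instance)
# from spawning a shell via their own escape commands.
%ops ALL = (root) NOEXEC: SERVICES, PKGMGMT, LOGS

# Config edits go through sudoedit, which copies the file in and out and runs
# the editor as the invoking user, rather than granting "vi" as root.
%ops ALL = (root) sudoedit /etc/rc.conf, sudoedit /etc/hosts
```

Two caveats when applying this. NOEXEC is implemented by preloading a library into dynamically linked programs, so a statically linked binary is not covered and should not be whitelisted if it can execute other programs. Wildcards in a command argument list match across whitespace, so a rule such as `/usr/bin/less /var/log/*` also matches `less /var/log/messages /etc/master.passwd`; prefer fully spelled-out arguments, as above, to wildcards.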



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADy1Ce6rV4WNSY-37uCmkP8FnxYGJ4ciwFfNYsPbJL2nMhCCMg>