From owner-freebsd-questions@FreeBSD.ORG Thu Dec 6 20:10:36 2012
Date: Thu, 6 Dec 2012 20:10:23 +0000
From: Steve O'Hara-Smith
To: freebsd-questions@freebsd.org
Cc: tundra@tundraware.com
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
Message-Id: <20121206201023.750cace0181d4756a3111c2f@sohara.org>
In-Reply-To: <50C0EFA4.3010902@tundraware.com>
References: <50BFD674.8000305@tundraware.com> <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd> <50BFDCFD.4010108@tundraware.com> <50C0EFA4.3010902@tundraware.com>
X-Mailer: Sylpheed 3.2.0 (GTK+ 2.24.6; amd64-portbld-freebsd9.0)
List-Id: User questions

On Thu, 06 Dec 2012 13:19:00 -0600 Tim Daneliuk wrote:

> On 12/06/2012 12:55 PM, n j wrote:
> > On Thu, Dec 6, 2012 at 12:47 AM, Tim Daneliuk wrote:
> >> ...
> >> Well ... does auditd provide a record of every command issued within a
> >> script?
> >> I was under the impression (and I may well be wrong) that it noted
> >> only the name of the script being executed.
> >
> > Even if you configured auditd to record every command issued within a
> > script, you'd still have a problem if a malicious user put the same
> > commands inside a binary.
> >
> > As some people already pointed out, there is practically no way to
> > control users once you give them root privileges.
>
> I understand this. Even the organization in question understands
> this. They are not trying to *prevent* any kind of access. All
> they're trying to do is *log* it. Why? To meet some obscure
> compliance requirement they have to adhere to in order to
> remain in business.

	It occurs to me to wonder how the users are connecting to the
machine and whether the logging could be achieved at that level using
(for example) a customised sshd that logs all the traffic. It doesn't
quite log what commands get executed but it does log what gets typed and
everything else will follow from that.

-- 
Steve O'Hara-Smith