From: Devin Teske <Devin.Teske@fisglobal.com>
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
Date: Thu, 6 Dec 2012 12:44:03 -0800
To: Tim Daneliuk
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Message-ID: <66A35C1E-351C-477E-8655-F46264006BDA@fisglobal.com>
In-Reply-To: <50BFD674.8000305@tundraware.com>

On Dec 5, 2012, at 3:19 PM, Tim Daneliuk wrote:

> This is a little bit outside the strict boundaries of a FreeBSD question,
> but I am hoping someone in this community has solved this problem and
> that I might be able to adapt it for non-FreeBSD systems (AIX and Linux,
> specifically).
>
> I am working with an institution that today provides limited privilege escalation
> on their servers via very specific sudo rules. The problem is that the
> administrators can do 'sudo su -'. The fact that they became root is
> logged, *but everything thereafter they do is not*. What these people
> need is something that does the following things - this need not be
> sudo based, any FOSS or commercial solution would be considered:
>
> - Log the fact that someone became effective root
>
> - Log every command they execute *as* root
>
> - If they run a script as root, log the individual
> actions of that script
>
> - Have visibility into all this no matter how they access
> the system - console, ssh, xterm …

There's a kernel module floating around the Intarwebs… lrexec

We used it for some years to satisfy governance regulations.

But let me tell you… it got so noisy, it was ultimately disabled for sanity.

But don't let that stop You.
…
Quick search of "lrexec module" yields the following:

http://freebsd.munk.me.uk/archives/112-Installed-and-Configured-lrexec-module-For-Logging-System-Calls.html

NOTE: Our plan for replacing this functionality in our organization was to use the praudit fire-hose available in FreeBSD-8.x. It too could be a solution to your problem.
--
Devin

> Nothing I have found so far meets all these criteria. Verbose
> syslogging will not catch the case where you start a subshell
> from the main shell. Keylogging seems to only have limited
> coverage and does not appear it would work if, say, I log in
> via ssh and then kick off an xterm. Other solutions
> fail if I start an editor and shell out from there.
>
> The current proposal is to install sudo rules such that NO one
> is allowed 'sudo su -' and *every single command* you want
> to run as root has to start with 'sudo'. This has two big
> drawbacks:
>
> - It's an enormous pain for the admins and fundamentally changes
> their workflow
>
> - It cannot see into scripts. So I can circumvent it pretty
> easily with:
>
> sudo chown root:wheel my_naughty_script
> sudo chmod 700 my_naughty_script
> sudo ./my_naughty_script
>
> The sudo log will note that I ran the script, but not what it did.
>
> So Gentle Geniuses, is there prior art here that could be applied
> to give me full coverage logging of every action taken by any person or
> thing running with effective or actual root?
>
> P.S. I do not believe auditd does this either.
>
> --
> Tim Daneliuk tundra@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
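Added example, not code from either poster: one way to cover the "script as root" case on FreeBSD with the audit subsystem that Devin's NOTE points at (praudit). It assumes the stock /etc/security/audit_control keys and the praudit -l record layout documented in the FreeBSD handbook's audit chapter; the sample records below are constructed.

```shell
# Auditing the "ex" class with the "argv" policy records every execve(2)
# on the host, so each external command a root-run script launches is
# logged, whatever the access path (console, ssh, xterm). Assumed lines
# for /etc/security/audit_control (then: service auditd restart):
#   flags:lo,aa,ex
#   policy:cnt,argv
# Caveat: shell builtins and in-process actions (an editor writing a file)
# are not execve calls and will not show up; pair this with file-class
# auditing if those matter.

# root_execs: read "praudit -l" records on stdin and print one line per
# execve performed with an effective uid of root, keyed by the audit user
# (the account that originally logged in, which survives sudo/su).
root_execs() {
    awk -F, '
    /,execve\(2\),/ {
        cmd = ""; auid = ""; euid = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "exec arg") {
                # argv runs until the next token name
                for (j = i + 1; j <= NF && $j != "path" && $j != "attribute" && $j != "subject"; j++)
                    cmd = (cmd == "" ? $j : cmd " " $j)
            }
            # subject token: audit-user, euid, egid, ruid, rgid, pid, sid, tid
            if ($i == "subject") { auid = $(i + 1); euid = $(i + 2) }
        }
        if (euid == "root") printf "auid=%s euid=%s cmd=%s\n", auid, euid, cmd
    }'
}

# Constructed sample records in the shape of "praudit -l" output: the
# first is the chown from the thread run via sudo (euid root, audit user
# tim); the second is an ordinary unprivileged command and is filtered out.
SAMPLE='header,129,10,execve(2),0,Thu Dec  6 14:44:03 2012, + 128 msec,exec arg,chown,root:wheel,my_naughty_script,path,/usr/sbin/chown,attribute,555,root,wheel,90,24918,104944,subject,tim,root,wheel,root,wheel,38439,38439,50107,10.0.1.2,return,success,0,trailer,129
header,120,10,execve(2),0,Thu Dec  6 14:44:04 2012, + 130 msec,exec arg,finger,doug,path,/usr/bin/finger,attribute,555,root,wheel,90,24918,104944,subject,tim,tim,wheel,tim,wheel,38440,38440,50107,10.0.1.2,return,success,0,trailer,120'

# Live use on the audited host (ship the lines off-box via syslog):
#   praudit -l /dev/auditpipe | root_execs | logger -t rootexec
printf '%s\n' "$SAMPLE" | root_execs
```

The audit user field is what answers "who became root"; the exec arg tokens answer "what did they run", including each command inside the script.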