Date: Thu, 6 Dec 2012 12:44:03 -0800
From: Devin Teske <devin.teske@fisglobal.com>
To: Tim Daneliuk <tundra@tundraware.com>
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
Message-ID: <66A35C1E-351C-477E-8655-F46264006BDA@fisglobal.com>
In-Reply-To: <50BFD674.8000305@tundraware.com>
References: <50BFD674.8000305@tundraware.com>
On Dec 5, 2012, at 3:19 PM, Tim Daneliuk wrote:

> This is a little bit outside the strict boundaries of a FreeBSD question,
> but I am hoping someone in this community has solved this problem and
> that I might be able to adapt it for non-FreeBSD systems (AIX and Linux,
> specifically).
>
> I am working with an institution that today provides limited privilege escalation
> on their servers via very specific sudo rules. The problem is that the
> administrators can do 'sudo su -'. The fact that they became root is
> logged, *but everything thereafter they do is not*. What these people
> need is something that does the following things - this need not be
> sudo based, any FOSS or commercial solution would be considered:
>
> - Log the fact that someone became effective root
>
> - Log every command they execute *as* root
>
> - If they run a script as root, log the individual
>   actions of that script
>
> - Have visibility into all this no matter how they access
>   the system - console, ssh, xterm ….

There's a kernel module floating around the Intarwebs… lrexec

We used it for some years to satisfy governance regulations.

But let me tell you… it got so noisy, it was ultimately disabled for sanity.

But don't let that stop you. …

Quick search of "lrexec module" yields the following:

http://freebsd.munk.me.uk/archives/112-Installed-and-Configured-lrexec-module-For-Logging-System-Calls.html

NOTE: Our plan for replacing this functionality in our organization was to use the praudit fire-hose available in FreeBSD-8.x. It too could be a solution to your problem.
-- 
Devin

> Nothing I have found so far meets all these criteria. Verbose
> syslogging will not catch the case where you start a subshell
> from the main shell. Keylogging seems to only have limited
> coverage and does not appear it would work if, say, I log in
> via ssh and then kick off an xterm. Other solutions
> fail if I start an editor and shell out from there.
>
> The current proposal is to install sudo rules such that NO one
> is allowed 'sudo su -' and *every single command* you want
> to run as root has to start with 'sudo'. This has two big
> drawbacks:
>
> - It's an enormous pain for the admins and fundamentally changes
>   their workflow
>
> - It cannot see into scripts. So I can circumvent it pretty
>   easily with:
>
>   sudo chown root:wheel my_naughty_script
>   sudo chmod 700 my_naughty_script
>   sudo ./my_naughty_script
>
> The sudo log will note that I ran the script, but not what it did.
>
>
> So Gentle Geniuses, is there prior art here that could be applied
> to give me full coverage logging of every action taken by any person or
> thing running with effective or actual root?
>
> P.S. I do not believe auditd does this either.
>
>
> -- 
> ----------------------------------------------------------------------------
> Tim Daneliuk                                     tundra@tundraware.com
> PGP Key:                 http://www.tundraware.com/PGP/
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

_____________
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
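The praudit approach Devin points to, worked through as an added example that is not from the thread or from FreeBSD: a Python filter over records constructed to resemble `praudit -l` execve(2) output, which keeps every command run with effective uid root (including the individual actions of a script started via sudo) together with the audit-uid that still names who logged in. The token layout and the sample records are assumptions, not captured output.

```python
# Added example (not code from the thread or from FreeBSD): pull root command
# executions out of records shaped like `praudit -l` execve(2) output. The
# token layout (header, exec arg, path, subject, return, trailer) and the
# sample records below are assumed/constructed; args containing commas break it.
from dataclasses import dataclass
from typing import List

_STOP = {"path", "attribute", "subject", "return", "trailer", "exit"}

# Constructed: operator "tim" runs `sudo su -`, then a script as root whose
# own actions still appear as separate execve events; the audit-uid (first
# subject field) stays "tim" throughout, so the operator remains identifiable.
SAMPLE_RECORDS = """\
header,130,11,execve(2),0,Thu Dec  6 12:40:01 2012, + 12 msec,exec arg,sudo,su,-,path,/usr/local/bin/sudo,subject,tim,tim,wheel,tim,wheel,1201,1201,0,0.0.0.0,return,success,0,trailer,130
header,118,11,execve(2),0,Thu Dec  6 12:40:01 2012, + 40 msec,exec arg,su,-,path,/usr/bin/su,subject,tim,root,wheel,root,wheel,1201,1201,0,0.0.0.0,return,success,0,trailer,118
header,131,11,execve(2),0,Thu Dec  6 12:41:17 2012, + 3 msec,exec arg,/bin/sh,./my_naughty_script,path,/bin/sh,subject,tim,root,wheel,root,wheel,1210,1201,0,0.0.0.0,return,success,0,trailer,131
header,142,11,execve(2),0,Thu Dec  6 12:41:17 2012, + 9 msec,exec arg,cp,/etc/rc.conf,/root/rc.conf.bak,path,/bin/cp,subject,tim,root,wheel,root,wheel,1211,1201,0,0.0.0.0,return,success,0,trailer,142
"""

@dataclass
class ExecRecord:
    timestamp: str
    argv: List[str]
    audit_uid: str  # login identity; survives su/sudo
    uid: str        # effective uid when the exec happened
    pid: str
    status: str

def parse_exec_record(line: str) -> ExecRecord:
    """Extract the security-relevant fields from one execve(2) record."""
    tok = line.strip().split(",")
    start = tok.index("exec arg") + 1
    end = start
    while end < len(tok) and tok[end] not in _STOP:  # argv is variable length
        end += 1
    subj, ret = tok.index("subject"), tok.index("return")
    return ExecRecord(tok[5].strip(), tok[start:end], tok[subj + 1],
                      tok[subj + 2], tok[subj + 6], tok[ret + 1])

def root_execs(text: str) -> List[ExecRecord]:
    """Successful exec events that ran with effective uid root."""
    recs = (parse_exec_record(ln) for ln in text.splitlines() if ",execve(2)," in ln)
    return [r for r in recs if r.uid == "root" and r.status == "success"]

def report(text: str) -> List[str]:
    """One line per root exec: who logged in, which pid, what ran."""
    return [f"{r.timestamp} audit-uid={r.audit_uid} pid={r.pid} {' '.join(r.argv)}"
            for r in root_execs(text)]
```

On a live system the same filter would consume `praudit -l /dev/auditpipe`; the exec records only appear if the `ex` class is enabled in audit_control and the `argv` policy is set, otherwise only the fact of the exec, not its arguments, is recorded.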