From: Damien Fleuriot
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
References: <50BFD674.8000305@tundraware.com> <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd> <50BFDCFD.4010108@tundraware.com> <50C0EFA4.3010902@tundraware.com>
In-Reply-To: <50C0EFA4.3010902@tundraware.com>
Date: Fri, 7 Dec 2012 09:29:27 +0100
To: "tundra@tundraware.com"
Cc: n j, FreeBSD Mailing List (freebsd-questions@freebsd.org)

On 6 Dec 2012, at 20:19, Tim Daneliuk wrote:

> On 12/06/2012 12:55 PM, n j wrote:
>> On Thu, Dec 6, 2012 at 12:47 AM, Tim Daneliuk wrote:
>>> ...
>>> Well ... does auditd provide a record of every command issued within a
>>> script?
>>> I was under the impression (and I may well be wrong) that it noted only
>>> the name of the script being executed.
>>
>> Even if you configured auditd to record every command issued within a
>> script, you'd still have a problem if a malicious user put the same
>> commands inside a binary.
>>
>> As some people already pointed out, there is practically no way to
>> control users once you give them root privileges.
>
> I understand this. Even the organization in question understands
> this. They are not trying to *prevent* any kind of access. All
> they're trying to do is *log* it. Why? To meet some obscure
> compliance requirement they have to adhere to in order to
> remain in business.
>
> I know all of this is silly but that's our future when you
> let Our Fine Government regulate pretty much anything.
>

This sounds awfully similar to PCI DSS requirements to me.

Nothing to do with .gov then ;)
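The quoted question above asks whether auditd records each command run inside a script. As an added example, not from the thread or from any of its posters, here is the audit_control change that makes FreeBSD's audit subsystem record execve(2) events with their arguments, plus a small POSIX sh filter that pulls every recorded command out of praudit(1) text output so you can run a test script and see what was actually captured. The trail text in SAMPLE is constructed to mirror praudit's default token format; the /tmp/job.sh script, the user name and the paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). On the FreeBSD host,
# edit /etc/security/audit_control so that exec events are audited with
# their arguments, then restart auditd:
#
#   flags:lo,ex        # 'ex' class: one record per execve(2)
#   policy:cnt,argv    # 'argv' policy: store the command's arguments
#   # service auditd restart
#
# Every external command a script runs is a separate execve(2) and so gets
# its own record. Shell builtins (cd, echo, test ...) never execve and are
# not recorded, and a compiled binary that does the same work internally
# produces a single record, which is the gap n j points out.

# exec_args: read praudit(1) text output on stdin and print one line per
# execve(2) record in the form "<result> <argv...>". Assumes praudit's
# default comma-separated token layout: the header token carries the event
# name in its 4th field, and the "exec arg" token carries argv. (Arguments
# that themselves contain commas would be split by -F, as well.)
exec_args() {
    awk -F, '
        $1 == "header" && $4 == "execve(2)" { inrec = 1; args = ""; result = ""; next }
        inrec && $1 == "exec arg" {
            args = $2
            for (i = 3; i <= NF; i++) args = args " " $i
            next
        }
        inrec && $1 == "return"  { result = $2; next }
        inrec && $1 == "trailer" { print result " " args; inrec = 0 }
    '
}

# count_execs: number of execve(2) records in the praudit text on stdin.
count_execs() {
    exec_args | awk 'END { print NR + 0 }'
}

# Constructed sample trail (assumed user "tundra" running /tmp/job.sh as
# root): the script itself, one command it ran, and one that failed.
SAMPLE='header,120,11,execve(2),0,Fri Dec  7 09:29:27 2012, + 100 msec
exec arg,/bin/sh,/tmp/job.sh
path,/bin/sh
attribute,100555,root,wheel,96,31,2
subject,tundra,root,wheel,root,wheel,1234,1234,0,0.0.0.0
return,success,0
trailer,120
header,120,11,execve(2),0,Fri Dec  7 09:29:28 2012, + 200 msec
exec arg,/usr/bin/id,-u
path,/usr/bin/id
subject,tundra,root,wheel,root,wheel,1235,1235,0,0.0.0.0
return,success,0
trailer,120
header,120,11,execve(2),0,Fri Dec  7 09:29:28 2012, + 300 msec
exec arg,/nonexistent/tool
subject,tundra,root,wheel,root,wheel,1236,1236,0,0.0.0.0
return,failure : No such file or directory,-1
trailer,120'

# Run the filter over the constructed sample. On a real host, replace the
# printf with:  auditreduce -c ex /var/audit/current | praudit
printf '%s\n' "$SAMPLE" | exec_args
```

After running a test script as the audited user, `auditreduce -c ex /var/audit/current | praudit | exec_args` lists one line per external command the script executed, with its arguments; if a command you expected is missing, check whether it was a shell builtin or ran inside a single binary rather than as its own execve(2).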