From owner-freebsd-questions@FreeBSD.ORG Fri Dec 7 09:24:09 2012
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
From: Fleuriot Damien
In-Reply-To: <6A61448BD1FE69ED206EB42E@utd71538.campus.ad.utdallas.edu>
Date: Fri, 7 Dec 2012 10:23:56 +0100
Message-Id: <04283347-1955-4C49-9ADD-6D2FBB1B0EDC@my.gd>
References: <50BFD674.8000305@tundraware.com> <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd> <50BFDCFD.4010108@tundraware.com> <50C0EFA4.3010902@tundraware.com> <6A61448BD1FE69ED206EB42E@utd71538.campus.ad.utdallas.edu>
To: Paul Schmehl
Cc: n j, tundra@tundraware.com, FreeBSD Mailing List

On Dec 6, 2012, at 9:20 PM, Paul Schmehl wrote:

> --On December 6, 2012 1:19:00 PM -0600 Tim Daneliuk wrote:
>>
>> I understand this. Even the organization in question understands
>> this. They are not trying to *prevent* any kind of access. All
>> they're trying to do is *log* it. Why? To meet some obscure
>> compliance requirement they have to adhere to in order to
>> remain in business.
>>
>> I know all of this is silly but that's our future when you
>> let Our Fine Government regulate pretty much anything.
>>
>
> I sent this last night, but for some reason it never showed up.
>
> /usr/ports/security/sudoscript
>
> I believe this will meet your requirements.

I'm sorry to say it won't.

Nothing will prevent a user from removing sudoscript's FIFO once he gets root privileges.

Basically, what Tim wants to do sounds very akin to the PCI DSS requirements that every user's action be logged.

The bad news is _this is not achievable on MS/nux/bsd_ systems.
The kind of logging and security required can only be attained on mainframes (read: i/Series, z/Series) using RACF and other absolutely awesome features.

The only thing Tim can do is try to approach the level of security that's required.

Devin's suggestion of a kernel module is what comes closest to achieving the goal, provided that:
- the functionality is compiled in-kernel to prevent kldunload'ing the module
- the system runs at a secure level high enough to prevent kldunloads, if it can't be compiled in-kernel
- the functions used by the module cannot be overridden by another module (for example, redeclare this module's sendlog() function with another dummy module, making sendlog() basically do a NOOP)

Another contestant that comes a close second is the use of the AUDIT framework, however one would need to ensure:
- audit trails cannot be tampered with (chflags sappend)
- the audit daemon cannot be killed
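A defender-side check for the conditions the reply lists (logging code that cannot be kldunload'ed, audit trails protected with sappend, a running auditd), added here as an example and not part of the thread; sendlog.ko is a hypothetical module name and the command outputs in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not code from the thread): checks for the conditions the post
# lists: in-kernel logging code or a securelevel that forbids kldunload, audit
# trails that carry sappnd, and a live auditd. Each check parses the command
# output it is given on stdin, so it can be exercised with constructed samples;
# the *_live wrappers feed it the real FreeBSD commands. sendlog.ko is a
# hypothetical module name taken from the post's sendlog() example.

# kern.securelevel >= 1 refuses both kldload and kldunload (security(7)).
securelevel_blocks_kld() {
    [ "$1" -ge 1 ] 2>/dev/null
}

# stdin: output of `kldstat`. Returns 0 when module $1 is loaded as a separate
# .ko, i.e. it could be unloaded unless the securelevel forbids it.
module_loaded_as_ko() {
    awk -v m="$1" 'NR > 1 && $NF == m { found = 1 } END { exit found ? 0 : 1 }'
}

# stdin: output of `ls -lo /var/audit`. Prints each regular file that lacks the
# sappnd flag and returns 0 only when all of them carry it. ls -lo columns:
# mode links owner group flags size month day time name; flags is "-" or a
# comma-separated list such as "sappnd,uchg".
trails_without_sappnd() {
    awk 'BEGIN { bad = 0 }
         $1 !~ /^-/ { next }                 # skip "total", dirs, symlinks
         {
             ok = 0; n = split($5, f, ",")
             for (i = 1; i <= n; i++) if (f[i] == "sappnd") ok = 1
             if (!ok) { print $NF; bad = 1 }
         }
         END { exit bad }'
}

# stdin: output of `ps -axo comm`. Returns 0 when auditd is running.
auditd_running() {
    grep -qx auditd
}

# Live wrappers for a FreeBSD host; exit status 0 means the condition holds.
securelevel_live() { securelevel_blocks_kld "$(sysctl -n kern.securelevel)"; }
module_live()      { kldstat | module_loaded_as_ko "$1"; }
trails_live()      { ls -lo /var/audit | trails_without_sappnd; }
auditd_live()      { ps -axo comm | auditd_running; }
```

The live wrappers report status only; they do not change securelevel, flags or the audit configuration.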