Message-ID: <50C1F530.2070708@tundraware.com>
Date: Fri, 07 Dec 2012 07:54:56 -0600
From: Tim Daneliuk
To: FreeBSD Mailing List
Subject: Re: Somewhat OT: Is Full Command Logging Possible?

On 12/07/2012 03:23 AM, Fleuriot Damien wrote:

> - audit trails cannot be tampered (chflags sappend)

Another way to achieve this is to send the logging output to another log
collection machine or appliance (think "Arcsite") to which even the root
users under consideration do not have access. That is, implement a
separation of powers scheme where no one organization has complete control
of the entire monitoring workflow.

--
Tim Daneliuk tundra@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
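Added example, not part of the original message or of any tool named in it: a reconciliation check that treats the collector's copy as the reference and reports where the host's own log disagrees with it. It assumes both logs are available as plain-text lines; the function names and the sample sudo records are constructed for illustration.

```python
from collections import Counter

# Constructed sample: what the collector received from host "web1".
COLLECTOR_COPY = [
    "Dec  7 07:50:01 web1 sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/usr/sbin/service nginx restart",
    "Dec  7 07:51:12 web1 sudo: bob : TTY=pts/1 ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd",
    "Dec  7 07:52:30 web1 sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/bin/ls /root",
]
# Constructed sample: the same log as it now reads on the host, with one
# record removed and one rewritten by someone holding root there.
HOST_COPY = [
    COLLECTOR_COPY[0],
    "Dec  7 07:52:30 web1 sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/bin/ls /tmp",
]

def _records(lines):
    """Strip line endings and drop blank lines."""
    return [ln.rstrip("\n") for ln in lines if ln.strip()]

def _unmatched(source, reference):
    """Records of `source` with no one-for-one match in `reference`, in order."""
    remaining = Counter(reference)
    out = []
    for rec in source:
        if remaining[rec] > 0:
            remaining[rec] -= 1   # consume one matching copy
        else:
            out.append(rec)
    return out

def reconcile(host_lines, collector_lines):
    """Return (missing_on_host, only_on_host).

    missing_on_host: records the collector holds that the host file no longer
    contains (deleted or edited on the host).
    only_on_host: records in the host file the collector never received
    (inserted locally, edited, or lost in transit).
    """
    host, coll = _records(host_lines), _records(collector_lines)
    return _unmatched(coll, host), _unmatched(host, coll)

if __name__ == "__main__":
    missing, extra = reconcile(HOST_COPY, COLLECTOR_COPY)
    for rec in missing:
        print("MISSING ON HOST:", rec)
    for rec in extra:
        print("ONLY ON HOST:   ", rec)
```

The comparison is only meaningful when it runs on the collector side, or anywhere else the host's root users cannot reach, since the separation described above is what makes the collector's copy trustworthy.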