From owner-freebsd-questions@FreeBSD.ORG Sat Dec 8 02:13:08 2012 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 50F2C78D for ; Sat, 8 Dec 2012 02:13:08 +0000 (UTC) (envelope-from Devin.Teske@fisglobal.com) Received: from mx1.fisglobal.com (mx1.fisglobal.com [199.200.24.190]) by mx1.freebsd.org (Postfix) with ESMTP id 0CB808FC0C for ; Sat, 8 Dec 2012 02:13:07 +0000 (UTC) Received: from smtp.fisglobal.com ([10.132.206.15]) by ltcfislmsgpa07.fnfis.com (8.14.5/8.14.5) with ESMTP id qB82D68x015530 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Fri, 7 Dec 2012 20:13:06 -0600 Received: from [10.0.0.102] (10.14.152.61) by smtp.fisglobal.com (10.132.206.15) with Microsoft SMTP Server (TLS) id 14.2.309.2; Fri, 7 Dec 2012 20:13:06 -0600 Subject: Re: Somewhat OT: Is Full Command Logging Possible? MIME-Version: 1.0 (Apple Message framework v1283) Content-Type: text/plain; charset="windows-1252" From: Devin Teske In-Reply-To: Date: Fri, 7 Dec 2012 18:13:04 -0800 Content-Transfer-Encoding: quoted-printable Message-ID: <8E7AE88A-5241-42CC-807F-FA42162EE83E@fisglobal.com> References: <50BFD674.8000305@tundraware.com> <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd> <50BFDCFD.4010108@tundraware.com> <50C0EFA4.3010902@tundraware.com> <6A61448BD1FE69ED206EB42E@utd71538.campus.ad.utdallas.edu> <04283347-1955-4C49-9ADD-6D2FBB1B0EDC@my.gd> To: Paul Schmehl X-Mailer: Apple Mail (2.1283) X-Originating-IP: [10.14.152.61] X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.9.8185, 1.0.431, 0.0.0000 definitions=2012-12-07_04:2012-12-07,2012-12-07,1970-01-01 signatures=0 Cc: n j , Fleuriot Damien , tundra@tundraware.com, FreeBSD Mailing List X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: Devin Teske List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 Dec 2012 02:13:08 -0000 On Dec 7, 2012, at 5:22 PM, Paul Schmehl wrote: > --On December 7, 2012 10:23:56 AM +0100 Fleuriot Damien wrote: >=20 >>=20 >> On Dec 6, 2012, at 9:20 PM, Paul Schmehl wrot= e: >>=20 >>> --On December 6, 2012 1:19:00 PM -0600 Tim Daneliuk >>> wrote: >>>>=20 >>>> I understand this. Even the organization in question understands >>>> this. They are not trying to *prevent* any kind of access. All >>>> they're trying to do *log* it. Why? To meet some obscure >>>> compliance requirement they have to adhere to in order to >>>> remain in business. >>>>=20 >>>> >>>> I know all of this is silly but that's our future when you >>>> let Our Fine Government regulate pretty much anything. >>>> >>>>=20 >>>=20 >>> I sent this last night, but for some reason it never showed up. >>>=20 >>> /usr/ports/security/sudoscript >>>=20 >>> I believe this will meet your requirements. >>=20 >>=20 >> I'm sorry to say it won't. >> Nothing will prevent a user from removing sudoscript's FIFO once he gets >> root privileges. >>=20 >=20 > Well, sure, but, if someone logs in and sudos to root, that will be logge= d by sudoscript. If the logging then ceases, that would be cause for disci= plinary action up to and including dismissal. >=20 What about the case of: sudo vim or sudo vim file Surely that wouldn't raise an eyebrow, but=85 Then execute within vim: :sh or ^_^ --=20 Devin =85 and another gem =85 sr env HOME=3D$HOME vim then :E _____________ The information contained in this message is proprietary and/or confidentia= l. If you are not the intended recipient, please: (i) delete the message an= d all copies; (ii) do not disclose, distribute or use the message in any ma= nner; and (iii) notify the sender immediately. In addition, please be aware= that any message addressed to our domain is subject to archiving and revie= w by persons other than the intended recipient. Thank you.