Date: Sat, 8 Dec 2012 11:38:30 +0100 From: Damien Fleuriot <ml@my.gd> To: Devin Teske <dteske@freebsd.org> Cc: Paul Schmehl <pschmehl_lists@tx.rr.com>, "<tundra@tundraware.com>" <tundra@tundraware.com>, FreeBSD Mailing List <freebsd-questions@freebsd.org>, n j <nino80@gmail.com> Subject: Re: Somewhat OT: Is Full Command Logging Possible? Message-ID: <D6885CD2-4FAC-48EB-B7A9-76AF4DE8EE9F@my.gd> In-Reply-To: <8E7AE88A-5241-42CC-807F-FA42162EE83E@fisglobal.com> References: <50BFD674.8000305@tundraware.com> <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd> <50BFDCFD.4010108@tundraware.com> <CALf6cgb0%2BGXrtTymOPOmjV_C2sk7EaGK=qJOF2z4mB3pQkzV_g@mail.gmail.com> <50C0EFA4.3010902@tundraware.com> <6A61448BD1FE69ED206EB42E@utd71538.campus.ad.utdallas.edu> <04283347-1955-4C49-9ADD-6D2FBB1B0EDC@my.gd> <FF701E50933D18DB396E2B33@Pauls-MacBook-Pro.local> <8E7AE88A-5241-42CC-807F-FA42162EE83E@fisglobal.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 8 Dec 2012, at 03:13, Devin Teske <devin.teske@fisglobal.com> wrote: >=20 > On Dec 7, 2012, at 5:22 PM, Paul Schmehl wrote: >=20 >> --On December 7, 2012 10:23:56 AM +0100 Fleuriot Damien <ml@my.gd> wrote:= >>=20 >>>=20 >>> On Dec 6, 2012, at 9:20 PM, Paul Schmehl <pschmehl_lists@tx.rr.com> wrot= e: >>>=20 >>>> --On December 6, 2012 1:19:00 PM -0600 Tim Daneliuk >>>> <tundra@tundraware.com> wrote: >>>>>=20 >>>>> I understand this. Even the organization in question understands >>>>> this. They are not trying to *prevent* any kind of access. All >>>>> they're trying to do *log* it. Why? To meet some obscure >>>>> compliance requirement they have to adhere to in order to >>>>> remain in business. >>>>>=20 >>>>> <rant> >>>>> I know all of this is silly but that's our future when you >>>>> let Our Fine Government regulate pretty much anything. >>>>> </rant> >>>>>=20 >>>>=20 >>>> I sent this last night, but for some reason it never showed up. >>>>=20 >>>> /usr/ports/security/sudoscript >>>>=20 >>>> I believe this will meet your requirements. >>>=20 >>>=20 >>> I'm sorry to say it won't. >>> Nothing will prevent a user from removing sudoscript's FIFO once he gets= >>> root privileges. >>>=20 >>=20 >> Well, sure, but, if someone logs in and sudos to root, that will be logge= d by sudoscript. If the logging then ceases, that would be cause for discip= linary action up to and including dismissal. >>=20 >=20 > What about the case of: >=20 > sudo vim >=20 > or >=20 > sudo vim file >=20 > Surely that wouldn't raise an eyebrow, but=E2=80=A6 >=20 > Then execute within vim: >=20 > :sh >=20 > or >=20 > ^_^ > --=20 > Devin >=20 > =E2=80=A6 and another gem =E2=80=A6 >=20 > sr env HOME=3D$HOME vim >=20 > then >=20 > :E >=20 My point exactly, such levels of protection can't be reached on our day to d= ay OSes. The only thing that can be done is trying to approach the expected level of s= crutiny and security. The audit framework is a viable solution IMO, as long as it has limited prot= ection against kills (restart it, send a SMS alert...)=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D6885CD2-4FAC-48EB-B7A9-76AF4DE8EE9F>