Date:      Sat, 8 Dec 2012 11:38:30 +0100
From:      Damien Fleuriot <ml@my.gd>
To:        Devin Teske <dteske@freebsd.org>
Cc:        Paul Schmehl <pschmehl_lists@tx.rr.com>, "<tundra@tundraware.com>" <tundra@tundraware.com>, FreeBSD Mailing List <freebsd-questions@freebsd.org>, n j <nino80@gmail.com>
Subject:   Re: Somewhat OT: Is Full Command Logging Possible?
Message-ID:  <D6885CD2-4FAC-48EB-B7A9-76AF4DE8EE9F@my.gd>
In-Reply-To: <8E7AE88A-5241-42CC-807F-FA42162EE83E@fisglobal.com>
References:  <50BFD674.8000305@tundraware.com> <8BFA2629-45CA-491B-9BA8-E8AC78A4D66E@my.gd> <50BFDCFD.4010108@tundraware.com> <CALf6cgb0%2BGXrtTymOPOmjV_C2sk7EaGK=qJOF2z4mB3pQkzV_g@mail.gmail.com> <50C0EFA4.3010902@tundraware.com> <6A61448BD1FE69ED206EB42E@utd71538.campus.ad.utdallas.edu> <04283347-1955-4C49-9ADD-6D2FBB1B0EDC@my.gd> <FF701E50933D18DB396E2B33@Pauls-MacBook-Pro.local> <8E7AE88A-5241-42CC-807F-FA42162EE83E@fisglobal.com>


On 8 Dec 2012, at 03:13, Devin Teske <devin.teske@fisglobal.com> wrote:

>
> On Dec 7, 2012, at 5:22 PM, Paul Schmehl wrote:
>
>> --On December 7, 2012 10:23:56 AM +0100 Fleuriot Damien <ml@my.gd> wrote:
>>
>>>
>>> On Dec 6, 2012, at 9:20 PM, Paul Schmehl <pschmehl_lists@tx.rr.com> wrote:
>>>
>>>> --On December 6, 2012 1:19:00 PM -0600 Tim Daneliuk
>>>> <tundra@tundraware.com> wrote:
>>>>>
>>>>> I understand this.  Even the organization in question understands
>>>>> this.  They are not trying to *prevent* any kind of access.  All
>>>>> they're trying to do *log* it.  Why?  To meet some obscure
>>>>> compliance requirement they have to adhere to in order to
>>>>> remain in business.
>>>>>
>>>>> <rant>
>>>>> I know all of this is silly but that's our future when you
>>>>> let Our Fine Government regulate pretty much anything.
>>>>> </rant>
>>>>>
>>>>
>>>> I sent this last night, but for some reason it never showed up.
>>>>
>>>> /usr/ports/security/sudoscript
>>>>
>>>> I believe this will meet your requirements.
>>>
>>>
>>> I'm sorry to say it won't.
>>> Nothing will prevent a user from removing sudoscript's FIFO once he gets
>>> root privileges.
>>>
>>
>> Well, sure, but, if someone logs in and sudos to root, that will be logged by sudoscript.  If the logging then ceases, that would be cause for disciplinary action up to and including dismissal.
>>
>
> What about the case of:
>
> sudo vim
>
> or
>
> sudo vim file
>
> Surely that wouldn't raise an eyebrow, but…
>
> Then execute within vim:
>
> :sh
>
> or
>
> ^_^
> --
> Devin
>
> … and another gem …
>
> sr env HOME=$HOME vim
>
> then
>
> :E
>

My point exactly, such levels of protection can't be reached on our day to day OSes.

The only thing that can be done is trying to approach the expected level of scrutiny and security.

The audit framework is a viable solution IMO, as long as it has limited protection against kills (restart it, send an SMS alert...)
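As an added illustration (not part of the thread), this is the kind of FreeBSD audit_control fragment the last reply alludes to: kernel-level exec auditing records every execve with its argument vector, so a shell spawned from `sudo vim` via `:sh` is logged the same as one started from a login session, and no user-space FIFO is involved. The directory and size values are the stock defaults and are assumed here.

```text
# /etc/security/audit_control (assumed stock layout; the flags and policy lines are the point)
dir:/var/audit
dist:off
# lo = login/logout, aa = authentication/authorization, ex = program execution
flags:lo,aa,ex
minfree:5
# non-attributable events (processes with no audit user id) get the same classes
naflags:lo,aa,ex
# cnt  = keep running if the audit log cannot be written, rather than halting
# argv = store the command-line arguments with each exec record
policy:cnt,argv
filesz:2M
expire-after:10M
```

After `service auditd restart`, `auditreduce -c ex /var/audit/current | praudit` lists the exec records with their arguments; a stop of auditd is itself visible in the trail, which is the hook for the restart-or-alert handling the reply suggests.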