Somewhat OT: Is Full Command Logging Possible?

Damien Fleuriot ml at my.gd
Sat Dec 8 10:39:20 UTC 2012


On 8 Dec 2012, at 03:13, Devin Teske <devin.teske at fisglobal.com> wrote:

> 
> On Dec 7, 2012, at 5:22 PM, Paul Schmehl wrote:
> 
>> --On December 7, 2012 10:23:56 AM +0100 Fleuriot Damien <ml at my.gd> wrote:
>> 
>>> 
>>> On Dec 6, 2012, at 9:20 PM, Paul Schmehl <pschmehl_lists at tx.rr.com> wrote:
>>> 
>>>> --On December 6, 2012 1:19:00 PM -0600 Tim Daneliuk
>>>> <tundra at tundraware.com> wrote:
>>>>> 
>>>>> I understand this.  Even the organization in question understands
>>>>> this.  They are not trying to *prevent* any kind of access.  All
>>>>> they're trying to do is *log* it.  Why?  To meet some obscure
>>>>> compliance requirement they have to adhere to in order to
>>>>> remain in business.
>>>>> 
>>>>> <rant>
>>>>> I know all of this is silly but that's our future when you
>>>>> let Our Fine Government regulate pretty much anything.
>>>>> </rant>
>>>>> 
>>>> 
>>>> I sent this last night, but for some reason it never showed up.
>>>> 
>>>> /usr/ports/security/sudoscript
>>>> 
>>>> I believe this will meet your requirements.
>>> 
>>> 
>>> I'm sorry to say it won't.
>>> Nothing will prevent a user from removing sudoscript's FIFO once he gets
>>> root privileges.
>>> 
>> 
>> Well, sure, but, if someone logs in and sudos to root, that will be logged by sudoscript.  If the logging then ceases, that would be cause for disciplinary action up to and including dismissal.
>> 
> 
> What about the case of:
> 
> sudo vim
> 
> or
> 
> sudo vim file
> 
> Surely that wouldn't raise an eyebrow, but…
> 
> Then execute within vim:
> 
> :sh
> 
> or
> 
> ^_^
> -- 
> Devin
> 
> … and another gem …
> 
> sr env HOME=$HOME vim
> 
> then
> 
> :E
> 

My point exactly: such levels of protection can't be reached on our day-to-day OSes.

The only thing that can be done is trying to approach the expected level of scrutiny and security.

The audit framework is a viable solution IMO, as long as it has limited protection against kills (restart it, send an SMS alert...).
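As an added example (not code from this thread, from sudoscript or from FreeBSD), here is a small Python checker for the gap Devin points out: it reads sudo's default syslog-format entries and flags a sudo straight to a shell, and a sudo to an editor or pager that offers a shell escape, including when the editor is hidden behind env as in the `env HOME=$HOME vim` variant. The log lines are constructed for the example, and the list of escape-capable programs and the wrapper handling are assumptions a site would extend.

```python
"""Flag sudo invocations that hand the caller an unlogged root shell.

Added example for the thread; not sudo, sudoscript or FreeBSD code.
The sample log lines are constructed in sudo's default syslog format.
"""
import os
import re
import shlex
from typing import List, NamedTuple, Tuple

# Constructed sample entries (sudo's default syslog format).
SAMPLE_LOG = """\
Dec  8 09:01:12 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/local/bin/vim /etc/rc.conf
Dec  8 09:02:40 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/env HOME=/home/bob /usr/local/bin/vim
Dec  8 09:03:05 host1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/service nginx restart
Dec  8 09:04:17 host1 sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/sh
Dec  8 09:05:00 host1 sudo:      eve : TTY=pts/4 ; PWD=/home/eve ; USER=root ; COMMAND=/usr/bin/less /var/log/messages
"""

SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# A sudo directly to one of these is an interactive root shell.
SHELLS = frozenset({"sh", "bash", "csh", "tcsh", "zsh", "ksh", "su"})
# Assumed (incomplete) list of programs with a built-in shell escape,
# e.g. vim's ":sh" / ":!cmd", less's "!cmd", man via its pager.
ESCAPE_CAPABLE = frozenset(
    {"vi", "vim", "view", "vimdiff", "ex", "less", "more", "man", "emacs"}
)


class Entry(NamedTuple):
    ts: str
    user: str
    tty: str
    runas: str
    argv: List[str]


def parse(text: str) -> List[Entry]:
    """Parse sudo syslog lines; lines that are not sudo COMMAND records are skipped."""
    entries = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue
        entries.append(Entry(m["ts"], m["user"], m["tty"], m["runas"],
                             shlex.split(m["cmd"])))
    return entries


def effective_program(argv: List[str]) -> str:
    """Basename of what actually runs, looking through env and nohup wrappers.

    For env, leading options (-i, -u NAME ...) and NAME=value assignments
    are skipped so that 'env HOME=/x vim' resolves to 'vim'.
    """
    args = list(argv)
    while args:
        prog = os.path.basename(args[0])
        if prog == "env":
            args = args[1:]
            while args and (args[0].startswith("-") or "=" in args[0]):
                args = args[1:]
            continue
        if prog == "nohup":
            args = args[1:]
            continue
        return prog
    return ""  # env with no command: nothing to classify


def verdict(entry: Entry) -> str:
    prog = effective_program(entry.argv)
    if prog in SHELLS:
        return "shell"
    if prog in ESCAPE_CAPABLE:
        return "shell-escape"
    return "ok"


def scan(text: str) -> List[Tuple[str, str, str]]:
    """Return (user, effective program, verdict) per sudo entry, in log order."""
    return [(e.user, effective_program(e.argv), verdict(e)) for e in parse(text)]


if __name__ == "__main__":
    for user, prog, v in scan(SAMPLE_LOG):
        if v != "ok":
            print(f"{user}: {prog} -> {v}")
```

What this buys is a trigger, not a record: sudo logged the editor invocation, but nothing it emits covers what was typed after `:sh`, which is exactly the limit the thread is describing. A site would feed the "shell" and "shell-escape" verdicts to whatever alerting it already uses and treat them the way Paul suggests for logging that stops, as events that require review.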

