Somewhat OT: Is Full Command Logging Possible?
Tim Daneliuk
tundra at tundraware.com
Wed Dec 5 23:47:22 UTC 2012
On 12/05/2012 05:42 PM, Damien Fleuriot wrote:
>
>
> On 6 Dec 2012, at 00:19, Tim Daneliuk <tundra at tundraware.com> wrote:
>
>> sudo chown root:wheel my_naughty_script
>> sudo chmod 700 my_naughty script
>> sudo ./my_naughty_script
>>
>> The sudo log will note that I ran the script, but not what it did.
>>
>>
>
> wow, way to complicate matters.
Hey, I didn't dream up this problem :)
>
> sudo csh
>
>
>
>> So Gentle Geniuses, is there prior art here that could be applied
>> to give me full coverage logging of every action taken by any person or
>> thing running with effective or actual root?
>>
>> P.S. I do not believe
>
> Now would be a good time to start, then.
Well ... does auditd provide a record of every command issued within a script?
I was under the impression (and I may well be wrong) that it noted only
the name of the script being executed.
>
> The only things you need to ensure are:
> - auditd cannot be killed off (this is an interesting bit actually, anyone knows how to do that ?)
> - the audit trail files can only be appended to ; man chflags
>
>
> An alternative would be lshell, however you'll have to whitelist commands people can execute.
>
>
Remember that we want admins to be able to do *anything* but we just want
to log what they do, in fact do.
--
----------------------------------------------------------------------------
Tim Daneliuk tundra at tundraware.com
PGP Key: http://www.tundraware.com/PGP/
More information about the freebsd-questions
mailing list