Somewhat OT: Is Full Command Logging Possible?

Kurt Buff kurt.buff at gmail.com
Thu Dec 6 00:35:35 UTC 2012


On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk <tundra at tundraware.com> wrote:
> On 12/05/2012 05:44 PM, Kurt Buff wrote:
>>
>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk <tundra at tundraware.com>
>> wrote:
>>>
>>> I am working with an institution that today provides limited privilege
>>> escalation
>>> on their servers via very specific sudo rules.  The problem is that the
>>> administrators can do 'sudo su -'.
>>
>> <snip>
>>
>>
>> sudo is misconfigured.
>>
>> man 5 sudoers and man 8 visudo
>>
>>
>>
>> Kurt
>>
>
> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
> saying.  Are you suggesting that there is a way to configure
> sudo so that if someone does 'sudo su -' to become an admin,
> sudo can be made to log every command they execute thereafter?

No, I'm saying that sudo should not be configured to allow 'sudo su -'.

Since you say that the users are provided "limited privilege
escalation on their servers via very specific sudo rules", it seems to
me that one of three things is going wrong:

o- Something is wrong with the configuration of sudoers if they can su
to root when they shouldn't be able to do so

o- Someone has misconceived what "limited privilege escalation on
their servers via very specific sudo rules" actually means, and
deliberately has it configured to allow users to su to root

o- The users' accounts are already root equivalent, which, depending
on the version and configuration of sudo, might give them the ability
to sudo to root regardless of the contents of the sudoers file (see,
for instance, the screen in FreeBSD when you perform 'cd
/usr/ports/security/sudo' and then 'make config')

Kurt
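An added example (mine, not from this thread and not from the sudo project) of the check the first bullet calls for: a small POSIX sh/awk audit that lists user specifications in a sudoers file which hand out ALL, su or an interactive shell. It assumes plain one-group-per-line sudoers syntax, does not expand Cmnd_Alias members, and runs against a constructed sample file rather than any real site's configuration.

```shell
#!/bin/sh
# Hypothetical audit helper: list user specifications in a sudoers file that
# grant ALL, su, or an interactive shell, i.e. a root shell one sudo away.
# Assumed simplifications: one host=(runas) cmds group per line, and
# Cmnd_Alias members are NOT expanded (check alias definitions separately).
# Prints each offending rule; exits 1 if any were found, 0 otherwise.
sudoers_shell_rules() {
    awk '
        /^[ \t]*#/  { next }                         # comment line
        /^[ \t]*$/  { next }                         # blank line
        /^[ \t]*Defaults/         { next }           # Defaults entries
        /^[ \t]*[A-Za-z_]+_Alias/ { next }           # alias definitions
        {
            cmds = $0
            sub(/^[^=]*=/, "", cmds)                 # drop "user host=" prefix
            sub(/^[ \t]*\([^)]*\)/, "", cmds)        # drop "(runas)" list
            gsub(/[A-Z_]+:/, "", cmds)               # drop tags such as NOPASSWD:
            n = split(cmds, c, ",")
            for (i = 1; i <= n; i++) {
                cmd = c[i]
                sub(/^[ \t]+/, "", cmd); sub(/[ \t]+$/, "", cmd)
                base = cmd
                sub(/[ \t].*$/, "", base)            # strip arguments ("su -" -> "su")
                sub(/^.*\//, "", base)               # keep the basename only
                if (cmd == "ALL" || base ~ /^(su|sh|bash|csh|tcsh|zsh|ksh)$/) {
                    print; found = 1; break
                }
            }
        }
        END { exit (found ? 1 : 0) }' "$1"
}

# Constructed sample file (not any real site's sudoers): the first two user
# specifications are the "very specific" kind; the last two give away root.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample
Defaults env_reset
Cmnd_Alias SERVICES = /usr/sbin/service, /usr/local/sbin/apachectl
ops     ALL=(root) SERVICES
backup  ALL=(root) NOPASSWD: /usr/local/bin/dump-db.sh
alice   ALL=(root) /usr/bin/su -
%wheel  ALL=(ALL) ALL
EOF
}
f=$(mktemp)
write_sample_sudoers "$f"
sudoers_shell_rules "$f" || echo "root-shell rules above: replace them with an allowlist of specific commands"
rm -f "$f"
```

The fix for a flagged rule is to replace it with an allowlist of the exact commands the role needs; sudoers(5) itself warns that subtracting commands from ALL with the "!" operator is not an effective restriction.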


More information about the freebsd-questions mailing list