Somewhat OT: Is Full Command Logging Possible?

Paul Schmehl pschmehl_lists at tx.rr.com
Thu Dec 6 02:27:04 UTC 2012


--On December 5, 2012 7:01:21 PM -0600 Tim Daneliuk <tundra at tundraware.com> 
wrote:

> On 12/05/2012 06:35 PM, Kurt Buff wrote:
>> On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk <tundra at tundraware.com>
>> wrote:
>>> On 12/05/2012 05:44 PM, Kurt Buff wrote:
>>>>
>>>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk <tundra at tundraware.com>
>>>> wrote:
>>>>>
>>>>> I am working with an institution that today provides limited privilege
>>>>> escalation
>>>>> on their servers via very specific sudo rules.  The problem is that
>>>>> the administrators can do 'sudo su -'.
>>>>
>>>> <snip>
>>>>
>>>>
>>>> sudo is misconfigured.
>>>>
>>>> man 5 sudoers and man 8 visudo
>>>>
>>>>
>>>>
>>>> Kurt
>>>>
>>>
>>> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
>>> saying.  Are you suggesting that there is a way to configure
>>> sudo so that if someone does 'sudo su -' to become an admin,
>>> sudo can be made to log every command they execute thereafter?
>>
>> No, I'm saying that sudo should not be configured to allow 'sudo su -'.
>>
>> Since you say that the users are provided "limited privilege
>> escalation on their servers via very specific sudo rules", it seems to
>> me that one of three things is going wrong:
>>
>> o- Something is wrong with the configuration of sudoers if they can su
>> to root when they shouldn't be able to do so
>>
>> o- Someone has misconceived what "limited privilege escalation on
>> their servers via very specific sudo rules" actually means, and
>> deliberately has it configured to allow users to su to root
>>
>> o- The users' accounts are already root equivalent, which, depending
>> on the version and configuration of sudo, might give them the ability
>> to sudo to root regardless of the contents of the sudoers file (see,
>> for instance, the screen in FreeBSD when you perform 'cd
>> /usr/ports/security/sudo' and then 'make config')
>>
>> Kurt
>>
> Oh, OK, I wasn't being clear:
>
> - *Some* users are granted the ability to do 'sudo su -'.  These
>    are the sysadmins.
>
> - All other users are given selective ability to run only a few
>    things via sudo.  This varies by department and is controlled
>    through a combination of sudo rules and central LDAP group
>    membership control.  This is necessary because, for example,
>    some DBAs need this when installing a particular client.
>

Install security/sudoscript.

Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell


