Somewhat OT: Is Full Command Logging Possible?
Fleuriot Damien
ml at my.gd
Thu Dec 6 09:22:23 UTC 2012
On Dec 6, 2012, at 12:47 AM, Tim Daneliuk <tundra at tundraware.com> wrote:
> On 12/05/2012 05:42 PM, Damien Fleuriot wrote:
>>
>>
>> On 6 Dec 2012, at 00:19, Tim Daneliuk <tundra at tundraware.com> wrote:
>>
>>> sudo chown root:wheel my_naughty_script
>>> sudo chmod 700 my_naughty_script
>>> sudo ./my_naughty_script
>>>
>>> The sudo log will note that I ran the script, but not what it did.
>>>
>>>
>>
>> wow, way to complicate matters.
>
> Hey, I didn't dream up this problem :)
>
>>
>> sudo csh
>>
>>
>>
>>> So Gentle Geniuses, is there prior art here that could be applied
>>> to give me full coverage logging of every action taken by any person or
>>> thing running with effective or actual root?
>>>
>>> P.S. I do not believe
>>
>> Now would be a good time to start, then.
>
>
> Well ... does auditd provide a record of every command issued within a script?
> I was under the impression (and I may well be wrong) that it noted only
> the name of the script being executed.
>
While it won't log every single command invoked from inside a script, it *can* log every single file access that's made.
Apart from IBM z/Series and i/Series mainframes, there is no hardware/software combination that I am aware of which will do that.
The Audit framework is your next best bet IMHO.
>>
>> The only things you need to ensure are:
>> - auditd cannot be killed off (this is an interesting bit actually, does anyone know how to do that?)
>> - the audit trail files can only be appended to; man chflags
>>
>>
>> An alternative would be lshell, however you'll have to whitelist commands people can execute.
>>
>>
>
> Remember that we want admins to be able to do *anything* but we just want
> to log what they, in fact, do.
>
> --
> ----------------------------------------------------------------------------
> Tim Daneliuk tundra at tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
>
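As an added example (not part of the thread, and not any participant's code), here is how the two points Damien raises, exec-level audit coverage and an append-only trail, are usually put together on FreeBSD with audit(4). It assumes the default paths /etc/security/audit_control and /var/audit. The `ex` class audits every execve(), and the `argv` policy stores the arguments, so a script run under sudo produces one record per program it launches rather than only a record of the script itself; shell builtins and redirections are not execs, which is why the `fw`, `fc` and `fd` classes are included to catch their file effects.

```sh
#!/bin/sh
# Added example: FreeBSD audit(4) configuration that records each exec with
# its arguments plus file writes/creates/deletes, and locks the trail files
# with the system append-only flag. Paths are the FreeBSD defaults.

# Emit an audit_control(5) file.
#   flags:   lo (login/logout), aa (admin), ex (exec), fw (file write),
#            fc (file create), fd (file delete) for attributable events
#   naflags: classes for non-attributable events
#   policy:  cnt  = keep running if a record cannot be written
#            argv = store the argument vector of every exec
audit_control_config() {
  cat <<'EOF'
dir:/var/audit
dist:off
flags:lo,aa,ex,fw,fc,fd
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
EOF
}

# Return 0 if the given audit_control text both audits the ex class and
# records argv; return 1 otherwise. Used as a sanity check before install.
config_records_argv() {
  printf '%s\n' "$1" | grep -Eq '^flags:(.*,)?ex(,.*)?$' &&
  printf '%s\n' "$1" | grep -q '^policy:.*argv'
}

# Write the configuration to its destination (default: the real file).
install_audit_config() {
  dest=${1:-/etc/security/audit_control}
  audit_control_config > "$dest"
}

# Set the system append-only flag (sappnd) on every existing trail file.
# Once kern.securelevel is 1 or higher, sappnd cannot be cleared, so even a
# root user cannot truncate or rewrite the trail without a reboot.
lock_trails() {
  dir=${1:-/var/audit}
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    chflags sappnd "$f"
  done
}

# Stand-alone use: show the configuration that would be installed.
audit_control_config
```

Enable the daemon with `auditd_enable="YES"` in rc.conf, and raise the securelevel at boot (`kern_securelevel_enable="YES"` and `kern_securelevel="1"`) so the sappnd flag set by `lock_trails` sticks. Replacing `cnt` with `ahlt` in the policy line makes the kernel halt the system instead of continuing when a record cannot be written, which is the stricter answer to "what if auditing stops" than relying on the daemon alone.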