Somewhat OT: Is Full Command Logging Possible?

Fleuriot Damien ml at my.gd
Thu Dec 6 09:22:23 UTC 2012


On Dec 6, 2012, at 12:47 AM, Tim Daneliuk <tundra at tundraware.com> wrote:

> On 12/05/2012 05:42 PM, Damien Fleuriot wrote:
>> 
>> 
>> On 6 Dec 2012, at 00:19, Tim Daneliuk <tundra at tundraware.com> wrote:
>> 
>>>      sudo chown root:wheel my_naughty_script
>>>      sudo chmod  700 my_naughty script
>>>      sudo ./my_naughty_script
>>> 
>>>   The sudo log will note that I ran the script, but not what it did.
>>> 
>>> 
>> 
>> wow, way to complicate matters.
> 
> Hey, I didn't dream up this problem :)
> 
>> 
>> sudo csh
>> 
>> 
>> 
>>> So Gentle Geniuses, is there prior art here that could be applied
>>> to give me full coverage logging of every action taken by any person or
>>> thing running with effective or actual root?
>>> 
>>> P.S. I do not believe
>> 
>> Now would be a good time to start, then.
> 
> 
> Well ... does auditd provide a record of every command issued within a script?
> I was under the impression (and I may well be wrong) that it  noted only
> the name of the script being executed.
> 

While it won't log every single command invoked from inside a script, it *can* log every single file access that's made.

Apart from IBM z/Series and i/Series mainframes, there is no hardware/software combination that I am aware of which will do that.

The Audit framework is your next best bet IMHO.


>> 
>> The only things you need to ensure are:
>> - auditd cannot be killed off (this is an interesting bit actually, anyone knows how to do that ?)
>> - the audit trail files can only be appended to ; man chflags
>> 
>> 
>> An alternative would be lshell, however you'll have to whitelist commands people can execute.
>> 
>> 
> 
> Remember that we want admins to be able to do *anything* but we just want
> to log what they do, in fact do.
> 
> -- 
> ----------------------------------------------------------------------------
> Tim Daneliuk     tundra at tundraware.com
> PGP Key:         http://www.tundraware.com/PGP/
> 
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"



More information about the freebsd-questions mailing list