Somewhat OT: Is Full Command Logging Possible?
Fleuriot Damien
ml at my.gd
Thu Dec 6 09:26:17 UTC 2012
On Dec 6, 2012, at 1:35 AM, Kurt Buff <kurt.buff at gmail.com> wrote:
> On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk <tundra at tundraware.com> wrote:
>> On 12/05/2012 05:44 PM, Kurt Buff wrote:
>>>
>>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk <tundra at tundraware.com>
>>> wrote:
>>>>
>>>> I am working with an institution that today provides limited privilege
>>>> escalation
>>>> on their servers via very specific sudo rules. The problem is that the
>>>> administrators can do 'sudo su -'.
>>>
>>> <snip>
>>>
>>>
>>> sudo is misconfigured.
>>>
>>> man 5 sudoers and man 8 visudo
>>>
>>>
>>>
>>> Kurt
>>>
>>
>> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
>> saying. Are you suggesting that there is a way to configure
>> sudo so that if someone does 'sudo su -' to become an admin,
>> sudo can be made to log every command they execute thereafter?
>
> No, I'm saying that sudo should not be configured to allow 'sudo su -'.
This is an ineffective solution.
So what, you're going to forbid "sudo su -"?
Fine, I'll just run "sudo csh".
If you forbid csh, I'll just copy the existing `which csh` to ~/toto and "sudo ~/toto".
Basically, anything short of actually whitelisting what people can run won't do.
And apparently that's not in Tim's list of desirable things ;)
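A defensive way to act on the point Fleuriot makes above, as an added example that is not part of the thread: a small Python audit of a sudoers file that flags rules granting ALL (with or without "!" exclusions, which only form a denylist) and allow-listed commands that are themselves shells. The sample sudoers text, the SHELL_LIKE set and the simplified rule grammar are constructed assumptions for this example.

```python
import os
import re

# Programs whose only effect is to hand the caller an interactive shell
# (or to exec an arbitrary program). Constructed for this example.
SHELL_LIKE = {"su", "sh", "csh", "tcsh", "bash", "zsh", "ksh", "env"}

# Simplified sudoers grammar: user host=(runas) [TAG:] cmnd, cmnd, ...
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

# Constructed sample sudoers, not taken from any real host.
SAMPLE = """\
# constructed sample sudoers, not from a real host
Defaults    logfile=/var/log/sudo.log
%wheel      ALL=(ALL) ALL, !/usr/bin/su
tim         ALL=(root) /usr/sbin/service, /usr/bin/tail /var/log/messages
ops         ALL=(root) NOPASSWD: /bin/csh
"""

def audit_sudoers(text):
    """Return (line_no, user, finding) for every rule that is not a strict
    allow-list of specific, non-shell commands."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or line.startswith(SKIP):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, specs = m.group(1), m.group(3)
        cmnds = []
        for spec in specs.split(","):
            spec = spec.rsplit(":", 1)[-1].strip()   # strip NOPASSWD: etc.
            if spec:
                cmnds.append(spec)
        allowed = [c for c in cmnds if not c.startswith("!")]
        denied = [c[1:].strip() for c in cmnds if c.startswith("!")]
        if "ALL" in allowed:
            what = "ALL with exclusions is a denylist, not an allow-list" if denied else "unrestricted ALL"
            findings.append((n, user, what))
            continue
        for c in allowed:                         # explicit commands: check for shells
            prog = os.path.basename(c.split()[0])
            if prog in SHELL_LIKE:
                findings.append((n, user, f"allow-listed {prog} grants a shell"))
    return findings

if __name__ == "__main__":
    for n, user, what in audit_sudoers(SAMPLE):
        print(f"line {n}: {user}: {what}")
```

Only the rule for tim passes, because it names specific programs that do not themselves hand back a shell; sudo's own logging then covers exactly what it ran.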