Fwd: Somewhat OT: Is Full Command Logging Possible?

Kurt Buff kurt.buff at gmail.com
Thu Dec 6 19:54:29 UTC 2012


Sorry, forgot to reply all...

Kurt


---------- Forwarded message ----------
From: Kurt Buff <kurt.buff at gmail.com>
Date: Thu, Dec 6, 2012 at 11:53 AM
Subject: Re: Somewhat OT: Is Full Command Logging Possible?
To: Fleuriot Damien <ml at my.gd>


On Thu, Dec 6, 2012 at 1:26 AM, Fleuriot Damien <ml at my.gd> wrote:
>
> On Dec 6, 2012, at 1:35 AM, Kurt Buff <kurt.buff at gmail.com> wrote:
>
>> On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk <tundra at tundraware.com> wrote:
>>> On 12/05/2012 05:44 PM, Kurt Buff wrote:
>>>>
>>>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk <tundra at tundraware.com>
>>>> wrote:
>>>>>
>>>>> I am working with an institution that today provides limited privilege
>>>>> escalation
>>>>> on their servers via very specific sudo rules.  The problem is that the
>>>>> administrators can do 'sudo su -'.
>>>>
>>>> <snip>
>>>>
>>>>
>>>> sudo is misconfigured.
>>>>
>>>> man 5 sudoers and man 8 visudo
>>>>
>>>>
>>>>
>>>> Kurt
>>>>
>>>
>>> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
>>> saying.  Are you suggesting that there is a way to configure
>>> sudo so that if someone does 'sudo su -' to become an admin,
>>> sudo can be made to log every command they execute thereafter?
>>
>> No, I'm saying that sudo should not be configured to allow 'sudo su -'.
>
>
> This is an ineffective solution.
>
> So what, you're going to forbid "sudo su -"
>
> Fine, I'll just run "sudo csh" .
>
> If you forbid csh, I'll just copy the existing `which csh` to ~/toto and "sudo ~/toto" .
>
>
>
> Basically, anything short of actually whitelisting what people can run won't do.
>
> And apparently that's not in Tim's list of desirable things ;)

Whitelisting commands is exactly what the sudoers file is for. If he
wants to do otherwise, then he's using the wrong tool.

Kurt
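As an added illustration of the two approaches argued over above (not a configuration posted by anyone in the thread), here is a sudoers fragment that shows the bypassable "subtract the shells from ALL" rule beside a whitelist, plus the I/O logging that answers the subject line. Paths follow the FreeBSD sudo port (/usr/local/etc/sudoers); the "admins" group and the particular commands are assumptions chosen for the example.

```sudoers
## Added example, not the configuration of anyone in the thread.
## Paths follow the FreeBSD sudo port (/usr/local/etc/sudoers);
## the "admins" group and the command list are assumptions.

## Weak: grant ALL and subtract the shells. sudoers(5) documents that
## "!" cannot reliably subtract from ALL: copying /bin/csh to ~/toto
## and running "sudo ~/toto" matches none of the exclusions.
# %admins ALL=(ALL) ALL, !/usr/bin/su, !/bin/csh, !/bin/sh

## Whitelist: only these binaries, with fixed arguments. Anything not
## listed is denied, including copies of shells under other names.
Cmnd_Alias SERVICES = /usr/sbin/service sshd restart, \
                      /usr/sbin/service sshd status
Cmnd_Alias LOGVIEW  = /usr/bin/less /var/log/messages
Cmnd_Alias EDITCONF = sudoedit /etc/rc.conf

%admins ALL=(root) SERVICES, LOGVIEW, EDITCONF

## Caveat: arguments are matched as one concatenated string, so a
## pattern such as "/usr/bin/cat /var/log/*" also matches
## "cat /var/log/messages /etc/master.passwd". Avoid "*" in arguments
## unless the command is harmless with any extra argument.

## A whitelisted pager or editor would reopen the hole through its
## shell escape ("!sh" in less); noexec blocks the execve() it issues.
## Use sudoedit for files rather than whitelisting "vi".
Defaults!LOGVIEW noexec

## The subject line's question: record the keystrokes and output of
## every sudo session; replay a session with sudoreplay(8).
Defaults log_input, log_output
Defaults iolog_dir=/var/log/sudo-io
```

Edit with visudo(8) so a syntax error cannot lock everyone out; to check a candidate file before installing it, run `visudo -c -f /path/to/candidate`. The I/O logs only cover commands run through sudo, which is the point of the whitelist: once a user reaches an unlogged root shell, the logging stops with it.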


More information about the freebsd-questions mailing list