Somewhat OT: Is Full Command Logging Possible?

Devin Teske devin.teske at fisglobal.com
Thu Dec 6 20:51:25 UTC 2012


On Dec 5, 2012, at 3:19 PM, Tim Daneliuk wrote:

> This is a little bit outside the strict boundaries of a FreeBSD question,
> but I am hoping someone in this community has solved this problem and
> that I might be able to adapt it for non-FreeBSD systems (AIX and Linux,
> specifically).
> 
> I am working with an institution that today provides limited privilege escalation
> on their servers via very specific sudo rules.  The problem is that the
> administrators can do 'sudo su -'.  The fact that they became root is
> logged, *but everything thereafter they do is not*.  What these people
> need is something that does the following things - this need not be
> sudo based, any FOSS or commercial solution would be considered:
> 
>  - Log the fact that someone became effective root
> 
>  - Log every command they execute *as* root
> 
>  - If they run a script as root, log the individual
>    actions of that script
> 
>  - Have visibility into all this no matter how they access
>    the system - console, ssh, xterm ….

There's a kernel module floating around the Intarwebs…

lrexec

We used it for some years to satisfy governance regulations.

But let me tell you… it got so noisy, it was ultimately disabled for sanity.

But don't let that stop you.

…

Quick search of "lrexec module" yields the following:
http://freebsd.munk.me.uk/archives/112-Installed-and-Configured-lrexec-module-For-Logging-System-Calls.html

NOTE: Our plan for replacing this functionality in our organization was to use the praudit fire-hose available in FreeBSD-8.x. It too could be a solution to your problem.
-- 
Devin


> Nothing I have found so far meets all these criteria.  Verbose
> syslogging will not catch the case where you start a subshell
> from the main shell.  Keylogging seems to only have limited
> coverage and does not appear it would work if, say, I log in
> via ssh and then kick off an xterm.   Other solutions
> fail if I start an editor and shell out from there.
> 
> The current proposal is to install sudo rules such that NO one
> is allowed 'sudo su -' and *every single command* you want
> to run as root has to start with 'sudo'.  This has two big
> drawbacks:
> 
>  - It's an enormous pain for the admins and fundamentally changes
>    their workflow
> 
>  - It cannot see into scripts.  So I can circumvent it pretty
>    easily with:
> 
>      sudo chown root:wheel my_naughty_script
>      sudo chmod 700 my_naughty_script
>      sudo ./my_naughty_script
> 
>   The sudo log will note that I ran the script, but not what it did.
> 
> 
> So Gentle Geniuses, is there prior art here that could be applied
> to give me full coverage logging of every action taken by any person or
> thing running with effective or actual root?
> 
> P.S. I do not believe auditd does this either.
> 
> 
> -- 
> ----------------------------------------------------------------------------
> Tim Daneliuk     tundra at tundraware.com
> PGP Key:         http://www.tundraware.com/PGP/
> 
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
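The praudit route mentioned above, as an added example that is not code from the thread: it assumes a FreeBSD host running auditd(8); the audit_control fragment and the sample trail are constructed, the latter following the token layout praudit(1) prints.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a FreeBSD host running auditd(8).
# Step 1, constructed /etc/security/audit_control fragment: audit every execve(2)
# for every user and record its argument vector (the "exec arg" token):
#   flags:lo,ex
#   policy:cnt,argv
# "ex" catches each exec whether typed at a shell, run from a script or spawned
# from an editor; shell builtins and redirections never exec, so stay invisible.
# Step 2: reduce the praudit(1) fire-hose to "who ran what with euid root".
# Reads praudit's default one-token-per-line output on stdin. The audit uid
# (2nd subject field) is fixed at login, so it survives "sudo su -".
root_execs() {
    awk -F, '
        $1 == "header"   { ev = $4; args = ""; path = ""; auid = ""; euid = "" }
        $1 == "exec arg" { args = substr($0, length($1) + 2) }  # text after "exec arg,"
        $1 == "path" && path == "" { path = $2 }
        $1 == "subject"  { auid = $2; euid = $3 }                # audit uid, effective uid
        $1 == "trailer" && ev ~ /^execve/ && euid == "root" {
            cmd = (args != "") ? args : path
            gsub(/,/, " ", cmd)
            print auid " ran as root: " cmd
        }
    '
}
# Constructed sample trail (praudit token layout): an admin "tim" escalating, a
# command run from a root script, a non-root exec and a non-exec root event.
sample_trail() {
    cat <<'EOF'
header,133,10,execve(2),0,Thu Dec  6 20:51:25 2012, + 213 msec
exec arg,su,-
subject,tim,root,wheel,root,wheel,4711,4711,0,0.0.0.0
trailer,133
header,140,10,execve(2),0,Thu Dec  6 20:52:02 2012, + 10 msec
exec arg,chmod,700,/tmp/x
path,/bin/chmod
subject,tim,root,wheel,root,wheel,4730,4711,0,0.0.0.0
trailer,140
header,120,10,execve(2),0,Thu Dec  6 20:52:30 2012, + 5 msec
exec arg,ls,-la
subject,tim,tim,tim,tim,tim,4740,4740,0,0.0.0.0
trailer,120
header,90,10,open(2) - read,0,Thu Dec  6 20:52:31 2012, + 1 msec
path,/etc/master.passwd
subject,tim,root,wheel,root,wheel,4731,4711,0,0.0.0.0
trailer,90
EOF
}
sample_trail | root_execs
```

On a live system feed it with `praudit /var/audit/current | root_execs`; only the two root execs survive, attributed to the login user rather than to root.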


