Somewhat OT: Is Full Command Logging Possible?

Devin Teske devin.teske at fisglobal.com
Wed Dec 19 01:33:44 UTC 2012


On Dec 18, 2012, at 5:18 PM, Tim Daneliuk wrote:

> On 12/18/2012 07:09 PM, Tim Daneliuk wrote:
>> On 12/18/2012 06:53 PM, John Hein wrote:
>>> Tim Daneliuk wrote at 17:48 -0600 on Dec  5, 2012:
>>>  > On 12/05/2012 05:44 PM, Kurt Buff wrote:
>>>  > > On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk <tundra at tundraware.com> wrote:
>>>  > >> I am working with an institution that today provides limited privilege
>>>  > >> escalation
>>>  > >> on their servers via very specific sudo rules.  The problem is that the
>>>  > >> administrators can do 'sudo su -'.
>>>  > > <snip>
>>>  > >
>>>  > >
>>>  > > sudo is misconfigured.
>>>  > >
>>>  > > man 5 sudoers and man 8 visudo
>>>  > >
>>>  > >
>>>  > >
>>>  > > Kurt
>>>  > >
>>>  >
>>>  > I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
>>>  > saying.  Are you suggesting that there is a way to configure
>>>  > sudo so that if someone does 'sudo su -' to become an admin,
>>>  > sudo can be made to log every command they execute thereafter?
>>> 
>>> See log_input and log_output in sudoers(5)
>> 
>> Thanks so much John, that's the secret sauce I was looking for...
>> 
>> 
> 
> One further question, if I may.  If I do this:
> 
>   sudo su -
> 
> Will log_input record everything I do once I've been promoted to
> root?  I ask because my initial experiments seem to show that all
> that's getting recorded is the content of the sudo command itself,
> not the subsequent actions…
> 

Correct, sudo is blind to the actions performed once the command requested is executed (in this case, "su" and subsequently a shell followed by more actions).

I've suggested the lrexec module for catching everything, or you can look into the auditdistd (distributed auditing collection/collation to a remote/central server) approach, the praudit approach, or any of the other pieces of software mentioned.
-- 
Devin
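As an added illustration of the two approaches raised in this thread (sudoers I/O logging for the session, audit(4) for per-command records), here is a configuration fragment. It is not from the original posts or the FreeBSD project; the sudoers path, the "wheel" group, the shell paths and the audit_control values are assumptions to be adapted locally. sudo's log_input/log_output record the whole terminal session of the command it ran, a shell reached through "su -" included, as one replayable I/O log; what they do not produce is one record per command the promoted user then runs, which is what execve auditing in audit_control provides.

```conf
# ---- /usr/local/etc/sudoers (FreeBSD path; always edit with visudo) ----
# Added example, not from the thread. Paths and the "wheel" group are assumptions.

# Weak rule, as described in the thread: a member of wheel can run "sudo su -",
# and the default syslog entry records only "COMMAND=/usr/bin/su -", nothing after it.
# %wheel ALL=(ALL) ALL

# Record keystrokes and output of every sudo command on a pty, so "sudo su -"
# leaves a replayable session log under iolog_dir (see sudoreplay(8)).
Defaults log_input, log_output
Defaults iolog_dir=/var/log/sudo-io
Defaults use_pty

# Keep shells and su out of the granted set. sudoers(5) warns that "!" entries
# are bypassable (the user can copy the binary elsewhere), so treat this as
# hygiene, not as a security boundary.
Cmnd_Alias SHELLS = /bin/sh, /bin/csh, /bin/tcsh, /usr/local/bin/bash
Cmnd_Alias SU     = /usr/bin/su
%wheel ALL=(ALL) ALL, !SHELLS, !SU

# ---- /etc/security/audit_control (assumed values) ----
# Per-command attribution after the escalation comes from audit(4):
# class "ex" audits execve(2); policy "argv" records the arguments passed to it.
dir:/var/audit
flags:lo,ex
minfree:5
naflags:lo
policy:cnt,argv
filesz:2M
```

With this in place, `sudoreplay -l` lists recorded sessions and `sudoreplay <id>` replays one. For the audit side, enable auditd (`auditd_enable="YES"` in rc.conf, then `service auditd start`) and pull exec records from the active trail with `auditreduce -m AUE_EXECVE /var/audit/current | praudit -l`; auditdistd, mentioned in the reply above, is what ships those trails to a central host so a root user cannot simply delete them locally.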
