On Wed, Dec 5, 2012 at 5:42 PM, Damien Fleuriot <[email protected]> wrote: > > > On 6 Dec 2012, at 00:19, Tim Daneliuk <[email protected]> wrote: > > > sudo chown root:wheel my_naughty_script > > sudo chmod 700 my_naughty script > > sudo ./my_naughty_script > > > > The sudo log will note that I ran the script, but not what it did. > > > > > > wow, way to complicate matters. > > sudo csh > > > > > So Gentle Geniuses, is there prior art here that could be applied > > to give me full coverage logging of every action taken by any person or > > thing running with effective or actual root? > > > > P.S. I do not believe > > Now would be a good time to start, then. > > The only things you need to ensure are: > - auditd cannot be killed off (this is an interesting bit actually, anyone > knows how to do that ?) >
Can't be done really for an id 0 account. Not without extensive customization anyway. However the Audit Distribution Daemon was recently committed so audit logs could potentially be stored in different location easily. > - the audit trail files can only be appended to ; man chflags Audit Distribution Daemon would alleviate this as well. -- Adam Vande More _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[email protected]"
