On Dec 6, 2012, at 12:47 AM, Tim Daneliuk <tun...@tundraware.com> wrote:
> On 12/05/2012 05:42 PM, Damien Fleuriot wrote:
>>
>> On 6 Dec 2012, at 00:19, Tim Daneliuk <tun...@tundraware.com> wrote:
>>
>>> sudo chown root:wheel my_naughty_script
>>> sudo chmod 700 my_naughty_script
>>> sudo ./my_naughty_script
>>>
>>> The sudo log will note that I ran the script, but not what it did.
>>>
>>
>> wow, way to complicate matters.
>
> Hey, I didn't dream up this problem :)
>
>>
>> sudo csh
>>
>>> So Gentle Geniuses, is there prior art here that could be applied
>>> to give me full coverage logging of every action taken by any person or
>>> thing running with effective or actual root?
>>>
>>> P.S. I do not believe
>>
>> Now would be a good time to start, then.
>
> Well ... does auditd provide a record of every command issued within a script?
> I was under the impression (and I may well be wrong) that it noted only
> the name of the script being executed.
>

While it won't log every single command invoked from inside a script, it *can* log every single file access that's made. Apart from IBM z/Series and i/Series mainframes, there is no hardware/software combination that I am aware of which will do that. The Audit framework is your next best bet IMHO.

>>
>> The only things you need to ensure are:
>> - auditd cannot be killed off (this is an interesting bit actually, anyone
>> knows how to do that ?)
>> - the audit trail files can only be appended to ; man chflags
>>
>> An alternative would be lshell, however you'll have to whitelist commands
>> people can execute.
>>
>
> Remember that we want admins to be able to do *anything* but we just want
> to log what they do, in fact do.
>
> --
> ----------------------------------------------------------------------------
> Tim Daneliuk tun...@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
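As an added example (not part of the original thread, and not code from the FreeBSD project), this is one way to review an audit trail for the root activity discussed above: it reads text in `praudit`'s default comma-delimited format and reports every record whose subject ran with effective or real root, keyed by the audit ID, which stays with the login user across `sudo`. The `SAMPLE` records are constructed, the function names are hypothetical, and the sketch assumes the exec and file-read classes are audited with the `argv` policy enabled.

```python
# Added example: report audit records produced with effective or real root.
# SAMPLE is constructed, written in praudit's default comma-delimited format.
SAMPLE = """\
header,143,11,execve(2),0,Thu Dec  6 00:19:05 2012, + 112 msec
exec arg,chown,root:wheel,/tmp/target
path,/usr/sbin/chown
subject,tim,root,wheel,root,wheel,4021,4000,50112,192.0.2.10
return,success,0
trailer,143
header,120,11,execve(2),0,Thu Dec  6 00:19:09 2012, + 431 msec
exec arg,ls,-l
path,/bin/ls
subject,tim,tim,tim,tim,tim,4030,4000,50112,192.0.2.10
return,success,0
trailer,120
header,98,11,open(2) - read,0,Thu Dec  6 00:19:10 2012, + 7 msec
path,/etc/master.passwd
subject,tim,root,wheel,root,wheel,4021,4000,50112,192.0.2.10
return,success,3
trailer,98
"""

def records(text):
    """Group praudit lines into records, one per header..trailer span."""
    rec = None
    for line in text.splitlines():
        token, _, rest = line.partition(",")
        if token == "header":
            rec = {"header": rest.split(",")}
        elif rec is not None and token == "trailer":
            yield rec
            rec = None
        elif rec is not None:
            # Keep the first token of each kind; commas inside values are not handled.
            rec.setdefault(token, rest.split(","))

def root_events(text):
    """Return (audit_id, event, detail) for records whose euid or ruid is root."""
    hits = []
    for rec in records(text):
        subj = rec.get("subject", [])
        if len(subj) < 4:
            continue
        auid, euid, ruid = subj[0], subj[1], subj[3]  # subject: auid,euid,egid,ruid,...
        if "root" not in (euid, ruid):
            continue
        event = rec["header"][2]
        detail = " ".join(rec["exec arg"]) if "exec arg" in rec else rec.get("path", [""])[0]
        hits.append((auid, event, detail))
    return hits

if __name__ == "__main__":
    for auid, event, detail in root_events(SAMPLE):
        print(f"auid={auid}  {event}  {detail}")
```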