Date: Wed, 25 Jul 2007 11:44:19 +0100
From: Feargal Reilly
To: freebsd-questions@freebsd.org
Subject: Re: Root access loggin
Message-ID: <20070725114419.3df83739@mablung.edhellond.fbi.ie>
In-Reply-To: <054701c7ce2d$6f42d6d0$6400a8c0@msdi.local>

> Exactly, I don't know what needs to be done, and they don't
> neither. That's why they need to browse around trying to
> figure out why their installer doesn't work.
>
> Sudo wouldn't be any help here cause I would need to pre
> approve commands and I don't know which one will be needed.
>
> Basically, I don't think there is a better solution than
> giving away the root password, but at least, I would like a
> log of what has been done.
>
> Naturally, I understand any log could be overwritten/modified
> since the person is root, but since I don't think Zend would
> make fun in hacking my server, the point in having the log is
> to undo anything I wouldn't approve ..
>

You may want to have a look at shells/tcsh-bofh - it installs a
patched tcsh shell in /usr/local/bin which logs all commands to
the USER syslog facility.

Set both their user and root's shell to that tcsh (or copy over
the system tcsh) and you'll have a log of all their commands,
provided they don't run another shell, something you'll just have
to instruct them on. Tell them you'll consider it trespassing if
they use another shell.

As far as protecting logs, securelevels will offer some degree of
protection. If you set syslog to log user.* to a separate file,
and then set the sappnd and sunlnk flags, then the file can only
be appended to. If you then raise your securelevel to 1, these
flags can not be removed. If you're being that paranoid, you'll
want to set flags on syslog.conf as well, so the facility can't be
changed.

I haven't actually tried any of the above, so your mileage will
definitely vary.

-fr.

-- 
Feargal Reilly, Chief Techie, FBI.
PGP Key: 0xBD252C01 (expires: 2006-11-30)
Web: http://www.fbi.ie/ | Tel: +353.14988588 | Fax: +353.14988489
Communications House, 11 Sallymount Avenue, Ranelagh, Dublin 6.
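
A check for the log-protection setup described in the message above, added here as an example and not part of the original post. The log path /var/log/usercmd.log, the schg flag on syslog.conf, and all function names are assumptions; the sample syslog.conf and flag output are constructed.

```sh
#!/bin/sh
# Setup being checked, run as root (log path and the schg choice are assumptions):
#   echo 'user.* /var/log/usercmd.log' >> /etc/syslog.conf
#   touch /var/log/usercmd.log && /etc/rc.d/syslogd restart
#   chflags sappnd,sunlnk /var/log/usercmd.log; chflags schg /etc/syslog.conf
#   sysctl kern.securelevel=1    # persist via kern_securelevel in /etc/rc.conf

# Print the file(s) that syslog.conf sends the "user" facility to.
user_log_targets() {
    awk '$1 !~ /^#/ && $1 ~ /^(.*;)?user\./ && $2 ~ /^\// { print $2 }' "$1"
}

# Succeed only if every required flag is in a comma-separated flag string,
# the form FreeBSD prints with `stat -f %Sf` ("-" means no flags).
has_flags() {
    have=",$1,"; shift
    for f in "$@"; do
        case "$have" in *",$f,"*) ;; *) return 1 ;; esac
    done
}

# audit CONF SECURELEVEL LOOKUP: LOOKUP is a command that prints a file's flags.
audit() {
    conf=$1 level=$2 lookup=$3 bad=0
    targets=$(user_log_targets "$conf")
    [ -n "$targets" ] || { echo "$conf: no file for user.*"; bad=1; }
    for t in $targets; do
        has_flags "$("$lookup" "$t")" sappnd sunlnk ||
            { echo "$t: sappnd,sunlnk not both set"; bad=1; }
    done
    has_flags "$("$lookup" "$conf")" schg || { echo "$conf: not schg"; bad=1; }
    [ "$level" -ge 1 ] || { echo "securelevel $level: root can clear flags"; bad=1; }
    return "$bad"
}

# Constructed stand-in for stat(1) so the audit runs on any host.
sample_flags() { case $1 in *.log) echo sappnd,sunlnk ;; *) echo schg ;; esac; }
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#auth.info;user.* /var/log/old.log' \
        'user.* /var/log/usercmd.log' > "$d/syslog.conf"
    rc=0; audit "$d/syslog.conf" "${1:-1}" sample_flags || rc=$?
    rm -rf "$d"; return "$rc"
}

# On a FreeBSD host: sh audit.sh --live
live_flags() { stat -f %Sf "$1"; }
if [ "${1:-}" = "--live" ]; then
    audit /etc/syslog.conf "$(sysctl -n kern.securelevel)" live_flags
fi
```

A file carrying sappnd and sunlnk cannot be renamed or truncated, so it has to be kept out of newsyslog rotation.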