From owner-freebsd-questions Thu Apr  4 19:03:50 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mta04.mail.mel.aone.net.au (mta04.mail.au.uu.net [203.2.192.84]) by hub.freebsd.org (Postfix) with ESMTP id D78ED37B41B for ; Thu, 4 Apr 2002 19:03:42 -0800 (PST)
Received: from ausyddtp0050.ozemail.com.au ([203.166.67.234]) by mta04.mail.mel.aone.net.au with ESMTP id <20020405030341.GHNT10040.mta04.mail.mel.aone.net.au@ausyddtp0050.ozemail.com.au>; Fri, 5 Apr 2002 13:03:41 +1000
Message-Id: <5.1.0.14.2.20020405123145.01c10620@pop.ozemail.com.au>
X-Sender: rbyrnes@pop.ozemail.com.au
X-Mailer: I wish it was Linux
Date: Fri, 05 Apr 2002 13:03:39 +1000
To: "Galella, Anthony"
From: Rob B
Subject: RE: verbose logging of root?
Cc: "'freebsd-questions@freebsd.org'"
In-Reply-To: <59F55CE047A6D51196360002A534A4AC3703E7@pysmsx102.py.intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 10:11 4/04/2002 -0500, Galella, Anthony sent this up the stick:
>Unfortunately sudo won't help in this situation.
>There is a "backup" sysadmin here that has root access in case I am not
>available.

If he needs root permissions, you assign them to his _own_ userid.

>He is learning, but I want to be able to track everything he does as root in
>order to know exactly what is happening on the system.
>Case in point: he chown'd and chmod'd a whole directory structure, causing
>loss of access for users. I found the problem, and fixed it, but if I could
>track what he did in the logs, I could be aware of these things before users
>are (hopefully):)

I suppose the only thing that I can see where sudo would not be of use is on a
Unix desktop machine that has lost sight of the network, and there was local
root access needed.

Cheers,
Rob

>-----Original Message-----
>From: Rob B [mailto:rbyrnes@ozemail.com.au]
>Sent: Wednesday, April 03, 2002 8:51 PM
>To: Galella, Anthony
>Cc: 'freebsd-questions@freebsd.org'
>Subject: Re: verbose logging of root?
>
>
>At 03:06 4/04/2002, Galella, Anthony sent this up the stick:
> >This is more of a Un*x question rather than FBSD specific.
> >
> >Is it possible to do extremely verbose logging of everything done by
> >root for security purposes?
> >
> >
> >We ssh to the server and I can make ssh do verbose logging, but that logs
> >every user, I just need to log from the point someone su's to root.
>
>This is not a *direct* answer to your question, but an alternative
>suggestion.
>
>Rather than letting users su to root, why not use a tool such as sudo
>(/usr/ports/admin/sudo)? sudo will log every command, and has an extensive
>permissions system in its conf file. sudo also prevents every user who
>needs root permissions from knowing the root password, they simply use
>their own password. sudo also logs any unauthorised usage.
>
>Cheers,
>Rob
>
>
>--
>Hey, go buy a plane ticket to another state of mind, okay?
>
>[15200.8 km (8207.8 mi), 262.8 deg](Apparent) Rennerian
>This is random quote 504 of a collection of 1223
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message

--
It was such a lovely day I thought it a pity to get up.

[15200.8 km (8207.8 mi), 262.8 deg](Apparent) Rennerian
This is random quote 684 of a collection of 1223
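The sudo logging Rob recommends, as an added example that is not part of the thread: a small sh script that scans sudo's syslog lines for attempts sudo refused and for recursive chown/chmod runs as root (the "case in point" above). The log lines are constructed samples in sudo's syslog format; the host name, user names and paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): pick out sudo events an
# admin tracking a "backup" sysadmin would want to see. The log lines
# below are constructed samples in sudo's syslog format, not real logs.

SAMPLE_LOG=$(cat <<'EOF'
Apr  5 12:58:01 gw sudo:   backup : TTY=ttyp0 ; PWD=/usr/home/backup ; USER=root ; COMMAND=/bin/ls /var/log
Apr  5 13:03:39 gw sudo:   backup : TTY=ttyp0 ; PWD=/usr/home/backup ; USER=root ; COMMAND=/usr/sbin/chown -R backup /usr/home
Apr  5 13:04:10 gw sudo:   backup : command not allowed ; TTY=ttyp0 ; PWD=/usr/home/backup ; USER=root ; COMMAND=/bin/sh
Apr  5 13:04:50 gw sudo:    guest : user NOT in sudoers ; TTY=ttyp1 ; PWD=/usr/home/guest ; USER=root ; COMMAND=/bin/sh
Apr  5 13:05:12 gw sudo:   backup : TTY=ttyp0 ; PWD=/usr/home/backup ; USER=root ; COMMAND=/bin/chmod -R 700 /usr/home
EOF
)

# Read sudo log text on stdin; print "user | why | command" for each
# refused attempt and each recursive ownership/mode change.
sudo_alerts() {
    grep ' sudo: ' | awk -F' ; ' '
    {
        # Field 1 is "<timestamp> <host> sudo: <user> : <TTY= or refusal reason>";
        # the last " ; "-separated field is the COMMAND.
        split($1, head, " sudo: ")
        n = split(head[2], parts, " : ")
        user = parts[1]; gsub(/^ +| +$/, "", user)
        reason = (n > 1) ? parts[2] : ""
        cmd = $NF; sub(/^COMMAND=/, "", cmd)
        if (reason != "" && reason !~ /^TTY=/)
            print user " | REFUSED: " reason " | " cmd
        else if (cmd ~ /^(\/usr\/sbin\/chown|\/bin\/chmod|\/bin\/chgrp) +-[A-Za-z]*R/)
            print user " | recursive ownership/mode change | " cmd
    }'
}

# Number of alerts the sample produces (4: chown -R, two refusals, chmod -R).
sudo_alert_count() {
    printf '%s\n' "$SAMPLE_LOG" | sudo_alerts | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | sudo_alerts
```

On a live system the same function reads the file syslog sends sudo's messages to (commonly /var/log/auth.log or /var/log/messages, depending on syslog.conf), e.g. `sudo_alerts < /var/log/auth.log`.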