Date:      Wed, 05 Dec 2012 17:19:16 -0600
From:      Tim Daneliuk <tundra@tundraware.com>
To:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Somewhat OT: Is Full Command Logging Possible?
Message-ID:  <50BFD674.8000305@tundraware.com>

This is a little bit outside the strict boundaries of a FreeBSD question,
but I am hoping someone in this community has solved this problem and
that I might be able to adapt it for non-FreeBSD systems (AIX and Linux,
specifically).

I am working with an institution that today provides limited privilege escalation
on their servers via very specific sudo rules.  The problem is that the
administrators can do 'sudo su -'.  The fact that they became root is
logged, *but everything thereafter they do is not*.  What these people
need is something that does the following things - this need not be
sudo based, any FOSS or commercial solution would be considered:

   - Log the fact that someone became effective root

   - Log every command they execute *as* root

   - If they run a script as root, log the individual
     actions of that script

   - Have visibility into all this no matter how they access
     the system - console, ssh, xterm ....

Nothing I have found so far meets all these criteria.  Verbose
syslogging will not catch the case where you start a subshell
from the main shell.  Keylogging seems to only have limited
coverage and does not appear it would work if, say, I log in
via ssh and then kick off an xterm.  Other solutions
fail if I start an editor and shell out from there.

The current proposal is to install sudo rules such that NO one
is allowed 'sudo su -' and *every single command* you want
to run as root has to start with 'sudo'.  This has two big
drawbacks:

   - It's an enormous pain for the admins and fundamentally changes
     their workflow

   - It cannot see into scripts.  So I can circumvent it pretty
     easily with:

       sudo chown root:wheel my_naughty_script
       sudo chmod  700 my_naughty_script
       sudo ./my_naughty_script

    The sudo log will note that I ran the script, but not what it did.


So Gentle Geniuses, is there prior art here that could be applied
to give me full coverage logging of every action taken by any person or
thing running with effective or actual root?

P.S. I do not believe auditd does this either.


-- 
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
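The gap described in the post above (sudo records that `su -` or a private script was run as root, but nothing that happens afterwards) can at least be surfaced from the sudo log itself. The following is an added example, not code from the original message or from the FreeBSD project: it parses sudo's default syslog line format (`user : TTY=... ; PWD=... ; USER=... ; COMMAND=...`) and flags every invocation after which root activity goes unlogged, either because a shell was handed to the caller or because the command is a script outside the system binary directories. The log lines, host name, user names and the trusted-directory list are all constructed assumptions for the example.

```python
import re

# Constructed sample sudo syslog lines (not from the original post).
# The field layout follows sudo's default syslog message format.
SAMPLE_LOG = """\
Dec  5 17:01:02 srv1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service nginx restart
Dec  5 17:05:44 srv1 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su -
Dec  5 17:08:10 srv1 sudo:   carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/home/carol/my_naughty_script
Dec  5 17:09:30 srv1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh -c id
Dec  5 17:12:00 srv1 sudo:   carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/messages
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Binaries that hand the caller an interactive shell or run arbitrary
# further commands; sudo logs only this one line, not what follows.
SHELL_LIKE = {"su", "sh", "bash", "csh", "tcsh", "ksh", "zsh", "login"}

# Directories whose binaries we treat as "known" (assumed list). Anything
# outside them, e.g. a script in a home directory, is opaque: sudo logs
# the script name but none of the actions inside it.
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                    "/usr/local/bin/", "/usr/local/sbin/")


def parse_sudo_line(line):
    """Split one sudo syslog line into its fields, or None if it is not one."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a reason string if this invocation leads to unlogged root activity, else None."""
    argv = entry["cmd"].split()
    if not argv:
        return None
    path = argv[0]
    name = path.rsplit("/", 1)[-1]
    if name in SHELL_LIKE:
        return "shell handed to %s: subsequent root commands are not logged" % entry["user"]
    if not path.startswith(TRUSTED_PREFIXES):
        return "opaque script %s run as %s: its individual actions are not logged" % (path, entry["runas"])
    return None


def find_blind_spots(log_text):
    """Return (timestamp, user, command, reason) for every sudo line that starts an unlogged session."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_sudo_line(line)
        if entry is None:
            continue  # not a sudo command line; skip silently
        reason = classify(entry)
        if reason:
            findings.append((entry["ts"], entry["user"], entry["cmd"], reason))
    return findings


if __name__ == "__main__":
    for ts, user, cmd, reason in find_blind_spots(SAMPLE_LOG):
        print("%s %-6s %-40s %s" % (ts, user, cmd, reason))
```

Run against the constructed log it reports three blind spots: bob's `su -`, carol's home-directory script, and alice's `sh -c`; the `service` and `tail` invocations are fully described by their sudo line and pass. This does not close the gap the post describes, it only makes every point where the audit trail goes dark visible for review, which is the minimum a reviewer needs before deciding whether a session-recording or kernel-level auditing solution is required.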