Date:      Tue, 18 Dec 2012 17:33:30 -0800
From:      Devin Teske <devin.teske@fisglobal.com>
To:        Tim Daneliuk <tundra@tundraware.com>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Somewhat OT: Is Full Command Logging Possible?
Message-ID:  <57543CB2-2C92-434A-959B-C1CF5FC01600@fisglobal.com>
In-Reply-To: <50D115D9.6090608@tundraware.com>
References:  <50BFD674.8000305@tundraware.com> <CADy1Ce5CCA4ExOok4DndA4C-MazbegZY1OKztCNqUZHGzLJgTA@mail.gmail.com> <50BFDD51.5000100@tundraware.com> <20689.4087.859208.619511@gromit.timing.com> <50D113C0.3020607@tundraware.com> <50D115D9.6090608@tundraware.com>


On Dec 18, 2012, at 5:18 PM, Tim Daneliuk wrote:

> On 12/18/2012 07:09 PM, Tim Daneliuk wrote:
>> On 12/18/2012 06:53 PM, John Hein wrote:
>>> Tim Daneliuk wrote at 17:48 -0600 on Dec  5, 2012:
>>>  > On 12/05/2012 05:44 PM, Kurt Buff wrote:
>>>  > > On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk <tundra@tundraware.com> wrote:
>>>  > >> I am working with an institution that today provides limited privilege
>>>  > >> escalation
>>>  > >> on their servers via very specific sudo rules.  The problem is that the
>>>  > >> administrators can do 'sudo su -'.
>>>  > > <snip>
>>>  > >
>>>  > >
>>>  > > sudo is misconfigured.
>>>  > >
>>>  > > man 5 sudoers and man 8 visudo
>>>  > >
>>>  > >
>>>  > >
>>>  > > Kurt
>>>  > >
>>>  >
>>>  > I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
>>>  > saying.  Are you suggesting that there is a way to configure
>>>  > sudo so that if someone does 'sudo su -' to become an admin,
>>>  > sudo can be made to log every command they execute thereafter?
>>>
>>> See log_input and log_output in sudoers(5)
>>
>> Thanks so much John, that's the secret sauce I was looking for...
>>
>>
>
> One further question, if I may.  If I do this:
>
>   sudo su -
>
> Will log_input record everything I do once I've been promoted to
> root?  I ask because my initial experiments seem to show that all
> that's getting recorded is the content of the sudo command itself,
> not the subsequent actions…
>

Correct, sudo is blind to the actions performed once the command requested is executed (in this case, "su" and subsequently a shell followed by more actions).

I've suggested the lrexec module for catching everything, or you can look into the auditdistd (distributed auditing collection/collation to a remote/central server) approach, the praudit approach, or any of the other pieces of software mentioned.
-- 
Devin
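The sudoers(5) options John pointed at, written out as an added example (this is not configuration from the thread or from the sudo project; the host names, user names and the `/usr/local/etc/sudoers` path of the FreeBSD sudo port are assumed). It enables I/O logging for every sudo-run command and grants the admins named tasks rather than a shell, which is the sudoers-side answer to "the administrators can do 'sudo su -'":

```text
# /usr/local/etc/sudoers fragment (added example, not from the thread)

# Record keystrokes and terminal output of each command sudo runs,
# one directory per invoking user, replayable with sudoreplay(8).
Defaults    log_input, log_output
Defaults    iolog_dir="/var/log/sudo-io/%{user}"
Defaults    logfile="/var/log/sudo.log"

# Grant the specific tasks the admins need instead of "su -".
# (user names and the chosen commands are constructed for the example)
Cmnd_Alias  SERVICES = /usr/sbin/service
Cmnd_Alias  MAILQ    = /usr/bin/mailq
User_Alias  OPS      = alice, bob

OPS ALL = (root) SERVICES, MAILQ
```

Sessions are listed with `sudoreplay -l user alice` and replayed by id with `sudoreplay`. Two caveats from sudoers(5) apply here: the I/O log is a transcript of the pseudo-terminal of the one command sudo was asked to run, so if that command is `su -` the record is a terminal transcript of the root session rather than a per-command audit trail; and trying to keep the rule set permissive while excluding shells with `!` entries is not a reliable control, because the man page itself notes such exclusions are easy to sidestep. Allow-listing the needed commands is the form the thread's "sudo is misconfigured" remark points to.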

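For the audit route Devin mentions, here is an added example of a FreeBSD `/etc/security/audit_control` (not taken from the thread; the sizes and the decision to enable distribution are assumptions for illustration). Enabling the `ex` (exec) class with the `argv` policy records every program executed, with its arguments, under the audit ID of the user who originally logged in, and that ID survives `su -`, so the root shell's commands stay attributed to the admin who escalated:

```text
# /etc/security/audit_control (added example, not from the thread)
dir:/var/audit
# dist:on hands finished trails to auditdistd(8) for shipping to a
# central collector; that daemon needs its own auditdistd.conf.
dist:on
# lo = login/logout, ex = process exec; add 'pc' for fork/exit detail
flags:lo,ex
# events not attributable to a logged-in user
naflags:lo,aa
# cnt = keep running when the trail cannot be written,
# argv = record the argument vector of each exec
policy:cnt,argv
minfree:5
filesz:2M
expire-after:10M
```

After `service auditd enable` and `service auditd start`, `auditreduce -c ex /var/audit/current | praudit` prints only the exec records from the active trail, each carrying the audit user ID, the effective user (root after `su -`) and the argv. Setting `flags:ex` on a busy host produces a large volume of records, so size `filesz` and `expire-after` for the retention you actually need, or rely on auditdistd to move trails off the box.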