Somewhat OT: Is Full Command Logging Possible?

Adam Vande More amvandemore at gmail.com
Thu Dec 6 01:02:34 UTC 2012


On Wed, Dec 5, 2012 at 5:42 PM, Damien Fleuriot <ml at my.gd> wrote:

>
> On 6 Dec 2012, at 00:19, Tim Daneliuk <tundra at tundraware.com> wrote:
>
> >      sudo chown root:wheel my_naughty_script
> >      sudo chmod 700 my_naughty_script
> >      sudo ./my_naughty_script
> >
> >   The sudo log will note that I ran the script, but not what it did.
> >
>
> wow, way to complicate matters.
>
> sudo csh
>
> > So Gentle Geniuses, is there prior art here that could be applied
> > to give me full coverage logging of every action taken by any person or
> > thing running with effective or actual root?
> >
> > P.S. I do not believe
>
> Now would be a good time to start, then.
>
> The only things you need to ensure are:
> - auditd cannot be killed off (this is an interesting bit actually, anyone
> know how to do that?)
>

Can't be done really for an id 0 account.  Not without extensive
customization anyway. However, the Audit Distribution Daemon was
recently committed, so audit logs could potentially be stored in a different
location easily.


> - the audit trail files can only be appended to; man chflags


Audit Distribution Daemon would alleviate this as well.

-- 
Adam Vande More
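As an added example (not from this thread), here is one FreeBSD configuration that covers the points above: every exec by root is audited with its arguments, the trail is handed to auditdistd for off-host storage, and securelevel is raised so that system-level chflags such as sappnd/schg on the trail files cannot be cleared by root without a reboot. The file paths are FreeBSD's defaults; the class and policy values are assumptions for illustration, and the auditdistd sender/receiver pair in /etc/security/auditdistd.conf is assumed to be configured separately.

```conf
# /etc/security/audit_control (values assumed for this example)
dir:/var/audit
dist:on                 # queue trail files for auditdistd
flags:lo,aa,ex          # logins, authentication, and every exec (ex) for all users
minfree:5
naflags:lo,aa           # events not attributable to a user
policy:cnt,argv         # argv: record the command arguments, not just the path
filesz:2M
expire-after:10M

# /etc/security/audit_user: username:always-audit:never-audit
# audit every exec by root even if the global flags line is later relaxed
root:ex:no

# /etc/rc.conf
auditd_enable="YES"
auditdistd_enable="YES"
# securelevel >= 1: chflags sappnd/schg cannot be removed, even by uid 0,
# so an append-only or immutable trail stays that way until reboot
kern_securelevel_enable="YES"
kern_securelevel="1"
```

With `policy:argv`, the `sudo csh` case in the thread still shows up as a chain of audited exec records for the shell and each command it runs, tied to the audit ID set at login.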


More information about the freebsd-questions mailing list