Somewhat OT: Is Full Command Logging Possible?

Steve O'Hara-Smith ateve at sohara.org
Thu Dec 6 20:10:36 UTC 2012


On Thu, 06 Dec 2012 13:19:00 -0600
Tim Daneliuk <tundra at tundraware.com> wrote:

> On 12/06/2012 12:55 PM, n j wrote:
> > On Thu, Dec 6, 2012 at 12:47 AM, Tim Daneliuk <tundra at tundraware.com>
> > wrote:
> >> ...
> >> Well ... does auditd provide a record of every command issued within a
> >> script?
> >> I was under the impression (and I may well be wrong) that it noted
> >> only the name of the script being executed.
> >
> > Even if you configured auditd to record every command issued within a
> > script, you'd still have a problem if a malicious user put the same
> > commands inside a binary.
> >
> > As some people already pointed out, there is practically no way to
> > control users once you give them root privileges.
> 
> I understand this.  Even the organization in question understands
> this.  They are not trying to *prevent* any kind of access.  All
> they're trying to do is *log* it.  Why?  To meet some obscure
> compliance requirement they have to adhere to in order to
> remain in business.

	It occurs to me to wonder how the users are connecting to the
machine and whether the logging could be achieved at that level using (for
example) a customised sshd that logs all the traffic. It doesn't quite log
what commands get executed but it does log what gets typed and everything
else will follow from that.

-- 
Steve O'Hara-Smith <ateve at sohara.org>
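The approach Steve sketches, recording the session at the connection level rather than patching sshd, can be done with an ordinary pseudo-terminal wrapper. What follows is an added example written for this page, not code from the thread or from FreeBSD: a small Python recorder that runs the user's shell on a pty and logs every byte typed and every byte printed, each with a timestamp. The script name (sessionlog.py), the log record layout and the idea of installing it as an sshd ForceCommand are this example's own assumptions. Its limitation is exactly the one the thread discusses: it captures keystrokes, so a user who types ./blob and lets an opaque binary run leaves only "./blob" in the log.

```python
"""sessionlog.py: pty session recorder (added example, not from the thread).

Runs a shell (or any command) on a pseudo-terminal and logs every byte the
user types and every byte the program prints, with timestamps. It records
what was typed, not the commands a script or binary goes on to execute.
"""
import io
import os
import pty
import select
import struct
import sys
import termios
import time
import tty

# Assumed log layout: 8-byte timestamp, 1-byte direction, 4-byte length, payload.
IN, OUT = 0, 1
HEADER = struct.Struct("!dBI")


def write_record(log, direction, data):
    """Append one timestamped record to the log (any object with .write)."""
    log.write(HEADER.pack(time.time(), direction, len(data)) + data)


def parse_log(blob):
    """Decode a log blob into [(timestamp, direction, payload), ...]."""
    records, off = [], 0
    while off < len(blob):
        ts, direction, n = HEADER.unpack_from(blob, off)
        off += HEADER.size
        records.append((ts, direction, blob[off:off + n]))
        off += n
    return records


def typed_text(records):
    """Reconstruct what the user typed from a parsed log."""
    return b"".join(p for _, d, p in records if d == IN)


def printed_text(records):
    """Reconstruct what the session printed (including the tty's echo)."""
    return b"".join(p for _, d, p in records if d == OUT)


def record(argv, log, stdin_fd=0, echo_fd=1, scripted_input=None):
    """Run argv on a pty, relaying and logging both directions.

    scripted_input (bytes, small enough for the pty buffer) replaces reading
    from stdin_fd, which is how scripted_run() drives it; echo_fd=None
    discards the child's output instead of copying it to the terminal.
    Returns the child's exit code.
    """
    pid, master = pty.fork()
    if pid == 0:                       # child: becomes the logged session
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)              # only reached if exec fails

    watched = [master]
    if scripted_input is not None:
        os.write(master, scripted_input)
        write_record(log, IN, scripted_input)
    else:
        watched.append(stdin_fd)

    while True:
        readable, _, _ = select.select(watched, [], [])
        if master in readable:
            try:
                data = os.read(master, 4096)
            except OSError:            # EIO on Linux once the child exits
                break
            if not data:               # EOF on other platforms
                break
            write_record(log, OUT, data)
            if echo_fd is not None:
                os.write(echo_fd, data)
        if stdin_fd in readable:
            data = os.read(stdin_fd, 4096)
            if not data:               # user closed the connection
                watched.remove(stdin_fd)
                continue
            write_record(log, IN, data)
            os.write(master, data)

    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status)


def scripted_run(argv, scripted_input):
    """Drive a session from constructed input; returns (exit code, records)."""
    log = io.BytesIO()
    code = record(argv, log, scripted_input=scripted_input, echo_fd=None)
    return code, parse_log(log.getvalue())


def main():
    # usage: sessionlog.py LOGFILE [command ...]; defaults to $SHELL -l
    if len(sys.argv) < 2:
        sys.exit("usage: sessionlog.py LOGFILE [command ...]")
    argv = sys.argv[2:] or [os.environ.get("SHELL", "/bin/sh"), "-l"]
    with open(sys.argv[1], "ab") as log:
        saved = termios.tcgetattr(0) if os.isatty(0) else None
        if saved:
            tty.setraw(0)              # pass keystrokes through unbuffered
        try:
            code = record(argv, log)
        finally:
            if saved:
                termios.tcsetattr(0, termios.TCSADRAIN, saved)
    sys.exit(code)


if __name__ == "__main__":
    main()
```

Run interactively as `python3 sessionlog.py /var/log/sessions/alice.log` and the shell behaves as usual while the log fills; parse_log and typed_text turn the file back into what was typed. Wiring it in as an sshd ForceCommand so that every login runs under it is the natural deployment, but that, the log directory, and keeping the log out of the logged user's reach (root-owned, append-only) are assumptions of this example, not something the thread specifies.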


More information about the freebsd-questions mailing list