Somewhat OT: Is Full Command Logging Possible?
Damien Fleuriot
ml at my.gd
Fri Dec 7 08:30:13 UTC 2012
On 6 Dec 2012, at 20:19, Tim Daneliuk <tundra at tundraware.com> wrote:
> On 12/06/2012 12:55 PM, n j wrote:
>> On Thu, Dec 6, 2012 at 12:47 AM, Tim Daneliuk <tundra at tundraware.com> wrote:
>>> ...
>>> Well ... does auditd provide a record of every command issued within a
>>> script?
>>> I was under the impression (and I may well be wrong) that it noted only
>>> the name of the script being executed.
>>
>> Even if you configured auditd to record every command issued within a
>> script, you'd still have a problem if a malicious user put the same
>> commands inside a binary.
>>
>> As some people already pointed out, there is practically no way to
>> control users once you give them root privileges.
>
> I understand this. Even the organization in question understands
> this. They are not trying to *prevent* any kind of access. All
> they're trying to do is *log* it. Why? To meet some obscure
> compliance requirement they have to adhere to in order to
> remain in business.
>
> <rant>
> I know all of this is silly but that's our future when you
> let Our Fine Government regulate pretty much anything.
> </rant>
>
This sounds awfully similar to PCI DSS requirements to me.
Nothing to do with .gov then ;)