On 12/05/2012 05:42 PM, Damien Fleuriot wrote:
> On 6 Dec 2012, at 00:19, Tim Daneliuk <tun...@tundraware.com> wrote:
>> sudo chown root:wheel my_naughty_script
>> sudo chmod 700 my_naughty_script
>> sudo ./my_naughty_script
>>
>> The sudo log will note that I ran the script, but not what it did.
>
> wow, way to complicate matters.

Hey, I didn't dream up this problem :)

>> sudo csh
>>
>> So Gentle Geniuses, is there prior art here that could be applied
>> to give me full coverage logging of every action taken by any person or
>> thing running with effective or actual root?
>>
>> P.S. I do not believe
>
> Now would be a good time to start, then.

Well ... does auditd provide a record of every command issued within a script?
I was under the impression (and I may well be wrong) that it noted only
the name of the script being executed.

> The only things you need to ensure are:
> - auditd cannot be killed off (this is an interesting bit actually, anyone
> know how to do that?)
> - the audit trail files can only be appended to; man chflags
>
> An alternative would be lshell, however you'll have to whitelist commands
> people can execute.

Remember that we want admins to be able to do *anything* but we just want
to log what they, in fact, do.
--
----------------------------------------------------------------------------
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
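The question in the thread is whether auditd records every command run inside a script, or only the script name the way the sudo log does. The added example below (it is not code from the thread or from FreeBSD) shows the difference on constructed data: with the `ex` (exec) audit class enabled, each execve(2) is its own audit record, so the commands a script runs internally, or that an admin types after `sudo csh`, appear one by one, each tagged with the audit uid of the person who originally logged in. The sample records imitate praudit(1) text output (one token per line, comma-separated fields, `header` ... `trailer` per record); the field positions used for the `header` and `subject` tokens are an assumption to verify against a real trail, and the sudo log line is likewise constructed.

```python
"""Audit-trail coverage check: compare what sudo logged with what auditd saw.

Added example, not code from the mailing-list thread. The sample records are
constructed to resemble praudit(1) text output (one token per line, fields
comma-separated, each record bracketed by "header" and "trailer" tokens);
the exact field positions are an assumption to verify against a real trail.
"""
import re
from dataclasses import dataclass

# Constructed sample: the one line sudo writes for the session in the thread.
SUDO_LOG = (
    "Dec  6 00:19:01 host sudo:      tim : TTY=ttyv0 ; PWD=/home/tim ; "
    "USER=root ; COMMAND=./my_naughty_script\n"
)

# Constructed sample praudit output for the same session. With the `ex`
# (exec) audit class enabled, every execve(2) is a record of its own, so the
# commands the script runs internally show up alongside the script itself.
AUDIT_TRAIL = """\
header,97,11,execve(2),0,Thu Dec  6 00:19:01 2012, + 10 msec
exec arg,./my_naughty_script
path,/home/tim/my_naughty_script
subject,tim,root,wheel,root,wheel,1201,100,0 0 ttyv0
return,success,0
trailer,97
header,99,11,execve(2),0,Thu Dec  6 00:19:01 2012, + 20 msec
exec arg,cp,/etc/rc.conf,/var/backups/rc.conf.bak
path,/bin/cp
subject,tim,root,wheel,root,wheel,1202,100,0 0 ttyv0
return,success,0
trailer,99
header,101,11,execve(2),0,Thu Dec  6 00:19:01 2012, + 30 msec
exec arg,service,sshd,restart
path,/usr/sbin/service
subject,tim,root,wheel,root,wheel,1203,100,0 0 ttyv0
return,success,0
trailer,101
header,80,11,execve(2),0,Thu Dec  6 00:19:02 2012, + 5 msec
exec arg,ls,-l
path,/bin/ls
subject,bob,bob,bob,bob,bob,1300,101,0 0 ttyv1
return,success,0
trailer,80
"""


@dataclass
class ExecRecord:
    audit_uid: str   # who logged in originally; survives sudo/su
    euid: str        # effective user at exec time
    argv: list
    success: bool


def parse_praudit(text):
    """Turn praudit-style text into ExecRecords (execve events only)."""
    records, current = [], None
    for line in text.splitlines():
        fields = line.split(",")
        token = fields[0]
        if token == "header":
            # header,<bytes>,<version>,<event name>,... (assumed layout)
            current = {"event": fields[3], "argv": [], "success": False}
        elif current is None:
            continue
        elif token == "exec arg":
            current["argv"] = fields[1:]
        elif token == "subject":
            # subject,audit-uid,uid,gid,ruid,rgid,pid,sid,terminal (assumed layout)
            current["audit_uid"], current["euid"] = fields[1], fields[2]
        elif token == "return":
            current["success"] = fields[1] == "success"
        elif token == "trailer":
            if current["event"].startswith("execve") and current["argv"]:
                records.append(ExecRecord(current["audit_uid"], current["euid"],
                                          current["argv"], current["success"]))
            current = None
    return records


def root_commands_by(records, audit_uid):
    """Every command a given login user ran with effective root."""
    return [" ".join(r.argv) for r in records
            if r.audit_uid == audit_uid and r.euid == "root" and r.success]


def sudo_commands(log_text):
    """Commands recorded by sudo's own log (only the top-level invocation)."""
    return re.findall(r"COMMAND=(\S.*)$", log_text, flags=re.M)


def coverage_gap(sudo_log, audit_trail, audit_uid):
    """Commands the audit trail attributes to the user that sudo never saw."""
    seen_by_sudo = set(sudo_commands(sudo_log))
    return [c for c in root_commands_by(parse_praudit(audit_trail), audit_uid)
            if c not in seen_by_sudo]


if __name__ == "__main__":
    for cmd in coverage_gap(SUDO_LOG, AUDIT_TRAIL, "tim"):
        print("not in sudo log:", cmd)
```

The `audit_uid` column is the part that matters for the `sudo csh` case: the effective uid is root for everything typed in that shell, but the audit uid still names the person who logged in, so the trail can be filtered per admin. The append-only trail (`chflags sappnd`) and keeping auditd itself alive, the two points raised in the thread, are what make these records trustworthy; the parser above only reads them.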