On 12/18/2012 06:53 PM, John Hein wrote:
Tim Daneliuk wrote at 17:48 -0600 on Dec 5, 2012:
> On 12/05/2012 05:44 PM, Kurt Buff wrote:
> > On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk <tun...@tundraware.com>
wrote:
> >> I am working with an institution that today provides limited privilege
> >> escalation
> >> on their servers via very specific sudo rules. The problem is that the
> >> administrators can do 'sudo su -'.
> > <snip>
> >
> >
> > sudo is misconfigured.
> >
> > man 5 sudoers and man 8 visudo
> >
> >
> >
> > Kurt
> >
>
> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
> saying. Are you suggesting that there is a way to configure
> sudo so that if someone does 'sudo su -' to become an admin,
> sudo can be made to log every command they execute thereafter?
See log_input and log_output in sudoers(5)
Thanks so much John, that's the secret sauce I was looking for...
--
----------------------------------------------------------------------------
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"