On Dec 18, 2012, at 5:43 PM, Tim Daneliuk wrote:

> On 12/18/2012 07:33 PM, Devin Teske wrote:
>> 
>> On Dec 18, 2012, at 5:18 PM, Tim Daneliuk wrote:
>> 
>>> 
>>> One further question, if I may.  If I do this:
>>> 
>>>   sudo su -
>>> 
>>> Will log_input record everything I do once I've been promoted to
>>> root?  I ask because my initial experiments seem to show that all
>>> that's getting recorded is the content of the sudo command itself,
>>> not the subsequent actions…
>>> 
>> 
>> Correct, sudo is blind to the actions performed once the command requested 
>> is executed (in this case, "su" and subsequently a shell followed by more 
>> actions).
>> 
> 
> Actually, I just tried this with both log_input and log_output options
> enabled. It seems that it *can* see into the promoted shell with a few
> caveats:
> 
>  - Command output is logged immediately, but command inputs appear to only
>    be written to the log when you exit the promoted shell.  This may be
>    not quite right - there may have not been enough input to cause a
>    write flush to the log.
> 
>  - The logging seems to be able to see into a spawned subshell, but
>    I don't think it can see input/output if you, say, kick off an xterm.
> 

What about if you do "sudo vim" and then type ":sh" ?
-- 
Devin



> 
>> I've suggested the lrexec module for catching everything, or you can look 
>> into the auditdistd (distributed auditing collection/collation to a 
>> remote/central server) approach, the praudit approach, or any of the other 
>> pieces of software mentioned.
>> 

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions