# Some security concerns...



## icecoke (Jun 13, 2017)

Hi everyone,

not sure if I'm in the right forum area, so maybe a mod wants to move this.

Is it possible to 'track' actions that are done in a jail where an sshd server is running and offering root access (so of course no root access directly in the sshd, but after login su/sudo is possible).

The security level is low in the jail, so I have options for chflags in the host, but doing an sappend on e.g. .history is senseless as one can do a history -c or crashing the current session, so that nothing is written at all.

The sudoers file has a schg flag, so maybe sudoers/su is offering something like this? (So that at least the elevated commands are tracked?)

I'm wondering ho to implement some kind of options to see afterwards what one has done on the jailed shell. Any ideas for that?


----------



## icecoke (Jun 17, 2017)

getopt Thanks for your input! That's like a teammate saying: pull the plug, so noone can break in your machine 
To disable the sshd in the jail is no option, as this is mandatory for the service we doing. So we must offer sshd, but we would like to track this under some circumstances.


----------



## ShelLuser (Jun 17, 2017)

First, in all honesty, getopt does have a valid point: if you don't trust your users then you shouldn't be handing out root privileges in the first place.



icecoke said:


> Is it possible to 'track' actions that are done in a jail where an sshd server is running and offering root access (so of course no root access directly in the sshd, but after login su/sudo is possible).


There are a few options, for starters you could consider setting up process accounting / auditing. Check chapter 13.2 of the FreeBSD handbook for that. If you check /usr/ports/security you'll probably find much more.  Maybe an easier approach is running `make search key=auditing | less` in /usr/ports and then simply concentrating on 'security'.


----------



## Eric A. Borisch (Jun 18, 2017)

Check out sysutils/DTraceToolkit, and execsnoop within that; it has an option to print JIDs with it that you can filter on separately.

This isn't a security tool, but it is one route to see what is being executed. Note that it doesn't give you visibility into what those programs are doing.


----------

