topic Re: Sudo logs in Operating System - HP-UX

Sudo logs

MohitAnchlia — Mon, 11 Sep 2006 19:41:03 GMT

This is my situation:

1. User sudo su - abc
2. after login to abc he executes "rm *"
3. exit

I have entry in sudoers file that allow this user to run su, also defines the log file in /var/log/sudo.log. Now how do I get that this user also executed "rm *" in log file.

Re: Sudo logs

Steven E. Protter — Mon, 11 Sep 2006 19:48:43 GMT

Shalom,

You kind of don't get that in the log file without scripting it.

Your standard user environment should set HISTFILE variable so that keystrokes can be logged to a file. This output can be appended to the sudo logs. Also, you could use the tee command or echo commands to route specific output to the sudo logs.

The best way to go is to write a script that peforms these actions in a safe and controlled way. This very same script can be configured to update any log you'd like updated.

SEP

Re: Sudo logs

spex — Mon, 11 Sep 2006 20:08:17 GMT

Hi,

1) Convert to a trusted system.

2) Run the 'script' command from the user's profile. You may also be able to use GNU Screen for this purpose.

3) Set $HISTFILE to a non-default value and hope the user isn't sophisticated enough to find/edit his history.

Also, don't forget to assign points to any responses that may have helped you. You are currently 0 for 9.

PCS

Re: Sudo logs

Bill Hassell — Mon, 11 Sep 2006 20:08:40 GMT

"sudo su - abc" is very poor design. sudo is very powerful but to allow su essentially destroys all your system security. su must be forbidden in the sudoers file. If a user wants to run a specific instruction, the sudoers file must allow it explicitly. The sudo log only logs the command on the sudo line. Now the user abc should have .sh_history available so you could look in that file for commands. But that should never be used as a security procedure.

Security must be inconvenient so you take away su from the sudo configuration. If a user wants to do something as a specific user, that task should be identified and scripted if necessary. And note that security doesn't just mean keeping out the bad guys -- it also means preventing mistakes. Your sudo file should have explicit commands and even specific parameters to commands. For example, do not give sudo users access to the mount and umount command when they want to use a CDROM. Instead, you specify the exact command such as: mount /cdrom

Re: Sudo logs

apple — Mon, 17 Dec 2007 02:23:52 GMT

Dear HPUX Gurus,
The conversation is very interesting.
i tried to find the log inside, i can't find any sudo log inside the system?
our system is hpux 11.23i. this log is very important to track any sudo user that using the utilities right?
hope to hear from you

Re: Sudo logs

Jeeshan — Mon, 17 Dec 2007 04:21:10 GMT

by default you can view the sudo logs from syslog.log file.

Re: Sudo logs

Bill Hassell — Mon, 17 Dec 2007 21:26:12 GMT

almond08: ...where is sudo log ...

It would be better to start your own question about this. The answer is that sudo can be installed from many, many different locations and has a number of versions available. If you compiled sudo then there were many options available to configure sudo values indicating where the log is located. Also, you can set the log file location in the sudoers file. Run the command:

visudo

and see if the logfile= option has been set. As mentioned, the syslog file (/var/adm/syslog/syslog.log) file will have the details, but check /etc/syslog.conf for syslog options too.

Re: Sudo logs

apple — Tue, 18 Dec 2007 01:00:37 GMT

Thank you for the great explaination.
1. When I issue the #visudo
I can see there is a line like this:

Defaults log_year, logfile=/var/log/sudo.local.log

but when i go to /var, i can't get the log folder. do we have such hidden folder or what for this sudo security purpose?

2. i go to /etc/syslog.conf, the output are such:
# syslogd configuration file.

mail.debug /var/adm/syslog/mail.log
*.info;mail.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *

do we have to add in an entry for our sudo log?

3. I go to /var/adm/syslog/syslog.log
i can see the sudo entries there. what is the best way to go for sudo log? the syslog.log or sudo.log?
Looking forward for your awaiting reply. Thank you.

Re: Sudo logs

Bill Hassell — Tue, 18 Dec 2007 02:25:05 GMT

> 1. When I issue the #visudo I can see there is a line like this:
>
>Defaults log_year,logfile=/var/log/sudo.local.log

The sudo log file is in the /var/log directory. However, if no one created the directory, then sudo logs just to syslog.

2...syslog.conf...

This is a standard syslog file. What you look for is a special file for authorizations, but none are present in this file.

3...sudo.log or syslog...

syslog is a very busy file so sorting out the sudo activities will require some work. I would change the sudoers file with visudo to read this way:

Defaults logfile=/var/adm/sudo.log

Most of the HP-UX logfiles are in /var/adm so this is a good place for the sudo log.

Re: Sudo logs

melvyn burnard — Tue, 18 Dec 2007 08:21:34 GMT

almond08
PLEASE do not hijack other threads, open your own thread and refer to this thread.