topic Re: sudo setup in Operating System - HP-UX

sudo setup

Michael G Jaynes — Tue, 20 Jan 2009 15:56:56 GMT

I am looking to install sudo but cannot find any information about setting it up in the users' .profile file to automatically make sudo run for the user. I do not want to rely on users typing sudo before every command. I know nobody will do this. Any info?

Re: sudo setup

Patrick Wallek — Tue, 20 Jan 2009 16:09:58 GMT

>>automatically make sudo run for the user.

Not possible.

>>I do not want to rely on users typing sudo before every command. I know nobody will do this

If they want their commands to run properly they WILL do it.

The other option is to set up an alias for whatever command(s) the user will run.

alias ssu='/usr/local/bin/sudo su -'

Thus, when the user types 'ssu' at the prompt it would run the 'sudo su -' command for them.

This is about all you will be able to do. There is no way to tell the shell to prepend 'sudo' to every command typed. You really would not want to do that anyway.

Re: sudo setup

Michael G Jaynes — Tue, 20 Jan 2009 16:28:15 GMT

Hmm I see.

Well let me give you a little bit of background. There are only two users of our HP-UX servers. The two of us are both administrators and regularly use the root account. I cannot rely on the other admin to type sudo in order for it to log his actions.

SOX is making us give a paper trail as to which one of us are using the root account when and what we are doing while logged in as root. I believe sudo will give me the proper logging. I have also looked at Symark's Powerbroker. While extremely powerful, it is overkill. Any suggestions?

Re: sudo setup

Autocross.US — Tue, 20 Jan 2009 17:05:20 GMT

You can do something like this with sudo:

- visudo

- create a user alias defining your root users:

User_Alias ROOT_USERS = user1, user2

- Define the su to root command:
ROOT_USERS ALL = NOPASSWD: /usr/bin/su [-]

Then in the .profile for each user, add:
sudo su -

This will su them to root upon login into their account using sudo.

Re: sudo setup

Patrick Wallek — Tue, 20 Jan 2009 19:15:37 GMT

>>This will su them to root upon login into their account using sudo.

True, BUT it will NOT log any commands the are issued AFTER you become root.

Re: sudo setup

Autocross.US — Tue, 20 Jan 2009 19:40:51 GMT

/home/root/.sh_history will show all commands executed by root. If you want to show the activities of each user, add something like this to the .profile of root:

HISTFILE=${HOME}/.sh_history_`who am i|awk '{ print $1}'`
date >>$HISTFILE
export HISTFILE
HISTSIZE=50000
export HISTSIZE

This will create a history file for each user that becomes root with the date.

Also, for the above sudo commands to work, each user needs to be in the SU_ROOT_GROUP defined in /etc/default/security, if they aren't already.

Re: sudo setup

Michael G Jaynes — Tue, 20 Jan 2009 19:50:19 GMT

Thank you for your responses.

We had a miss on our SOX audit last year since only two of us log into the machines. We both tend to log in with the root account. We have since started logging in with our user accounts and su-ing to root as needed. But we still are lacking proof that only the two of us are using the root account.

Re: sudo setup

Autocross.US — Tue, 20 Jan 2009 20:08:43 GMT

Proof can be found in /var/adm/sulog:

grep '[a-zA-Z0-9]-root' /var/adm/sulog
(shows everyone that became root)

Also, to show all sudo commands run as root:

grep "sudo.*USER=root" /var/adm/syslog/syslog.log

As long as these logs are archived for long period, i would think that would be proof enough. It has been for our security audits.

Do the auditors have any recommendations for correcting the finding? I'd be interested to know what they are.

Re: sudo setup

Michael G Jaynes — Tue, 20 Jan 2009 21:46:04 GMT

Thanks guys, the combination of answers received I am able to get all the information I need in my development box. I will do a little more testing and will get this into production asap. Thank you for the responses.

Re: sudo setup

Michael G Jaynes — Tue, 20 Jan 2009 21:46:40 GMT

Combination of the history file, sudo setup and the sulog. Thank you