topic Re: rootsh and sudo problem in Secure OS Software for Linux

rootsh and sudo problem

Joppe — Fri, 17 Feb 2006 07:20:22 GMT

Hallo all,

I hope someone can help me with this problem.

To make our servers more secure have stopped root access with su and the administartors have to SUDO to run root commands, that is working really well. I have also a logging-program called rootsh to log everything that are done as root, my problem is that to start the logging the admins then they have to "sudo rootsh" and they get a root shell with logging, but it is still possible to "sudo bash" and then they get a root-shell without logging.

What I want is when they use "sudo bash", then the rootsh should be started automaticaly and logg what is happening.

I have not manage to come up with a solution how to get this to work!

Greatful for help!

Cheers
Joppe

Re: rootsh and sudo problem

Muthukumar_5 — Fri, 17 Feb 2006 07:29:56 GMT

You can audit the sudo related commands with history files itself generally.

Another method as writing shell wrapper as,

# mv sudo.org
# cat > sudo
#!/bin/bash
if [[ $1 = "bash" ]]
then
# put the command to start
fi
echo $* | bash

# end
exit 0

###########

Change permission to new sudo file and try now.

--
Muthu

Re: rootsh and sudo problem

Joppe — Fri, 17 Feb 2006 07:58:42 GMT

Thanks, that works fine!
But This means that I can't add new users to the sudoers file that I only want to let run a few specified commands.

The question is if it is possible to have it so I still easy can add sudo rules for other users also?

/Joppe

Re: rootsh and sudo problem

Joppe — Fri, 17 Feb 2006 08:12:12 GMT

Oups, was a little to fast to replay.

With this script instead of the orginal sudo makes my logg file look like rubbish instead!

/Joppe

Re: rootsh and sudo problem

Joppe — Fri, 17 Feb 2006 08:29:46 GMT

Okay all I found a solution for my probblem that's working!

I simply changed the default shell for the admin user to my rootsh, and added rootsh in the /etc/shells. And then I have logging from the first second a admin user loggs in to the server until he loggs out!

Cheers

Joppe

Re: rootsh and sudo problem

Steven E. Protter — Fri, 17 Feb 2006 14:41:42 GMT

Shalome Joppe,

If sudo bash works you have no security at all and there is almost no reason to use sudo.

The binaries that can be sudo must be limited by the sudoers file to make this setup effective.

Leaving bash available for sudo is a huge back door that needs to be shut.

As far a logging commands, you can set the HISTFILE variable and all commands input by keyboard logged. This can be in the home directores of your various admins or a central location.

SEP