Operating System - HP-UX

stony_2
Occasional Contributor

SUDO: Detailed command logging

Hi,
Requirement: After a user logs in with sudo, each of the commands executed by the user should be logged either in syslog or a separate log file.

I checked through a lot of forum posts but could not find a working response.

sudoers file listed below
#########################################
# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

Defaults logfile=/var/run/sudo/sudo.log

# Runas alias specification

# User privilege specification
root ALL=(ALL) SETENV: ALL

# Uncomment to allow people in group wheel to run all commands
# and set environment variables.
# %wheel ALL=(ALL) SETENV: ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: SETENV: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
stony bkpsvr=/usr/bin/rlogin,/usr/lbin/remshd,/usr/sbin/cmviewcl, /usr/sbin/cmviewcl -v, /usr/sbin/dmesg, /usr/sbin/vxdmpadm listctlr all, /usr/sbin/sam, /usr/sbin/swinstall, /opt/contrib/bin/nickel, /usr/bin/gsp, /sbin/ioscan, /opt/ignite/bin/make_tape_recovery

############################################

Contents of the generated log file /var/run/sudo/sudo.log

###########################################
root@bkpsvr#cat /var/run/sudo/sudo.log
May 25 12:52:12 : stony : HOST=bkpsvr : TTY=pts/tb ; PWD=/home/stony ; USER=root
; COMMAND=/usr/bin/rlogin bkpsvr
May 25 13:07:26 : hpce : HOST=bkpsvr : TTY=pts/1 ; PWD=/home/stony ; USER=root
; COMMAND=/bin/rlogin bkpsvr

###########################################

The log file only lists the timestamp when I tried to run a command.

What I want sudo to tell me is what command was executed, e.g. cmviewcl / swlist etc.

What option should be included to enable detailed logging?

Thanks.
avizen9
Esteemed Contributor

Re: SUDO: Detailed command logging

Hello Stony,
You can get detailed logs in the same file, /var/adm/syslog/syslog.log.
However, you should check the logfile location through
visudo
and see if the logfile= option has been set. As mentioned, the syslog file (/var/adm/syslog/syslog.log) will have the details, but check /etc/syslog.conf for syslog options too.

thanks,
Kenan Erdey
Honored Contributor

Re: SUDO: Detailed command logging

hi,

sudo already logs commands. Check the COMMAND line in the log. It just does not log redirections ( > ).


Computers have lots of memory but no imagination
johnsonpk
Honored Contributor

Re: SUDO: Detailed command logging

Hi Stony,

the log option we use is


Defaults syslog=auth
Defaults log_year,logfile=/var/adm/syslog/sudo.log
Defaults !set_logname

This will give almost the same output as yours, with the year.


>>>What I want sudo is to tell me, what command was executed eg cmviewcl / swlist etc.


Your log file is showing the command executed !!!

###########################################
root@bkpsvr#cat /var/run/sudo/sudo.log
May 25 12:52:12 : stony : HOST=bkpsvr : TTY=pts/tb ; PWD=/home/stony ; USER=root
; COMMAND=/usr/bin/rlogin bkpsvr
May 25 13:07:26 : hpce : HOST=bkpsvr : TTY=pts/1 ; PWD=/home/stony ; USER=root
; COMMAND=/bin/rlogin bkpsvr

###########################################

>>The log file only lists the timestamp when I tried to run a command.



Thanks!!
Johnson
Sunny123_1
Esteemed Contributor

Re: SUDO: Detailed command logging

Hi John

You gave the information
the log option we use is


Defaults syslog=auth
Defaults log_year,logfile=/var/adm/syslog/sudo.log
Defaults !set_logname

Where is that file???

On my server there is no file like var/run/sudo/sudo.log

Regards
Sunny
johnsonpk
Honored Contributor

Re: SUDO: Detailed command logging

Hi Tony,

I guess I didn't get you correctly :-(

The log option should be included in the sudoers file using visudo.


Your statement below is confusing me ..

********************************
Stony >>>>>>############################################

contents of the log file generate /var/run/sudo/sudo.log

###########################################
root@bkpsvr#cat /var/run/sudo/sudo.log
May 25 12:52:12 : stony : HOST=bkpsvr : TTY=pts/tb ; PWD=/home/stony ; USER=root
; COMMAND=/usr/bin/rlogin bkpsvr
May 25 13:07:26 : hpce : HOST=bkpsvr : TTY=pts/1 ; PWD=/home/stony ; USER=root
; COMMAND=/bin/rlogin bkpsvr

###########################################

The log file only lists the timestamp when I tried to run a command.

What I want sudo is to tell me, what command was executed eg cmviewcl / swlist etc.


stony>>In my server there is no file like var/run/sudo/sudo.log
********************************************

Now you are saying that you could not find the
var/run/sudo/sudo.log file .. then from where did you get the log ??? (see your first post)


Johnson
Viktor Balogh
Honored Contributor

Re: SUDO: Detailed command logging

hi stony,

just type visudo at the prompt:

# visudo

you will be presented a vi-like editor which edits the /etc/sudoers file.
There should be some lines like:

Defaults syslog=auth
Defaults log_year,logfile=/var/adm/syslog/sudo.log
Defaults !set_logname

If you cannot find these, then insert them.
After that you'll find the logfile here:

/var/adm/syslog/sudo.log
****
Unix operates with beer.
OldSchool
Honored Contributor
Solution

Re: SUDO: Detailed command logging

I'm a little confused by your requirements. It appears that sudo is logging the "rlogin" as requested.

If what you are asking is "How do I make the sudo log record all commands entered once the rlogin is accepted?", I believe the answer is "You don't".

Sudo will log the command presented to it...subsequent commands are executed by regular shells.

There used to be a "sudosh" package that had keystroke logging, but it appears not to have been active in a long time.

Commercial products, such as PowerBroker from Symark offer that capability as well, but I find their playback facilities of limited utility.
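The parser below is an added example, not code from this thread or from the sudo project. It reads the logfile layout shown in stony's post (records wrapped at sudo's loglinelen so the COMMAND part continues on a line that begins with ";") together with the log_year layout that johnsonpk and Viktor Balogh enable, which sudo documents as appending a four-digit year to the timestamp. It then marks the entries where, as OldSchool explains, sudo's trail stops: a shell or remote login was the command sudo ran, so everything typed afterwards never reaches this file. The sample log lines and the list of trail-ending programs are constructed for the example.

```python
import re

# Constructed sample (not from the thread's server). Records 1 and 2 use the
# default logfile layout wrapped at loglinelen, with the continuation line
# starting with ";" as in stony's post; records 3 and 4 use the log_year
# layout (assumed here: four-digit year appended after the time of day).
SAMPLE_LOG = """\
May 25 12:52:12 : stony : HOST=bkpsvr : TTY=pts/tb ; PWD=/home/stony ; USER=root
    ; COMMAND=/usr/bin/rlogin bkpsvr
May 25 13:07:26 : hpce : HOST=bkpsvr : TTY=pts/1 ; PWD=/home/stony ; USER=root
    ; COMMAND=/bin/rlogin bkpsvr
May 25 13:10:02 2010 : stony : HOST=bkpsvr : TTY=pts/tb ; PWD=/home/stony ; USER=root ; COMMAND=/usr/sbin/cmviewcl -v
May 25 13:11:40 2010 : stony : HOST=bkpsvr : TTY=pts/tb ; PWD=/home/stony ; USER=root ; COMMAND=/sbin/sh
"""

# Timestamp with optional year, then the invoking user, then the rest.
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}(?: \d{4})?)"
    r" : (?P<caller>\S+) : (?P<rest>.*)$"
)

# sudo's field names mapped to clearer keys (USER= is the run-as user, not the caller).
FIELD_NAMES = {"HOST": "host", "TTY": "tty", "PWD": "cwd", "USER": "runas"}

# Programs that hand the session to another command interpreter or host.
# Assumed list for the example; extend it for your own site.
TRAIL_ENDERS = frozenset({"sh", "ksh", "csh", "bash", "su",
                          "rlogin", "remsh", "rsh", "telnet", "ssh"})


def join_wrapped(lines):
    """Rejoin records that sudo wrapped at loglinelen: continuation lines start with ';'."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        if line.lstrip().startswith(";") and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    return records


def ends_trail(command):
    """True when the program sudo ran is a shell or remote login: whatever the
    user types inside it is run by that program, not by sudo, so it is never
    logged here (OldSchool's observation)."""
    words = command.split()
    program = words[0].rsplit("/", 1)[-1] if words else ""
    return program in TRAIL_ENDERS


def parse_record(record):
    """Turn one rejoined logfile record into a dict, or None if it is not a sudo record."""
    m = RECORD_RE.match(record)
    if m is None:
        return None
    rest = m.group("rest")
    idx = rest.find("COMMAND=")
    if idx < 0:
        return None
    entry = {
        "timestamp": m.group("ts"),
        # Without log_year the year is absent, so the entry cannot be dated exactly.
        "has_year": re.search(r" \d{4}$", m.group("ts")) is not None,
        "caller": m.group("caller"),
        "command": rest[idx + len("COMMAND="):],
    }
    # Fields before COMMAND= are separated by " : " or " ; " and never contain those.
    head = rest[:idx].rstrip(" ;")
    for part in re.split(r" [;:] ", head):
        key, _, value = part.partition("=")
        entry[FIELD_NAMES.get(key, key.lower())] = value
    entry["trail_ends"] = ends_trail(entry["command"])
    return entry


def audit(text):
    """Parse a whole logfile into entries (malformed lines are skipped)."""
    entries = [parse_record(r) for r in join_wrapped(text.splitlines())]
    return [e for e in entries if e is not None]


def blind_spots(entries):
    """Entries after which sudo cannot tell you what the user did next."""
    return [e for e in entries if e["trail_ends"]]


if __name__ == "__main__":
    for e in audit(SAMPLE_LOG):
        mark = "  <-- sudo trail ends here" if e["trail_ends"] else ""
        print(f'{e["timestamp"]:>20} {e["caller"]:<6} {e["runas"]:<5} {e["command"]}{mark}')
```

Running it on a real /var/adm/syslog/sudo.log (or the /var/run/sudo/sudo.log path from the first post) gives a per-command view with the rlogin and /sbin/sh entries marked, which is exactly the point at which the logfile alone stops answering "what did the user run"; the has_year flag shows why "Defaults log_year" is worth setting before the file spans a year boundary.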
stony_2
Occasional Contributor

Re: SUDO: Detailed command logging

Thank you all for responding to my query. The last response from 'Oldschool' is correct.
On closer analysis of my sudo configuration, I find that sudo logs my attempt to rlogin while the rest of the commands are being run by the subshell.

Thanks 'old School' for your observation.

An additional query -- Apart from the commercial products, can we configure command logging for all user activity in syslog?

I will not mind scanning the syslog once a day to find out if someone is acting smart.

Thanks again.

Pete Randall
Outstanding Contributor

Re: SUDO: Detailed command logging

>> An additional query -- Apart from the commercial products, can we configure command logging for all user activity in syslog.

This is a very popular request. Unfortunately, the answer is no. The only logging available for individual users' commands is their shell history file, which WILL show you all the commands they entered, but will NOT have any date/time stamps, and CAN be altered by the users themselves (since they have to have write permissions, obviously) to hide their tracks.


Pete