SUDO: Detailed commad logging

 
stony_2
Occasional Contributor

SUDO: Detailed commad logging

Hi,
Requirement: After a user logs in with sudo, each of the commands executed by the user should be logged either in syslog or in a separate log file.

I checked through a lot of forum posts but could not find a working response.

sudoers file listed below
#########################################
# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

Defaults logfile=/var/run/sudo/sudo.log

# Runas alias specification

# User privilege specification
root ALL=(ALL) SETENV: ALL

# Uncomment to allow people in group wheel to run all commands
# and set environment variables.
# %wheel ALL=(ALL) SETENV: ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: SETENV: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
stony bkpsvr=/usr/bin/rlogin,/usr/lbin/remshd,/usr/sbin/cmviewcl, /usr/sbin/cmviewcl -v, /usr/sbin/dmesg, /usr/sbin/vxdmpadm listctlr all, /usr/sbin/sam, /usr/sbin/swinstall, /opt/contrib/bin/nickel, /usr/bin/gsp, /sbin/ioscan, /opt/ignite/bin/make_tape_recovery

############################################

Contents of the log file generated, /var/run/sudo/sudo.log:

###########################################
root@bkpsvr#cat /var/run/sudo/sudo.log
May 25 12:52:12 : stony : HOST=bkpsvr : TTY=pts/tb ; PWD=/home/stony ; USER=root
; COMMAND=/usr/bin/rlogin bkpsvr
May 25 13:07:26 : hpce : HOST=bkpsvr : TTY=pts/1 ; PWD=/home/stony ; USER=root
; COMMAND=/bin/rlogin bkpsvr

###########################################

The log file only lists the timestamp of when I tried to run a command.

What I want is for sudo to tell me what command was executed, e.g. cmviewcl / swlist etc.

What option should be included to enable detailed logging?

Thanks.
avizen9
Esteemed Contributor

Re: SUDO: Detailed commad logging

Hello Stony,
You can get detailed logs in the same file, /var/adm/syslog/syslog.log.
However, you should check the logfile location through
visudo
and see if the logfile= option has been set. As mentioned, the syslog file (/var/adm/syslog/syslog.log) will have the details, but check /etc/syslog.conf for the syslog options too.

thanks,
Kenan Erdey
Honored Contributor

Re: SUDO: Detailed commad logging

hi,

sudo already logs commands. Check the COMMAND line in the log. It just does not log redirections ( > ).


Computers have lots of memory but no imagination
johnsonpk
Honored Contributor

Re: SUDO: Detailed commad logging

Hi Stony,

the log option we use is


Defaults syslog=auth
Defaults log_year,logfile=/var/adm/syslog/sudo.log
Defaults !set_logname

This will give almost the same output as yours, with the year.


>>>What I want sudo is to tell me, what command was executed eg cmviewcl / swlist etc.


Your log file is showing the command executed!!!

###########################################
root@bkpsvr#cat /var/run/sudo/sudo.log
May 25 12:52:12 : stony : HOST=bkpsvr : TTY=pts/tb ; PWD=/home/stony ; USER=root
; COMMAND=/usr/bin/rlogin bkpsvr
May 25 13:07:26 : hpce : HOST=bkpsvr : TTY=pts/1 ; PWD=/home/stony ; USER=root
; COMMAND=/bin/rlogin bkpsvr

###########################################

>>The log file only lists the timestamp when I tried to run a command.



Thanks!!
Johnson
Sunny123_1
Esteemed Contributor

Re: SUDO: Detailed commad logging

Hi John

You gave the information
the log option we use is


Defaults syslog=auth
Defaults log_year,logfile=/var/adm/syslog/sudo.log
Defaults !set_logname

Where is that file???

On my server there is no file like var/run/sudo/sudo.log

Regards
Sunny
johnsonpk
Honored Contributor

Re: SUDO: Detailed commad logging

Hi Tony,

I guess I didn't get you correctly :-(

The log option should be included in the sudoers file using visudo.


Your statement below is confusing me..

********************************
Stony >>>>>>############################################

contents of the log file generate /var/run/sudo/sudo.log

###########################################
root@bkpsvr#cat /var/run/sudo/sudo.log
May 25 12:52:12 : stony : HOST=bkpsvr : TTY=pts/tb ; PWD=/home/stony ; USER=root
; COMMAND=/usr/bin/rlogin bkpsvr
May 25 13:07:26 : hpce : HOST=bkpsvr : TTY=pts/1 ; PWD=/home/stony ; USER=root
; COMMAND=/bin/rlogin bkpsvr

###########################################

The log file only lists the timestamp when I tried to run a command.

What I want sudo is to tell me, what command was executed eg cmviewcl / swlist etc.


stony>>In my server there is no file like var/run/sudo/sudo.log
********************************************

Now you are saying that you could not find the
var/run/sudo/sudo.log file.. then from where did you get the log??? (see your first post)


Johnson
Viktor Balogh
Honored Contributor

Re: SUDO: Detailed commad logging

hi stony,

just type visudo at the prompt:

# visudo

you will be presented a vi-like editor which edits the /etc/sudoers file.
There should be some lines like:

Defaults syslog=auth
Defaults log_year,logfile=/var/adm/syslog/sudo.log
Defaults !set_logname

If you cannot find these, then insert them.
After that you'll find the logfile here:

/var/adm/syslog/sudo.log
****
Unix operates with beer.
OldSchool
Honored Contributor
Solution

Re: SUDO: Detailed commad logging

I'm a little confused by your requirements. It appears that sudo is logging the "rlogin" as requested.

if what you are asking is "How do I make the sudo log record all commands entered once the rlogin is accepted?" I believe the answer is "You don't".

Sudo will log the command presented to it...subsequent commands are executed by regular shells.

There used to be a "sudosh" package that had keystroke logging, but it appears not to have been active in a long time.

Commercial products, such as PowerBroker from Symark offer that capability as well, but I find their playback facilities of limited utility.
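The point in the accepted answer is worth making concrete: sudo writes one COMMAND= line per invocation, so when that invocation is rlogin, sam, a shell or anything else that hands the user an interactive session, everything typed afterwards never reaches the sudo log. The following script is an added example by the editor, not code from the thread: it parses the logfile format shown above (including sudo's wrapped continuation lines) and flags entries whose program opens such a session. The SESSION_SPAWNERS list and the two extra sample lines with log_year enabled are the editor's assumptions, not data from the original post. (Later sudo releases, 1.7.5 and up, can record whole sessions with Defaults log_output and replay them with sudoreplay; none of the HP-UX setups in this thread had that.)

```python
import re
from collections import namedtuple

SudoEntry = namedtuple("SudoEntry", "timestamp user fields command")

# Programs that give the caller an interactive session or a shell escape;
# sudo logs the invocation but nothing typed afterwards.
# Assumption: this list was compiled by the editor, not taken from the thread.
SESSION_SPAWNERS = {
    "sh", "ksh", "bash", "csh", "su", "sudo",
    "rlogin", "remsh", "rsh", "telnet", "ssh",
    "sam", "smh", "vi", "vim", "more", "less",
}

# A record starts with a syslog-style timestamp ("May 25 12:52:12").
_TS_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d")


def join_records(lines):
    """Re-join records that sudo wrapped onto continuation lines.

    sudo breaks long logfile entries (see its loglinelen option); a continuation
    line does not start with a timestamp, so fold it into the previous record.
    """
    records = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        if _TS_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse_record(record):
    """Split 'timestamp : user : HOST=.. : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=..'."""
    head, sep, command = record.partition("COMMAND=")
    if not sep:
        raise ValueError("no COMMAND= in record: %r" % record)
    # Field separators are ' : ' or ' ; '; the colons inside hh:mm:ss have no
    # surrounding whitespace, so they survive the split.
    parts = [p.strip() for p in re.split(r"\s[:;]\s", head) if p.strip()]
    timestamp, user, kv = parts[0], parts[1], parts[2:]
    fields = dict(p.split("=", 1) for p in kv if "=" in p)
    return SudoEntry(timestamp, user, fields, command.strip())


def spawns_session(entry):
    """True when the logged program opens an interactive session, i.e. the
    commands run after this line are invisible to sudo's logfile."""
    program = entry.command.split()[0].rsplit("/", 1)[-1]
    return program in SESSION_SPAWNERS


def audit(lines):
    """Return (all parsed entries, entries that spawned a session)."""
    entries = [parse_record(r) for r in join_records(lines)]
    flagged = [e for e in entries if spawns_session(e)]
    return entries, flagged


# Constructed sample: the two wrapped entries from the thread, plus two entries
# in the assumed log_year format (year after the time) added by the editor.
SAMPLE_LOG = """\
May 25 12:52:12 : stony : HOST=bkpsvr : TTY=pts/tb ; PWD=/home/stony ; USER=root
; COMMAND=/usr/bin/rlogin bkpsvr
May 25 13:07:26 : hpce : HOST=bkpsvr : TTY=pts/1 ; PWD=/home/stony ; USER=root
; COMMAND=/bin/rlogin bkpsvr
May 25 13:10:02 2009 : stony : HOST=bkpsvr : TTY=pts/tb ; PWD=/home/stony ; USER=root ; COMMAND=/usr/sbin/cmviewcl -v
May 25 13:12:45 2009 : stony : HOST=bkpsvr : TTY=pts/tb ; PWD=/home/stony ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
"""

if __name__ == "__main__":
    entries, flagged = audit(SAMPLE_LOG.splitlines())
    for e in entries:
        mark = "SESSION" if e in flagged else "single "
        print("%s %s %s -> %s: %s"
              % (mark, e.timestamp, e.user, e.fields.get("USER"), e.command))
```

Run against a real sudo.log with `audit(open("/var/adm/syslog/sudo.log").readlines())`; every flagged line marks a point after which you have to fall back on shell history or the audit subsystem, since the sudo log has nothing more to say about that session.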
stony_2
Occasional Contributor

Re: SUDO: Detailed commad logging

Thank you all for responding to my query. The last response from 'Oldschool' is correct.
On closer analysis of my sudo configuration, I find that sudo logs my attempt to rlogin while the rest of the commands are being run by the subshell.

Thanks 'old School' for your observation.

An additional query -- Apart from the commercial products, can we configure command logging for all user activity in syslog.

I will not mind scanning the syslog once in a day to find if someone is acting smart.

Thanks again.

Pete Randall
Outstanding Contributor

Re: SUDO: Detailed commad logging

>> An additional query -- Apart from the commercial products, can we configure command logging for all user activity in syslog.

This is a very popular request. Unfortunately, the answer is no. The only logging available for individual users' commands is their shell history file, which WILL show you all the commands they entered, but will NOT have any date/time stamps, and CAN be altered by the users themselves (since they have to have write permissions, obviously) to hide their tracks.


Pete
Heironimus
Honored Contributor

Re: SUDO: Detailed commad logging

There is a sudosh2 project that's trying to update sudosh, and EAS was written by the sudosh author as a successor to sudosh. EAS was quickly bought by some company and they made every effort to remove all traces of it from the web, but it's still around on archives.
Viktor Balogh
Honored Contributor

Re: SUDO: Detailed commad logging

>> An additional query -- Apart from the commercial products, can we configure command logging for all user activity in syslog.

you could just try and set up auditing:

"The purpose of the HP-UX Auditing System is to record security relevant events for analysis. This information helps you detect repeated attempts to breach security."

http://docs.hp.com/en/5991-1101/ch08s03.html

****
Unix operates with beer.
Mel Burslan
Honored Contributor

Re: SUDO: Detailed commad logging

Victor,

If a user gets hold of a root-equivalent shell, it is very easy to circumvent auditing by turning it off and mangling the audit records to hide one's activities. On a tightly controlled system, auditing works (at the expense of disk space) until the first root account breach takes place. After that, all bets are off.

Unfortunately, other than powerbroker, which is an expensive piece of software to start with, there is no solution to this problem.
________________________________
UNIX because I majored in cryptology...
Viktor Balogh
Honored Contributor

Re: SUDO: Detailed commad logging

OK, with a zero UID you can do anything, but auditing is much more precise than looking into the HISTORY files...
****
Unix operates with beer.
Arun Vijay V C
Frequent Advisor

Re: SUDO: Detailed commad logging

Hi Stony,

Check the user's history file,
/home/user/.sh_history

Also, check whether there is any history file set for the user. After switching to sudo you can just do,
()> echo $HISTFILE
//.HISTORY/.sh_history_vijayaru

Under //.HISTORY/ each user will be having an unique history files. Here .sh_history_vijayaru for the user vijayaru. All the commands you do, will be logged in this file.

Thanks,
Arun Vijay