Re: Track activity of sudo users

bharat satsangi · ‎06-02-2011

Hi Champs,
There are lot of users in my system, they are not local users and does not exist in /etc/passwd. thay are vintella users and they have sudo rights. generally thay login with there id and become root by sudo su - root. now all the activity goes to root history file or in root environment so i m not able to trace which user has done what. need all your help to put a mechanism in place to track all these activity.

Thanks

Steven E. Protter · ‎06-02-2011

Shalom,

sudo logs all transactions.

/var/adm/sulog

Pretty much all you have to do is log in and look at it. You might want to use a shell script to pretty up the results.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

James R. Ferguson · ‎06-02-2011

Hi:

By default, 'sudo' logs successful and unsuccessful activity in the 'syslog'. The '/var/adm/su' file applies to the 'su' command.

Regards!

...JRF...

Bill Hassell · ‎06-02-2011

> sudo su - root

This completely disables sudo logging capability. You need to disallow su for these users and tell them to use the command correctly:

sudo ioscan

In other words, they must type sudo for EVERY root command that they run. Once they start su - root, a new shell is started and sudo logs stop. This may irritate the users but root privilege is far to powerful to casually give to these non-sysadmins without restrictions. Personally, I would list only the root commands that are safe for these users and require them to call a trained sysadmin to run dangerous commands that affect disks and volume groups.

Bill Hassell, sysadmin

bharat satsangi · ‎06-03-2011

I do agree, i can get /var/adm/su file and syslog files too. but these files will tell only the command which ran as sudo that means "sudo command" but if user becomes root by typing sudo su - root then sudo logs does not help. so i need to track these activity. i belive i can put some script some where, but dont know what script and where...?
Thanks again

Bill Hassell · ‎06-03-2011

> i belive i can put some script some where, but dont know what script and where...?

If you aren't going to disable su as an authorized command in sudo, then there's not much you can do. The decision to give non-sysadmins access to unrestricted sudo (and su) was misguided. If your systems are audited, they will fail due to unrestricted root access. Logging what the users did when they were root is too late. A single chmod -R or rm -rf * from an novice user can totally destroy the system. Good security has two purposes: Keep the bad guys out, and keep users from making very bad mistakes.

Bill Hassell, sysadmin

Earl_Crowder · ‎06-03-2011

Hi,

I agree with Bill, full root access for the untrained admin is like giving everyone grenades and rocketlaunchers. Sooner or later, boom!

If they must have root access, first train them to use "sudo -i" instead of sudo su -. Same effect, they get a root shell. Also, using "sudo -i" will set an environment variable SUDO_USER that you can use in the root profile, perhaps like:

if [ -z "${SUDO_USER:-}" ] ; then
SUDO_USER=$(/usr/bin/logname)
fi
if [ -z "${SUDO_USER:-}" -o "${SUDO_USER:-}" = "root" ] ; then
export HISTFILE=~/.sh_history
else
export HISTFILE=/var/adm/histfile/history.${SUDO_USER}
fi
export HISTSIZE=10000

bharat satsangi · ‎06-06-2011

I m not concern about user have the root access, and they can delete there logs.
i just want to trace there activity in a file like different file for different user.

Re: Track activity of sudo users

Track activity of sudo users