Re: how can get sudo log the commands run by a sud...
Operating System - HP-UX
01-28-2010 09:36 AM
Hi
When people do "sudo -s" and then execute commands in that shell, sudo only generates the following logs in /var/adm/syslog/sudo.log.
Is there a way to let sudo log each command the sudoer enters in the shell?
Thanks in advance.
******************************************
Jan 25 14:09:27 : mmatus : TTY=pts/1 ; PWD=/home/mmatus ; USER=root ; COMMAND=/sbin/sh
Jan 28 09:23:55 : dliu : TTY=pts/0 ; PWD=/home/dliu ; USER=root ; COMMAND=/sbin/sh
Jan 28 11:32:03 : dliu : TTY=pts/1 ; PWD=/home/dliu ; USER=root ; COMMAND=/sbin/sh
01-28-2010 05:50 PM
Solution
> sudo -s
is a big problem. I would NEVER allow sudo -s or even sudo ksh. sudo is doing exactly what it was told: run a shell as root. Once the shell is running, the user can do anything, including removing the only record of the commands, the shell history file (.sh_history for ksh and POSIX sh).
Your sudoers file should explicitly deny shell access. Every command run by an ordinary user is a potential security risk and for that privilege, the user must document every step with a separate sudo command.
IF you cannot control secure settings for sudo, then the only record of the user commands will be in the shell history file -- but without the user's login name. So every sudo -s by every user will all be mixed into the shell history.
Bill Hassell, sysadmin
01-28-2010 10:55 PM
Re: how can get sudo log the commands run by a sudoer
Hello,
Using sudo -s is a bad idea.
You should selectively allow access only to the executables the end users would need to execute (with sudo path/executable).
Please read:
http://www.syslog.org/logged/program-to-manage-and-monitor-administrators/
In your case, only /sbin/sh would keep a record (in .sh_history) of what was run on this shell.
As the user has become super-user, it is easy for him to override your security settings, but if you implement the following and check the logs on a regular basis, you should be able to track it down.
You could use some scripting to log the .sh_history file changes in syslog (use the authpriv facility), and you could implement a centralized syslog server logging system in order to prevent your user (who would become root) from deleting the logs related to his actions without leaving a trace.
There are a lot of problems of course with this implementation (like multiple sudoers being logged in the same manner in the .sh_history file, which does not implement date/time stamps), and you should avoid using -s, as I told you at the beginning of this post.
Best regards,
Horia.
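The two controls recommended above (Bill's sudoers policy of named commands with no shell, and Horia's forwarding of .sh_history changes to syslog under authpriv) as one added example script; it is not code from the thread or from HPE. The group name, the HP-UX command paths, the history and offset file locations, and the script name sudo_hist.sh are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Part 1: the sudoers policy Bill
# describes (named commands, no shell). Part 2: Horia's history-to-syslog
# forwarding. Paths, the "operators" group and file names are assumed.

# Writes a sudoers fragment to $1 for review; install it with visudo, never
# by copying over /etc/sudoers. Command paths are assumed HP-UX locations.
write_sudoers_fragment() {
    cat > "$1" <<'EOF'
Cmnd_Alias ADMIN = /usr/sbin/swlist, /usr/sbin/ioscan, /usr/bin/bdf
# Grant named commands only. Do not rely on "!" exclusions of shells:
# the sudoers manual warns they are easily bypassed, so shells are absent.
%operators ALL = (root) ADMIN
EOF
}

# Prints the lines of history file $1 added since the count stored in $2,
# then updates $2. A shrunken or missing history file is reported, since in
# a "sudo -s" session that is the sign the user cleared his own trace.
new_history_lines() {
    hist=$1; state=$2; last=0
    if [ -f "$state" ]; then read last < "$state"; fi
    if [ ! -f "$hist" ]; then
        echo "HISTORY MISSING: $hist (previously $last lines)"
        echo 0 > "$state"
        return 0
    fi
    total=$(wc -l < "$hist" | tr -d ' ')
    if [ "$total" -lt "$last" ]; then
        echo "HISTORY SHRANK: $hist had $last lines, now $total"
        last=0
    fi
    tail -n +"$((last + 1))" "$hist"
    echo "$total" > "$state"
}

# Forward each new line as one authpriv record; point syslog.conf at a
# central server so root cannot quietly edit the local copy.
forward_to_syslog() {
    new_history_lines "$1" "$2" | while IFS= read -r line; do
        logger -p authpriv.info -t sudo-shell "$line"
    done
}

# Run from root's crontab as "sudo_hist.sh"; when sourced, only defines functions.
case "$0" in
    */sudo_hist.sh|sudo_hist.sh)
        forward_to_syslog "${1:-/.sh_history}" "${2:-/var/adm/sudo_hist.offset}" ;;
esac
```

ksh88's .sh_history is not pure text (it carries a binary header and control bytes), so on HP-UX filter it through strings before counting lines. Since root can edit both the history and the offset file, the copy on the central syslog server is the record that matters.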
© Copyright 2024 Hewlett Packard Enterprise Development LP