System Administration

How can I get sudo to log the commands run by a sudoer?

newa
Frequent Advisor

How can I get sudo to log the commands run by a sudoer?

Hi

When people do "sudo -s" and then execute commands in that shell, sudo only generates the following logs in /var/adm/syslog/sudo.log.

Is there a way to let sudo log each command the sudoer enters in the shell?

Thanks in advance.

******************************************

Jan 25 14:09:27 : mmatus : TTY=pts/1 ; PWD=/home/mmatus ; USER=root ; COMMAND=/sbin/sh
Jan 28 09:23:55 : dliu : TTY=pts/0 ; PWD=/home/dliu ; USER=root ; COMMAND=/sbin/sh
Jan 28 11:32:03 : dliu : TTY=pts/1 ; PWD=/home/dliu ; USER=root ; COMMAND=/sbin/sh
2 REPLIES
Bill Hassell
Honored Contributor
Solution

Re: How can I get sudo to log the commands run by a sudoer?

> sudo -s

is a big problem. I would NEVER allow sudo -s or even sudo ksh. sudo is doing exactly what it was told: run a shell as root. Once the shell is running, the user can do anything, including removing the only record of the commands, the shell history file (.sh_history for ksh and POSIX sh).

Your sudoers file should explicitly deny shell access. Every command run by an ordinary user is a potential security risk and for that privilege, the user must document every step with a separate sudo command.

If you cannot control secure settings for sudo, then the only record of the user commands will be in the shell history file -- but without the user's login name. So every sudo -s by every user will all be mixed into the shell history.


Bill Hassell, sysadmin
Horia Chirculescu
Honored Contributor

Re: How can I get sudo to log the commands run by a sudoer?

Hello,

Using sudo -s is a bad idea.
You should selectively allow access only to the executables the end users would need to execute (with sudo path/executable).
Please read:

http://www.syslog.org/logged/program-to-manage-and-monitor-administrators/

In your case, only /sbin/sh would keep a record (in .sh_history) of what was run on this shell.

As the user became super-user, it is easy for him to override your security settings, but if you implement the following and check the logs on a regular basis, you should be able to track it down.

You could use some scripting to log the sh_history file changes in syslog (use the authpriv facility) and you could implement a centralized syslog server logging system in order to prevent your user (who would become root) from deleting the logs related to his actions without leaving a trace.

There are a lot of problems of course with this implementation (like multiple sudoers being logged in the same manner in the .sh_history file, which does not implement date/time stamps), and you should avoid using -s as I told you at the beginning of this post.


Best regards,
Horia.
Best regards from Romania,
Horia.
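The forwarding script Horia describes, written out as an added example for this thread (it is not code from either poster). It ships lines appended to a sudoer's .sh_history since the previous run to syslog on the authpriv facility via logger, and it treats a shrunken or missing history file as an event worth logging in its own right, since that is what a root user erasing the record looks like. The state directory /var/adm/histlog, the "histlog" tag and the HISTLOG_DRYRUN switch are assumptions of this example; running it every few minutes from root's crontab against each sudoer's home directory is the intended use. NUL bytes are stripped because ksh's .sh_history is not plain text, which is a simplification rather than a full history-file parser.

```shell
#!/bin/sh
# histlog.sh: forward new .sh_history lines of a sudoer to syslog (authpriv).
# Added example for this thread, not code from the posters. Assumed/hypothetical:
# the state directory, the "histlog" tag, the HISTLOG_DRYRUN switch and
# running the script from root's crontab, e.g.
#   */5 * * * * /usr/local/sbin/histlog.sh mmatus /home/mmatus/.sh_history

STATE_DIR="${HISTLOG_STATE_DIR:-/var/adm/histlog}"

# emit_line USER LINE: ship one record to syslog. With HISTLOG_DRYRUN=1 it
# prints to stdout instead, which lets the logic be exercised without syslogd.
emit_line() {
    if [ "${HISTLOG_DRYRUN:-0}" = 1 ]; then
        printf 'histlog: user=%s cmd=%s\n' "$1" "$2"
    else
        logger -p authpriv.notice -t histlog "user=$1 cmd=$2"
    fi
}

# forward_new_history USER HISTFILE
# Compares the history file with the line count recorded on the previous run
# and emits only the lines appended since. A missing file, or one with fewer
# lines than before (truncated history), is reported and the file is then
# re-read from the start. Returns 0 normally, 2 when the file shrank/vanished.
forward_new_history() {
    user=$1; hist=$2
    mkdir -p "$STATE_DIR"
    state="$STATE_DIR/$user.count"
    prev=0
    [ -f "$state" ] && prev=$(cat "$state")
    if [ ! -f "$hist" ]; then
        emit_line "$user" "[history file $hist missing]"
        echo 0 > "$state"
        return 2
    fi
    # ksh writes NUL separators into .sh_history; drop them before counting.
    cur=$(tr -d '\000' < "$hist" | wc -l | tr -d ' ')
    rc=0
    if [ "$cur" -lt "$prev" ]; then
        emit_line "$user" "[history shrank from $prev to $cur lines]"
        prev=0
        rc=2
    fi
    # tail -n +N prints from line N onward, so +$((prev+1)) is "new lines only".
    tr -d '\000' < "$hist" | tail -n +"$((prev + 1))" |
    while IFS= read -r line || [ -n "$line" ]; do
        emit_line "$user" "$line"
    done
    echo "$cur" > "$state"
    return $rc
}

# Command-line use: histlog.sh USER HISTFILE
if [ $# -eq 2 ]; then
    forward_new_history "$1" "$2"
fi
```

Because the shell started by sudo -s runs as root, nothing stops that user from stopping the cron job or editing the state file, so the records are only trustworthy once they have left the machine for the central syslog server Horia mentions; the authpriv facility is chosen so the remote syslog.conf can route them into the same restricted file as the sudo.log entries. Newer sudo releases (1.7.4 and later) also offer session recording in the sudoers policy itself with `Defaults log_input, log_output`, replayable with sudoreplay, which captures the whole sudo -s session rather than relying on the shell's history file.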