HPE Community
Operating System - HP-UX
1834508 Members
2212 Online
110068 Solutions
New Discussion

Auditing only when user does sudo su - or sudo su -o loginname

 
Jean-Marc Beaudoin_1
Advisor

‎09-27-2004 07:23 AM

‎09-27-2004 07:23 AM

Auditing only when user does sudo su - or sudo su -o loginname

Hi there,

We need to activate auditing on all our HP-UX 11i systems and wish to start auditing users onlyn when the isssue a sudo su - or sudo su - loginname.

Example:

me@hphost: sudo su - oracle

or

me@hphost: sudo su -

I want to log everything only from this point until the user does exit and goes back to his prompt.

Is that possible ? If so, how ?

Regards,



0 Kudos
Reply
8 REPLIES 8
Sridhar Bhaskarla
Honored Contributor

‎09-27-2004 07:29 AM

‎09-27-2004 07:29 AM

Re: Auditing only when user does sudo su - or sudo su -o loginname

Jean,

Auditing doesn't really provide much flexibility. You have to work around it to get what you wanted.

In this case what I would do is

1. Make 'oracle' account as su'able only.
2. Enable Auditing but audit only the user 'oracle'.

This way all the activity of oracle will be tracked. Even if you don't make it 'su'able only', auditing will be limited to only that user. If you want to grab the data only for the su'ed oracle sessions, then you can get the tty from /var/adm/sulog and filter out the entries corresponding to it using 'audisp -u oracle -l

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
Jean-Marc Beaudoin_1
Advisor

‎09-28-2004 12:02 AM

‎09-28-2004 12:02 AM

Re: Auditing only when user does sudo su - or sudo su -o loginname

Thank you for this information...

While thinking of this issue twice, I think I should focus on the su command which is the key.

What we need to do exactly is that any user are monitored in audit as soon as they do the su command.

su -
su - oracle
su - anyuser (because we have many application related loginname)

So the perfect solution would be that as soon as the su command is invoked, everything from this point is audited.

But I honestly doubt that this 'perfect' solution is feasible.

Is HP-UX auditing be tweaked to do this ? How ?

Do you know something (product) that would do this job ?

Regards,

0 Kudos
Reply
Muthukumar_5
Honored Contributor

‎09-28-2004 01:36 AM

‎09-28-2004 01:36 AM

Re: Auditing only when user does sudo su - or sudo su -o loginname

Hp-ux auditing by converting into trusted on is not efficient and will not give needful for this.

We can do this as,

1> move origianal su binary /usr/bin/su to /usr/bin/suorg ( Nobody has to know this here :-) or unknown name or super or stepuser )

2> make a script so that act as su binary and execute with renamed binary with this options there.

3> You can enable monitoring there with script commad as

.....
script -qa /tmp/logfile.$LOGNAME
/usr/bin/suorg $@ | sh
...

You can monitor everything here.

It will be halpful to log everything to monitoring effectively there.
Easy to suggest when don't know about the problem!
0 Kudos
Reply
Rick Garland
Honored Contributor

‎09-28-2004 02:24 AM

‎09-28-2004 02:24 AM

Re: Auditing only when user does sudo su - or sudo su -o loginname

This would be more of a 2 step process. 1st you would need to get the sudolog to see that the 'me' user did a sudo command. Once you have that you can go through the shell history of the user , in the above examples look through the oracle shell history and/or the sulog or root's history.

0 Kudos
Reply
Sridhar Bhaskarla
Honored Contributor

‎09-28-2004 08:26 AM

‎09-28-2004 08:26 AM

Re: Auditing only when user does sudo su - or sudo su -o loginname

Hi,

I am not positive about restricting Auditing to start only after 'su' command. You can control Auditing with two variables - events (and system calls) and users. I don't think you will get much combinations with them that are enough for what you want.

The best possible solution in my view is to enable auditing for only selective users. Let it record all the activity. You can always filter out what you want using 'audisp' command. Best bet is to use a combination of the 'user' and 'tty' options of 'audisp' after obtaining the information from sulog.

I worked on SeOS (Now eTrust access control) that can do miracles for you. Basically you put the 'script' statement in their 'readonly profile' (or in /etc/profile)) and redirect the output to a secured location. You can control access to any file using SeOS so that user will not be able to read/edit his/her profile as well the script output file through regular commands though he is the owner of the file. Or, modify /etc/profile (csh.login) to run 'script' only for the su'ing users. Review the 'script logs' periodically.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
0 Kudos
Reply
Jean-Marc Beaudoin_1
Advisor

‎09-29-2004 01:13 AM

‎09-29-2004 01:13 AM

Re: Auditing only when user does sudo su - or sudo su -o loginname

Good day,

I'm getting very close to the solution;

I wrote a small perl script that will call /usr/bin/su after doing a script command to log everything.

The line that initiate this is...

system("script -a $LOGFILENAME | /usr/bin/su $P0 $P1 | /usr/bin/ksh");
0 Kudos
Reply
Jean-Marc Beaudoin_1
Advisor

‎09-29-2004 01:18 AM

‎09-29-2004 01:18 AM

Re: Auditing only when user does sudo su - or sudo su -o loginname

Good day,

I'm getting very close to the solution;

I wrote a small perl script that will call /usr/bin/su after doing a script command to log everything.

The line that initiate this is...

system("script -a $LOGFILENAME | /usr/bin/su $P0 $P1");

where $P0 and $P1 are parameters that are passed by the user.

Example: newsu - oracle

$P0 = -
$P1 = oracle

It prompts for the password but.... freezes there...

Any hints ???

Regards,

0 Kudos
Reply
gerhard lausser
New Member

‎10-17-2004 10:09 AM

‎10-17-2004 10:09 AM

Re: Auditing only when user does sudo su - or sudo su -o loginname

Hi Jean-Marc,
have a look at http://sourceforge.net/projects/rootsh/
It is a wrapper for a shell which logs every input and output between the calling user's terminal and the shell into a logfile and optionally to a syslog server.
I wrote it, because we have some powerusers or project users who need sometimes root privileges if they install and maintain their software.
"sudo -s", which was formerly used, did not provide enough information about the users' actions.
Now they call "sudo rootsh" and we have a protocol of all their keystrokes on a separate syslogserver.
In your case, you could let users call rootsh as user oracle via a runas spec in /etc/sudoers
me hphost = (oracle) /bin/rootsh

then call "sudo -u oracle rootsh"

We use rootsh heavily at a bavarian car manufacturer, also with hp-ux. In the contrib/hpux directory i put info how to build a hp software package.
There is also a screenshot at http://freshmeat.net/projects/rootsh/
Please let me know if rootsh is of any
use for you.

Greetings from Munich,
Gerhard Lausser
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.