HPE Community
Operating System - HP-UX
1820477 Members
3077 Online
109624 Solutions
New Discussion юеВ

Sudo logs

 
SOLVED
Go to solution
MohitAnchlia
Frequent Advisor

тАО09-11-2006 12:41 PM

тАО09-11-2006 12:41 PM

Sudo logs

This is my situation:

1. User sudo su - abc
2. after login to abc he executes "rm *"
3. exit

I have entry in sudoers file that allow this user to run su, also defines the log file in /var/log/sudo.log. Now how do I get that this user also executed "rm *" in log file.
0 Kudos
Reply
9 REPLIES 9
Steven E. Protter
Exalted Contributor

тАО09-11-2006 12:48 PM

тАО09-11-2006 12:48 PM

Re: Sudo logs

Shalom,

You kind of don't get that in the log file without scripting it.

Your standard user environment should set HISTFILE variable so that keystrokes can be logged to a file. This output can be appended to the sudo logs. Also, you could use the tee command or echo commands to route specific output to the sudo logs.

The best way to go is to write a script that peforms these actions in a safe and controlled way. This very same script can be configured to update any log you'd like updated.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
spex
Honored Contributor

тАО09-11-2006 01:08 PM

тАО09-11-2006 01:08 PM

Solution

Re: Sudo logs

Hi,

1) Convert to a trusted system.

2) Run the 'script' command from the user's profile. You may also be able to use GNU Screen for this purpose.

3) Set $HISTFILE to a non-default value and hope the user isn't sophisticated enough to find/edit his history.

Also, don't forget to assign points to any responses that may have helped you. You are currently 0 for 9.

PCS
Reply
Bill Hassell
Honored Contributor

тАО09-11-2006 01:08 PM

тАО09-11-2006 01:08 PM

Re: Sudo logs

"sudo su - abc" is very poor design. sudo is very powerful but to allow su essentially destroys all your system security. su must be forbidden in the sudoers file. If a user wants to run a specific instruction, the sudoers file must allow it explicitly. The sudo log only logs the command on the sudo line. Now the user abc should have .sh_history available so you could look in that file for commands. But that should never be used as a security procedure.

Security must be inconvenient so you take away su from the sudo configuration. If a user wants to do something as a specific user, that task should be identified and scripted if necessary. And note that security doesn't just mean keeping out the bad guys -- it also means preventing mistakes. Your sudo file should have explicit commands and even specific parameters to commands. For example, do not give sudo users access to the mount and umount command when they want to use a CDROM. Instead, you specify the exact command such as: mount /cdrom


Bill Hassell, sysadmin
Reply
apple
Super Advisor

тАО12-16-2007 06:23 PM

тАО12-16-2007 06:23 PM

Re: Sudo logs

Dear HPUX Gurus,
The conversation is very interesting.
i tried to find the log inside, i can't find any sudo log inside the system?
our system is hpux 11.23i. this log is very important to track any sudo user that using the utilities right?
hope to hear from you
0 Kudos
Reply
Jeeshan
Honored Contributor

тАО12-16-2007 08:21 PM

тАО12-16-2007 08:21 PM

Re: Sudo logs

by default you can view the sudo logs from syslog.log file.
a warrior never quits
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО12-17-2007 01:26 PM

тАО12-17-2007 01:26 PM

Re: Sudo logs

almond08: ...where is sudo log ...

It would be better to start your own question about this. The answer is that sudo can be installed from many, many different locations and has a number of versions available. If you compiled sudo then there were many options available to configure sudo values indicating where the log is located. Also, you can set the log file location in the sudoers file. Run the command:

visudo

and see if the logfile= option has been set. As mentioned, the syslog file (/var/adm/syslog/syslog.log) file will have the details, but check /etc/syslog.conf for syslog options too.


Bill Hassell, sysadmin
0 Kudos
Reply
apple
Super Advisor

тАО12-17-2007 05:00 PM

тАО12-17-2007 05:00 PM

Re: Sudo logs

Thank you for the great explaination.
1. When I issue the #visudo
I can see there is a line like this:

Defaults log_year, logfile=/var/log/sudo.local.log

but when i go to /var, i can't get the log folder. do we have such hidden folder or what for this sudo security purpose?

2. i go to /etc/syslog.conf, the output are such:
# syslogd configuration file.

mail.debug /var/adm/syslog/mail.log
*.info;mail.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *

do we have to add in an entry for our sudo log?

3. I go to /var/adm/syslog/syslog.log
i can see the sudo entries there. what is the best way to go for sudo log? the syslog.log or sudo.log?
Looking forward for your awaiting reply. Thank you.
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО12-17-2007 06:25 PM

тАО12-17-2007 06:25 PM

Re: Sudo logs

> 1. When I issue the #visudo I can see there is a line like this:
>
>Defaults log_year,logfile=/var/log/sudo.local.log

The sudo log file is in the /var/log directory. However, if no one created the directory, then sudo logs just to syslog.

2...syslog.conf...

This is a standard syslog file. What you look for is a special file for authorizations, but none are present in this file.

3...sudo.log or syslog...

syslog is a very busy file so sorting out the sudo activities will require some work. I would change the sudoers file with visudo to read this way:

Defaults logfile=/var/adm/sudo.log

Most of the HP-UX logfiles are in /var/adm so this is a good place for the sudo log.


Bill Hassell, sysadmin
0 Kudos
Reply
melvyn burnard
Honored Contributor

тАО12-18-2007 12:21 AM

тАО12-18-2007 12:21 AM

Re: Sudo logs

almond08
PLEASE do not hijack other threads, open your own thread and refer to this thread.
My house is the bank's, my money the wife's, But my opinions belong to me, not HP!
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.