
sudo setup

I am looking to install sudo but cannot find any information about setting it up in the users' .profile file to automatically make sudo run for the user. I do not want to rely on users typing sudo before every command. I know nobody will do this. Any info?
Patrick Wallek
Honored Contributor

Re: sudo setup

>>automatically make sudo run for the user.

Not possible.

>>I do not want to rely on users typing sudo before every command. I know nobody will do this

If they want their commands to run properly they WILL do it.

The other option is to set up an alias for whatever command(s) the user will run.

alias ssu='/usr/local/bin/sudo su -'

Thus, when the user types 'ssu' at the prompt it would run the 'sudo su -' command for them.

This is about all you will be able to do. There is no way to tell the shell to prepend 'sudo' to every command typed. You really would not want to do that anyway.

Re: sudo setup

Hmm I see.

Well let me give you a little bit of background. There are only two users of our HP-UX servers. The two of us are both administrators and regularly use the root account. I cannot rely on the other admin to type sudo in order for it to log his actions.

SOX is making us give a paper trail as to which one of us is using the root account, when, and what we are doing while logged in as root. I believe sudo will give me the proper logging. I have also looked at Symark's Powerbroker. While extremely powerful, it is overkill. Any suggestions?
Autocross.US
Trusted Contributor
Solution

Re: sudo setup

You can do something like this with sudo:

- visudo

- create a user alias defining your root users:

User_Alias ROOT_USERS = user1, user2

- Define the su to root command:
ROOT_USERS ALL = NOPASSWD: /usr/bin/su [-]

Then in the .profile for each user, add:
sudo su -

This will su them to root upon login into their account using sudo.
I drive way too fast to worry about calories.
Patrick Wallek
Honored Contributor

Re: sudo setup

>>This will su them to root upon login into their account using sudo.

True, BUT it will NOT log any commands that are issued AFTER you become root.
Autocross.US
Trusted Contributor

Re: sudo setup

/home/root/.sh_history will show all commands executed by root. If you want to show the activities of each user, add something like this to the .profile of root:

HISTFILE=${HOME}/.sh_history_`who am i|awk '{ print $1}'`
date >>$HISTFILE
export HISTFILE
HISTSIZE=50000
export HISTSIZE

This will create a history file for each user that becomes root with the date.

Also, for the above sudo commands to work, each user needs to be in the SU_ROOT_GROUP defined in /etc/default/security, if they aren't already.
I drive way too fast to worry about calories.

Re: sudo setup

Thank you for your responses.

We had a miss on our SOX audit last year since only two of us log into the machines. We both tend to log in with the root account. We have since started logging in with our user accounts and su-ing to root as needed. But we still are lacking proof that only the two of us are using the root account.

Autocross.US
Trusted Contributor

Re: sudo setup

Proof can be found in /var/adm/sulog:

grep '[a-zA-Z0-9]-root' /var/adm/sulog
(shows everyone that became root)

Also, to show all sudo commands run as root:

grep "sudo.*USER=root" /var/adm/syslog/syslog.log

As long as these logs are archived for a long period, I would think that would be proof enough. It has been for our security audits.

Do the auditors have any recommendations for correcting the finding? I'd be interested to know what they are.
I drive way too fast to worry about calories.
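
The two greps above, extended into a check, as an added example that is not from any poster in this thread: it lists successful su-to-root entries made by anyone outside an allowed list, and counts accepted sudo-to-root commands per user while skipping denied attempts that the plain grep would also match. The sample log lines are constructed, user1/user2 are the placeholder names from the sudoers post, and the sulog and sudo line layouts are assumed to be the standard ones.

```shell
#!/bin/sh
# Added example: audit who became root, from sulog and sudo syslog lines.
# user1/user2 are the placeholder names from the sudoers post; data is constructed.

# Usage: unexpected_su_root "user1 user2" < /var/adm/sulog
# Prints "MM/DD HH:MM user" for each successful su to root by a user not listed.
# Assumed sulog layout: SU MM/DD HH:MM +|- tty fromuser-touser
unexpected_su_root() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "SU" && $4 == "+" && $6 ~ /-root$/ {
            from = $6; sub(/-root$/, "", from)   # strip only the trailing "-root"
            if (!(from in ok)) print $2, $3, from
        }'
}

# Usage: sudo_root_counts < /var/adm/syslog/syslog.log
# Prints "user count" for accepted sudo commands run as root.
# Assumed layout: ... sudo: user : TTY=.. ; PWD=.. ; USER=root ; COMMAND=..
# Denied attempts carry a reason ("user NOT in sudoers") before TTY=, so they are skipped.
sudo_root_counts() {
    awk '
        /USER=root/ {
            for (i = 1; i < NF - 2; i++)
                if ($i == "sudo:" && $(i + 3) ~ /^TTY=/) { n[$(i + 1)]++; break }
        }
        END { for (u in n) print u, n[u] }' | sort
}

sample_sulog() { cat <<'EOF'
SU 01/15 10:23 + ttyp1 user1-root
SU 01/15 11:02 - ttyp2 user3-root
SU 01/16 09:10 + ttyp1 user2-root
SU 01/16 14:45 + ttyp3 user3-root
EOF
}

sample_syslog() { cat <<'EOF'
Jan 15 10:24:01 host1 sudo:    user1 : TTY=ttyp1 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/bin/su -
Jan 16 09:10:12 host1 sudo:    user2 : TTY=ttyp1 ; PWD=/home/user2 ; USER=root ; COMMAND=/usr/bin/su -
Jan 16 09:40:30 host1 sudo:    user1 : TTY=ttyp4 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/bin/su -
Jan 16 14:44:50 host1 sudo:    user3 : user NOT in sudoers ; TTY=ttyp3 ; PWD=/home/user3 ; USER=root ; COMMAND=/usr/bin/su -
EOF
}

sample_sulog | unexpected_su_root "user1 user2"
sample_syslog | sudo_root_counts
```

Both files are writable by root on the host, so the result is only as trustworthy as the archived copy it is run against.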

Re: sudo setup

Thanks guys, with the combination of answers received I am able to get all the information I need in my development box. I will do a little more testing and will get this into production ASAP. Thank you for the responses.

Re: sudo setup

Combination of the history file, sudo setup and the sulog. Thank you