HPE Community
Operating System - HP-UX
1819805 Members
3010 Online
109607 Solutions
New Discussion юеВ

Track activity of sudo users

 
bharat satsangi
Frequent Advisor

тАО06-02-2011 08:39 AM

тАО06-02-2011 08:39 AM

Track activity of sudo users

Hi Champs,
There are lot of users in my system, they are not local users and does not exist in /etc/passwd. thay are vintella users and they have sudo rights. generally thay login with there id and become root by sudo su - root. now all the activity goes to root history file or in root environment so i m not able to trace which user has done what. need all your help to put a mechanism in place to track all these activity.

Thanks
0 Kudos
Reply
7 REPLIES 7
Steven E. Protter
Exalted Contributor

тАО06-02-2011 03:27 PM

тАО06-02-2011 03:27 PM

Re: Track activity of sudo users

Shalom,

sudo logs all transactions.

/var/adm/sulog

Pretty much all you have to do is log in and look at it. You might want to use a shell script to pretty up the results.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

тАО06-02-2011 04:12 PM

тАО06-02-2011 04:12 PM

Re: Track activity of sudo users

Hi:

By default, 'sudo' logs successful and unsuccessful activity in the 'syslog'. The '/var/adm/su' file applies to the 'su' command.

Regards!

...JRF...
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО06-02-2011 06:08 PM

тАО06-02-2011 06:08 PM

Re: Track activity of sudo users

> sudo su - root

This completely disables sudo logging capability. You need to disallow su for these users and tell them to use the command correctly:

sudo ioscan

In other words, they must type sudo for EVERY root command that they run. Once they start su - root, a new shell is started and sudo logs stop. This may irritate the users but root privilege is far to powerful to casually give to these non-sysadmins without restrictions. Personally, I would list only the root commands that are safe for these users and require them to call a trained sysadmin to run dangerous commands that affect disks and volume groups.


Bill Hassell, sysadmin
0 Kudos
Reply
bharat satsangi
Frequent Advisor

тАО06-03-2011 04:00 AM

тАО06-03-2011 04:00 AM

Re: Track activity of sudo users

I do agree, i can get /var/adm/su file and syslog files too. but these files will tell only the command which ran as sudo that means "sudo command" but if user becomes root by typing sudo su - root then sudo logs does not help. so i need to track these activity. i belive i can put some script some where, but dont know what script and where...?
Thanks again
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО06-03-2011 05:31 AM

тАО06-03-2011 05:31 AM

Re: Track activity of sudo users

> i belive i can put some script some where, but dont know what script and where...?

If you aren't going to disable su as an authorized command in sudo, then there's not much you can do. The decision to give non-sysadmins access to unrestricted sudo (and su) was misguided. If your systems are audited, they will fail due to unrestricted root access. Logging what the users did when they were root is too late. A single chmod -R or rm -rf * from an novice user can totally destroy the system. Good security has two purposes: Keep the bad guys out, and keep users from making very bad mistakes.


Bill Hassell, sysadmin
0 Kudos
Reply
Earl_Crowder
Trusted Contributor

тАО06-03-2011 05:43 AM

тАО06-03-2011 05:43 AM

Re: Track activity of sudo users

Hi,

I agree with Bill, full root access for the untrained admin is like giving everyone grenades and rocketlaunchers. Sooner or later, boom!

If they must have root access, first train them to use "sudo -i" instead of sudo su -. Same effect, they get a root shell. Also, using "sudo -i" will set an environment variable SUDO_USER that you can use in the root profile, perhaps like:

if [ -z "${SUDO_USER:-}" ] ; then
SUDO_USER=$(/usr/bin/logname)
fi
if [ -z "${SUDO_USER:-}" -o "${SUDO_USER:-}" = "root" ] ; then
export HISTFILE=~/.sh_history
else
export HISTFILE=/var/adm/histfile/history.${SUDO_USER}
fi
export HISTSIZE=10000
0 Kudos
Reply
bharat satsangi
Frequent Advisor

тАО06-06-2011 05:08 AM

тАО06-06-2011 05:08 AM

Re: Track activity of sudo users

I m not concern about user have the root access, and they can delete there logs.
i just want to trace there activity in a file like different file for different user.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.