[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: sudo logging

Mag Gam schrieb:
> We have many users at my university engineering lab. Some professors
> need commands for root and of other users, so we decided to setup sudo
> permissions. I was wondering if there is a way to log all commands
> when they sudo into an account or root account.
> I would like to even capture key strokes...

I only just read your posting so perhaps you already found what you're
looking for. But ...

We're doing somthing like this in /etc/sudoers:

Cmnd_Alias	SHELLS =	/bin/sh, \
				/bin/bash, \
				/bin/bash2, \
				/bin/ash, \
				/bin/ash.static, \
				/bin/bsh, \
				/bin/csh, \
				/bin/ksh, \
				/bin/tcsh, \
				/usr/bin/rsh, \
				/usr/local/bin/zsh, \
				/usr/bin/gnome-terminal, \

Cmnd_Alias	NOROOT =	!/bin/su -, \
				!/bin/su "", \
				!/bin/su - root, \
				!/bin/su root

Cmnd_Alias	SUDOSH =	/usr/bin/sudosh

Cmnd_Alias	BOOT =		/sbin/shutdown -h now, \
				/sbin/shutdown -r now

.. a lot of Cmnd_Alias definitions for different systems and services ..

# Defaults specification

# list of editors for use with sudoedit
Defaults editor=/bin/vi:/usr/bin/vim:/usr/bin/nedit:/usr/bin/nano:.....

Defaults        env_reset
Defaults	env_editor
Defaults	env_keep="PATH TERM DISPLAY EDITOR"
Defaults	env_check="PATH TERM DISPLAY EDITOR"


# Logging via syslog to a loghost and in case of violation mail to bofh
Defaults	syslog=local3, mailto="bofh@big.brother.com"


User_Alias	TRUSTED_USR =	<list of accounts or groups>

User_Alias	ALMOST_TRUSTED = <list of accounts or groups>

User_Alias	WATCH_ME =	<list of accounts or groups>




WATCH_ME     ALL = (root) /only/what/you/need/cmd, \
                          /and/little/more/cmd *


So you can define very detailed whom you trust. An what a user is
allowed to do. This covers almost all of our needs. But be aware that
sudo is very picky about paths, line ends, spaces after '\' at line ends
 and a lot more pitfalls.

But the most difficult part is to make the users understand, that they
DON'T want to be root. Because if they break things ....

If this is not enough for your environment, you will have to use sudosh.

It's a complete root-shell with a replay-log and timestamps and ...


We use it only for very special customers and I don't know how to
restrict sudosh...


Reply to: