Re: sudo logging
Mag Gam wrote:
> We have many users at my university engineering lab. Some professors
> need to run commands as root and as other users, so we decided to set up
> sudo permissions. I was wondering if there is a way to log all commands
> when they sudo into an account or the root account.
>
> I would like to even capture key strokes...
>
> TIA
I only just read your posting so perhaps you already found what you're
looking for. But ...
We're doing something like this in /etc/sudoers:
Cmnd_Alias SHELLS = /bin/sh, \
/bin/bash, \
/bin/bash2, \
/bin/ash, \
/bin/ash.static, \
/bin/bsh, \
/bin/csh, \
/bin/ksh, \
/bin/tcsh, \
/usr/bin/rsh, \
/usr/local/bin/zsh, \
/usr/bin/gnome-terminal, \
/usr/bin/xterm
Cmnd_Alias NOROOT = !/bin/su -, \
!/bin/su "", \
!/bin/su - root, \
!/bin/su root
Cmnd_Alias SUDOSH = /usr/bin/sudosh
Cmnd_Alias BOOT = /sbin/shutdown -h now, \
/sbin/shutdown -r now
.. a lot of Cmnd_Alias definitions for different systems and services ..
# Defaults specification
# list of editors for use with sudoedit
Defaults editor=/bin/vi:/usr/bin/vim:/usr/bin/nedit:/usr/bin/nano:.....
Defaults env_reset
Defaults env_editor
Defaults env_keep="PATH TERM DISPLAY EDITOR"
Defaults env_check="PATH TERM DISPLAY EDITOR"
.....
# Logging via syslog to a loghost and in case of violation mail to bofh
Defaults syslog=local3, mailto="bofh@big.brother.com"
....
User_Alias TRUSTED_USR = <list of accounts or groups>
User_Alias ALMOST_TRUSTED = <list of accounts or groups>
User_Alias WATCH_ME = <list of accounts or groups>
....
#
TRUSTED_USR ALL = NOPASSWD: ALL, !SHELLS, NOROOT
ALMOST_TRUSTED ALL = (root) SUDOSH
WATCH_ME ALL = (root) /only/what/you/need/cmd, \
/and/little/more/cmd *
....
So you can define in great detail whom you trust and what a user is
allowed to do. This covers almost all of our needs. But be aware that
sudo is very picky about paths, line ends, spaces after '\' at line ends
and a lot more pitfalls.
But the most difficult part is to make the users understand that they
DON'T want to be root. Because if they break things ....
If this is not enough for your environment, you will have to use sudosh.
It's a complete root-shell with a replay-log and timestamps and ...
http://sourceforge.net/projects/sudosh
http://en.wikipedia.org/wiki/Sudosh
We use it only for very special customers and I don't know how to
restrict sudosh...
Berthold
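Added example, not part of Berthold's post: the sudoers above sends every decision to syslog (Defaults syslog=local3), so the loghost is where the "log all commands" part of the question gets answered. The script below parses sudo's syslog records and flags the cases the policy cares about: denied attempts (the "command not allowed" / "incorrect password attempts" records that also trigger the mailto), an allowed shell from the SHELLS alias, and the four su-to-root spellings the NOROOT alias blocks. The record layout `user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...` is sudo's standard syslog format; the log lines, host name and user names are constructed for the example. Only the su spellings listed in NOROOT are recognised; `su -l root` or `su -s /bin/sh` would need more rules.

```python
"""Flag sudo syslog records that matter under a SHELLS / NOROOT style policy."""
import re
import shlex

# The SHELLS alias from the sudoers excerpt above.
SHELLS = frozenset({
    "/bin/sh", "/bin/bash", "/bin/bash2", "/bin/ash", "/bin/ash.static",
    "/bin/bsh", "/bin/csh", "/bin/ksh", "/bin/tcsh", "/usr/bin/rsh",
    "/usr/local/bin/zsh", "/usr/bin/gnome-terminal", "/usr/bin/xterm",
})

# sudo's syslog record: an accepted command has TTY= right after the user name,
# a rejected one carries a reason ("command not allowed", "3 incorrect password
# attempts", ...) before it. The optional [pid] covers loghosts that keep it.
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; "
    r"COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_line(line):
    """Return the fields of one sudo record, or None for any other syslog line
    (cron, pam_unix session messages, ...)."""
    m = SUDO_RE.search(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_su_to_root(argv):
    """True for exactly the su spellings the NOROOT alias lists:
    su, su -, su root, su - root."""
    if not argv or not argv[0].endswith("/su"):
        return False
    return argv[1:] in ([], ["-"], ["root"], ["-", "root"])


def classify(entry):
    """Map a parsed record to: denied, shell, su-root or ok."""
    if entry["reason"]:
        return "denied"
    try:
        argv = shlex.split(entry["cmd"])
    except ValueError:          # unbalanced quotes in COMMAND=; fall back
        argv = entry["cmd"].split()
    if argv and argv[0] in SHELLS:
        return "shell"
    if is_su_to_root(argv):
        return "su-root"
    return "ok"


def scan(lines):
    """Return (user, category, command) for every sudo record in lines."""
    results = []
    for line in lines:
        entry = parse_sudo_line(line)
        if entry:
            results.append((entry["user"], classify(entry), entry["cmd"]))
    return results


# Constructed sample log; the host, users and timestamps are made up.
SAMPLE_LOG = [
    "Jan  5 09:12:01 lab01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/shutdown -r now",
    "Jan  5 09:13:44 lab01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Jan  5 09:14:02 lab01 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/su - root",
    "Jan  5 09:15:10 lab01 sudo:     dave : 3 incorrect password attempts ; TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/ls",
    "Jan  5 09:16:30 lab01 sudo:     erin : TTY=pts/4 ; PWD=/tmp ; USER=root ; COMMAND=/bin/su -",
    "Jan  5 09:17:00 lab01 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for user, category, cmd in scan(SAMPLE_LOG):
        print(f"{category:8} {user:8} {cmd}")
```

Watching the "shell" and "su-root" categories on the loghost is worth more than the negations in the policy itself: sudoers(5) documents that subtracting commands from ALL with '!' is not a reliable restriction, because a user who may run ALL can copy a shell binary to another name and run that instead. The log still records the real command line, so the review step catches what the negation does not.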