
Re: sudo logging



Mag Gam schrieb:
> We have many users at my university engineering lab. Some professors
> need commands for root and of other users, so we decided to set up sudo
> permissions. I was wondering if there is a way to log all commands
> when they sudo into an account or root account.
> 
> I would like to even capture key strokes...
> 
> 
> TIA
> 
> 

I only just read your posting so perhaps you already found what you're
looking for. But ...


We're doing something like this in /etc/sudoers:


Cmnd_Alias	SHELLS =	/bin/sh, \
				/bin/bash, \
				/bin/bash2, \
				/bin/ash, \
				/bin/ash.static, \
				/bin/bsh, \
				/bin/csh, \
				/bin/ksh, \
				/bin/tcsh, \
				/usr/bin/rsh, \
				/usr/local/bin/zsh, \
				/usr/bin/gnome-terminal, \
				/usr/bin/xterm


Cmnd_Alias	NOROOT =	!/bin/su -, \
				!/bin/su "", \
				!/bin/su - root, \
				!/bin/su root

Cmnd_Alias	SUDOSH =	/usr/bin/sudosh


Cmnd_Alias	BOOT =		/sbin/shutdown -h now, \
				/sbin/shutdown -r now

.. a lot of Cmnd_Alias definitions for different systems and services ..


# Defaults specification

# list of editors for use with sudoedit
Defaults editor=/bin/vi:/usr/bin/vim:/usr/bin/nedit:/usr/bin/nano:.....

Defaults        env_reset
Defaults	env_editor
Defaults	env_keep="PATH TERM DISPLAY EDITOR"
Defaults	env_check="PATH TERM DISPLAY EDITOR"

.....


# Logging via syslog to a loghost and in case of violation mail to bofh
Defaults	syslog=local3, mailto="bofh@big.brother.com"

....



User_Alias	TRUSTED_USR =	<list of accounts or groups>

User_Alias	ALMOST_TRUSTED = <list of accounts or groups>

User_Alias	WATCH_ME =	<list of accounts or groups>

....

#
TRUSTED_USR  ALL = NOPASSWD:	ALL, !SHELLS, NOROOT

ALMOST_TRUSTED ALL = (root) SUDOSH

WATCH_ME     ALL = (root) /only/what/you/need/cmd, \
                          /and/little/more/cmd *


....



So you can define in great detail whom you trust and what a user is
allowed to do. This covers almost all of our needs. But be aware that
sudo is very picky about paths, line ends, spaces after '\' at line ends,
and a lot more pitfalls.

But the most difficult part is to make the users understand that they
DON'T want to be root. Because if they break things ....

If this is not enough for your environment, you will have to use sudosh.

It's a complete root-shell with a replay-log and timestamps and ...

http://sourceforge.net/projects/sudosh
http://en.wikipedia.org/wiki/Sudosh

We use it only for very special customers and I don't know how to
restrict sudosh...


Berthold
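Since the sudoers above sends every sudo decision to syslog (facility local3) and mails violations, the loghost ends up with lines like "user : TTY=... ; PWD=... ; USER=root ; COMMAND=..." and, on refusals, "user : command not allowed ; ...". The following is an added example, not part of Berthold's post or of the sudo project: a small parser that reads those syslog lines, tags the events an administrator would want to review (denied commands, password failures, shell escapes, su, sudosh sessions) and counts them. The SHELLS set mirrors the SHELLS alias in the post; the sample log lines are constructed to match sudo's syslog format and are not taken from the page.

```python
import re
from collections import Counter

# Shells listed in the post's SHELLS Cmnd_Alias; a TRUSTED_USR running one of
# these is the "sudo -s"-style escape the !SHELLS rule is meant to block.
SHELLS = {
    "/bin/sh", "/bin/bash", "/bin/bash2", "/bin/ash", "/bin/ash.static",
    "/bin/bsh", "/bin/csh", "/bin/ksh", "/bin/tcsh", "/usr/bin/rsh",
    "/usr/local/bin/zsh", "/usr/bin/gnome-terminal", "/usr/bin/xterm",
}

# Constructed sample lines (not real log data) in the format sudo writes to
# syslog: hostname, "sudo:", the invoking user, an optional reason, then the
# TTY/PWD/USER/COMMAND fields. The last line is a PAM session message that
# sudo also logs but that carries no COMMAND.
SAMPLE_LOG = """\
Mar  3 10:01:12 lab01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/shutdown -r now
Mar  3 10:02:45 lab01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:03:07 lab01 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/su - root
Mar  3 10:04:30 lab01 sudo:     dave : TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/sudosh
Mar  3 10:05:00 lab01 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Mar  3 10:05:10 lab01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
"""

# The optional "reason" field sits between the user and TTY=; the negative
# lookahead keeps the regex from mistaking the TTY field for a reason.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<reason>(?!TTY=)[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>[^;]+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_line(line):
    """Return a dict of the sudo fields, or None for lines without a COMMAND."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["cmd"] = ev["cmd"].strip()
    ev["reason"] = (ev["reason"] or "").strip() or None
    return ev


def classify(ev):
    """Tag an event with the review categories it falls into (may be empty)."""
    tags = []
    if ev["reason"] == "command not allowed":
        tags.append("denied")          # sudoers refused it (also mailed to bofh)
    elif ev["reason"] and "incorrect password" in ev["reason"]:
        tags.append("auth-failure")
    argv0 = ev["cmd"].split()[0]
    if argv0 in SHELLS:
        tags.append("shell")           # full shell as the target user
    if argv0 == "/bin/su":
        tags.append("su")              # what the NOROOT alias is there to stop
    if argv0 == "/usr/bin/sudosh":
        tags.append("sudosh")          # recorded session; replay log exists
    return tags


def triage(log_text):
    """Return (user, target, command, tags) for every event worth a look."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue                   # PAM session lines etc.
        tags = classify(ev)
        if tags:
            flagged.append((ev["user"], ev["target"], ev["cmd"], tags))
    return flagged


def summarize(flagged):
    """Count how often each tag occurred, for a quick daily overview."""
    counts = Counter()
    for _user, _target, _cmd, tags in flagged:
        counts.update(tags)
    return counts


if __name__ == "__main__":
    events = triage(SAMPLE_LOG)
    for user, target, cmd, tags in events:
        print(f"{user:>6} -> {target}: {cmd}  [{', '.join(tags)}]")
    print(dict(summarize(events)))
```

Run against the sample, alice's shutdown is ordinary and is not reported, while bob's bash, carol's refused su, dave's sudosh session and alice's password failures are. Feeding it the real local3 file on the loghost works the same way, since the regex only depends on the field layout sudo uses.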