The UNIX and Linux Forums  

  #1  
Old 11-07-2002
Registered User
 

Join Date: Nov 2002
Location: Montréal
Posts: 2
Logging all commands after a sudo su-

Hi there,

It might seem tricky, I confess.

We use sudo to allow people to initiate privileged commands (but not all commands) on our Unix systems.

To bypass this, some people initiate the sudo su - command;

The main issue is to 'know' what those people do when they gain root access.

Is there a way to have a log of all commands done by a user when they have gained root access? This way, we could at least know what they do.

Regards,
  #2  
Old 11-07-2002
Neo
Administrator
 

Join Date: Sep 2000
Location: Asia Pacific
Posts: 4,493
Logging commands is a part of many packages, including ACL extensions. Your question is too general because you did not specify the OS.

Also, try the logfile options available in the sudoers configuration file and see if there is anything there to help you.

If you restrict the sudo configuration to a bare minimum number of commands per user, you should be ok with standard sudoers logging.

Code:
man sudoers
In other words, you should not give sudoers permission to use vi.

This is discussed in the sudo man page:

Quote:
CAVEATS
There is no easy way to prevent a user from gaining a root shell if that user has access to commands allowing shell escapes.

If users have sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell regardless of any '!' elements in the user specification.

Running shell scripts via sudo can expose the same kernel bugs that make setuid shell scripts unsafe on some operating systems (if your OS supports the /dev/fd/ directory, setuid shell scripts are generally safe).
So... don't give users permissions to programs that allow shell escapes...... Heck, on our systems, no one is allowed to sudo... and if they were, they would be given very limited command privs.... (certainly not vi !)


... and not su
  #3  
Old 11-07-2002
Registered User
 

Join Date: Nov 2002
Location: The final frontier
Posts: 3
Re: Logging all commands after a sudo su-

Quote:
Originally posted by linuxmtl
To bypass this, some people initiate the sudo su - command;
If people can do that then why do they need sudo? I suggest you look at sudoers carefully and set it up correctly so that cannot happen.
__________________
Captain James T Kirk
USS Enterprise
  #4  
Old 11-11-2002
Registered User
 

Join Date: Nov 2002
Location: Montréal
Posts: 2

We use Solaris OS here.

Some of our sudoers have found that they can just enter:

sudo su -

So they become root.

What bothers us more is the fact that when they have done so there is no way we can trace back each command a user has done while they are root.

I am looking for a way to permit some users to become root (sudo su - or simply su) if we can trace what they do while they are root.

Is this possible?

Regards,
  #5  
Old 11-11-2002
Neo
Administrator
 

Join Date: Sep 2000
Location: Asia Pacific
Posts: 4,493
Yes, you need to configure the sudoers configuration file and restrict what users do and how they are logged.

You have NOT discovered a 'back door'; you have SIMPLY not configured sudo and sudoers properly (see post above).
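
One way to review a sudoers file for the problem discussed in this thread, as an added example that is not part of the original posts: it flags rules that grant ALL, a root shell such as su, or a program with a shell escape such as vi, and reports whether a logfile default is set. The name lists, the sample file and the simplified parsing (Cmnd_Alias defined before use, no escaped commas) are assumptions of this example.

```python
import os
import re

# Illustrative, non-exhaustive name lists (assumptions of this example).
ROOT_SHELL = {"su", "sh", "bash", "ksh", "csh", "tcsh", "zsh"}
SHELL_ESCAPE = {"vi", "vim", "ex", "ed", "less", "more"}

def classify(cmd, aliases):
    """Return (command, reason) pairs for one entry of a command list."""
    cmd = re.sub(r"^(?:[A-Z_]+:\s*)+", "", cmd.strip())  # drop NOPASSWD: etc.
    if not cmd or cmd.startswith("!"):
        return []  # a '!' exclusion grants nothing, so there is nothing to flag
    if cmd in aliases:
        return [hit for c in aliases[cmd] for hit in classify(c, aliases)]
    if cmd == "ALL":
        return [(cmd, "unrestricted")]
    name = os.path.basename(cmd.split()[0])
    why = "root shell" if name in ROOT_SHELL else "shell escape"
    return [(cmd, why)] if name in ROOT_SHELL | SHELL_ESCAPE else []

def audit_sudoers(text):
    """Return (findings, logfile_set); a finding is (user, command, reason)."""
    findings, aliases, logfile_set = [], {}, False
    for line in re.sub(r"\\\r?\n", " ", text).splitlines():  # join continuations
        line = line.strip()
        if line.startswith("Defaults"):
            logfile_set = logfile_set or "logfile=" in line.replace(" ", "")
        elif line.startswith("Cmnd_Alias"):  # assumed to be defined before use
            name, cmds = line.split(None, 1)[1].split("=", 1)
            aliases[name.strip()] = cmds.split(",")
        elif "=" in line and line[0] != "#" and "_Alias" not in line.split()[0]:
            user, spec = line.split()[0], line.split("=", 1)[1]
            spec = re.sub(r"\([^)]*\)", "", spec)  # drop (runas) lists
            for cmd in spec.split(","):
                findings += [(user, *hit) for hit in classify(cmd, aliases)]
    return findings, logfile_set

SAMPLE = r"""# constructed sample, not taken from the thread
Defaults logfile=/var/log/sudo.log
Cmnd_Alias EDITORS = /usr/bin/vi, /usr/bin/ed
alice  ALL = (root) /usr/sbin/reboot, \
             /usr/bin/su -
bob    ALL = NOPASSWD: EDITORS, /usr/bin/lp
carol  ALL = (ALL) ALL, !/usr/bin/su
dave   ALL = /usr/bin/lpstat
"""

for finding in audit_sudoers(SAMPLE)[0]:
    print(finding)
```

The carol rule is flagged even though it excludes su, which matches the man page caveat quoted above about '!' elements. An empty result only means none of the listed names appear; it does not show that the remaining commands lack shell escapes.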