Mag Gam wrote:
> We have many users at my university engineering lab. Some professors
> need commands for root and of other users, so we decided to set up sudo
> permissions. I was wondering if there is a way to log all commands
> when they sudo into an account or root account.
> 
> I would like to even capture key strokes...
> 
> 
> TIA
> 
> 

I only just read your posting so perhaps you already found what you're
looking for. But ...


We're doing something like this in /etc/sudoers:


Cmnd_Alias      SHELLS =        /bin/sh, \
                                /bin/bash, \
                                /bin/bash2, \
                                /bin/ash, \
                                /bin/ash.static, \
                                /bin/bsh, \
                                /bin/csh, \
                                /bin/ksh, \
                                /bin/tcsh, \
                                /usr/bin/rsh, \
                                /usr/local/bin/zsh, \
                                /usr/bin/gnome-terminal, \
                                /usr/bin/xterm


Cmnd_Alias      NOROOT =        !/bin/su -, \
                                !/bin/su "", \
                                !/bin/su - root, \
                                !/bin/su root

Cmnd_Alias      SUDOSH =        /usr/bin/sudosh


Cmnd_Alias      BOOT =          /sbin/shutdown -h now, \
                                /sbin/shutdown -r now

.. a lot of Cmnd_Alias definitions for different systems and services ..


# Defaults specification

# list of editors for use with sudoedit
Defaults editor=/bin/vi:/usr/bin/vim:/usr/bin/nedit:/usr/bin/nano:.....

Defaults        env_reset
Defaults        env_editor
Defaults        env_keep="PATH TERM DISPLAY EDITOR"
Defaults        env_check="PATH TERM DISPLAY EDITOR"

.....


# Logging via syslog to a loghost and in case of violation mail to bofh
Defaults        syslog=local3, mailto="b...@big.brother.com"

....



User_Alias      TRUSTED_USR =   <list of accounts or groups>

User_Alias      ALMOST_TRUSTED = <list of accounts or groups>

User_Alias      WATCH_ME =      <list of accounts or groups>

....

#
TRUSTED_USR  ALL = NOPASSWD:    ALL ,!SHELLS, NOROOT

ALMOST_TRUSTED ALL = (root) SUDOSH

WATCH_ME     ALL = (root) /only/what/you/need/cmd, \
                          /and/little/more/cmd *


....



So you can define in great detail whom you trust and what a user is
allowed to do. This covers almost all of our needs. But be aware that
sudo is very picky about paths, line ends, spaces after '\' at line ends
and a lot more pitfalls.

But the most difficult part is to make the users understand that they
DON'T want to be root. Because if they break things ....

If this is not enough for your environment, you will have to use sudosh.

It's a complete root-shell with a replay-log and timestamps and ...

http://sourceforge.net/projects/sudosh
http://en.wikipedia.org/wiki/Sudosh

We use it only for very special customers and I don't know how to
restrict sudosh...


Berthold






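An added example from the editor, not code from Berthold's post or from the sudo project, covering the two things the thread asks for: capturing what happens inside a sudo session, and actually reading the syslog output that `Defaults syslog=local3` produces. The first function writes a sudoers fragment that keeps the post's syslog facility and adds sudo's built-in session recording (`log_input`/`log_output`, available since sudo 1.7.4), which records keystrokes and terminal output without a separate sudosh. The second function classifies sudo syslog lines into allowed commands, allowed commands that still hand out a shell or su, and refused attempts. Assumptions: sudo's default syslog line format; the host name, user names, paths and the log lines themselves are constructed for the example and do not come from the original message.

```shell
#!/bin/sh
# Added example (the editor's, not from Berthold's post or the sudo project).
# Assumptions: sudo's default syslog line format; the sudoers paths, host
# names and user names below are hypothetical; the log lines are constructed.

# 1. sudoers fragment: keeps the post's syslog facility and adds sudo's own
#    session recording (log_input/log_output, sudo 1.7.4 or newer), which
#    covers the "capture keystrokes" request without a separate sudosh.
#    Written to a file so it can be syntax-checked with visudo -c before
#    it is dropped into /etc/sudoers.d/ (hypothetical destination).
write_sudoers_fragment() {
    out=${1:-${TMPDIR:-/tmp}/sudoers-logging.$$}
    cat > "$out" <<'EOF'
# Logging to syslog, as in the original configuration
Defaults        syslog=local3
# Plain-text copy on the host in case the loghost is unreachable
Defaults        logfile=/var/log/sudo.log
# Record keystrokes and terminal output of every sudo session.
# List sessions with:  sudoreplay -l      replay one with:  sudoreplay <id>
Defaults        log_input, log_output
Defaults        iolog_dir=/var/log/sudo-io
EOF
    # Check the syntax when visudo is available (informational only here)
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$out" >/dev/null 2>&1 || echo "visudo: problems in $out" >&2
    fi
    printf '%s\n' "$out"
}

# 2. Triage of the syslog side.  Reads sudo log lines on stdin and prints
#    one record per line:  CLASS user -> runas : command (reason)
#    DENIED = sudo refused (not in sudoers, command not allowed, bad password)
#    SHELL  = allowed, but the command is a shell or su (the SHELLS/NOROOT case)
#    OK     = allowed, ordinary command
audit_sudo_log() {
    awk '
    {
        # Skip everything up to "sudo: " or "sudo[pid]: "
        if (!match($0, /sudo(\[[0-9]+\])?:[ \t]+/)) next
        rest = substr($0, RSTART + RLENGTH)
        # The invoking user runs up to the first " : "
        j = index(rest, " : ")
        if (j == 0) next
        user = substr(rest, 1, j - 1)
        rest = substr(rest, j + 3)
        # Remaining fields are " ; " separated: TTY=, PWD=, USER=, COMMAND=,
        # plus a free-text reason when sudo refused the command
        n = split(rest, f, " ; ")
        reason = ""; runas = "?"; cmd = ""
        for (k = 1; k <= n; k++) {
            if (f[k] ~ /^USER=/)            runas = substr(f[k], 6)
            else if (f[k] ~ /^COMMAND=/)    cmd = substr(f[k], 9)
            else if (f[k] !~ /^(TTY|PWD)=/) reason = f[k]
        }
        # First word of the command without its directory, for the shell check
        split(cmd, w, " "); base = w[1]; sub(/.*\//, "", base)
        if (reason != "")
            class = "DENIED"
        else if (base ~ /^(sh|bash|bash2|ash|ash\.static|bsh|csh|ksh|tcsh|rsh|zsh|su|gnome-terminal|xterm)$/)
            class = "SHELL"
        else
            class = "OK"
        note = ""
        if (reason != "") note = " (" reason ")"
        printf "%-6s %s -> %s : %s%s\n", class, user, runas, cmd, note
    }'
}

# Constructed sample lines in sudo's syslog format (not real log data)
SAMPLE_LOG='Jan  5 10:00:01 lab01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /root
Jan  5 10:00:40 lab01 sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/su -
Jan  5 10:01:17 lab01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan  5 10:02:00 lab01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/su - root
Jan  5 10:03:09 lab01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/shutdown -h now'

# Usage: run the triage over the sample; on a real host feed it the
# local3 log from the loghost instead, e.g. audit_sudo_log < /var/log/sudo.log
printf '%s\n' "$SAMPLE_LOG" | audit_sudo_log
```

The SHELL class only matches su and the shells by name, which is also the limit of the post's `ALL, !SHELLS` rule: the sudoers manual itself warns that subtracting commands from ALL with `!` is not a real restriction, since a user who is allowed ALL can copy /bin/bash to another name and run that. Positive command lists (as for WATCH_ME) are the control; the I/O log from `log_input`/`log_output` is what tells you afterwards what was typed.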