Re: Track activity of sudo users (937 Views)
Frequent Advisor
bharat satsangi
Posts: 39
Registered: ‎04-16-2009
Message 1 of 8 (937 Views)

Track activity of sudo users

Hi Champs,
There are a lot of users on my system; they are not local users and do not exist in /etc/passwd. They are Vintela users and they have sudo rights. Generally they log in with their ID and become root by sudo su - root. Now all the activity goes to the root history file or into the root environment, so I am not able to trace which user has done what. I need all your help to put a mechanism in place to track all this activity.

Thanks
Exalted Contributor
Steven E. Protter
Posts: 33,806
Registered: ‎08-15-2002
Message 2 of 8 (937 Views)

Re: Track activity of sudo users

Shalom,

sudo logs all transactions.

/var/adm/sulog

Pretty much all you have to do is log in and look at it. You might want to use a shell script to pretty up the results.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Acclaimed Contributor
James R. Ferguson
Posts: 21,184
Registered: ‎07-06-2000
Message 3 of 8 (937 Views)

Re: Track activity of sudo users

Hi:

By default, 'sudo' logs successful and unsuccessful activity in the 'syslog'. The '/var/adm/su' file applies to the 'su' command.

Regards!

...JRF...
Honored Contributor
Bill Hassell
Posts: 14,205
Registered: ‎05-29-2000
Message 4 of 8 (937 Views)

Re: Track activity of sudo users

> sudo su - root

This completely disables sudo logging capability. You need to disallow su for these users and tell them to use the command correctly:

sudo ioscan

In other words, they must type sudo for EVERY root command that they run. Once they start su - root, a new shell is started and sudo logs stop. This may irritate the users but root privilege is far too powerful to casually give to these non-sysadmins without restrictions. Personally, I would list only the root commands that are safe for these users and require them to call a trained sysadmin to run dangerous commands that affect disks and volume groups.
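
Added example, not part of any post in this thread: a small filter that reads sudo's syslog entries and lists the ones where a user was handed a root shell (su or a shell run through sudo), which is the point where the per-command trail described above ends. It assumes sudo's default syslog line format; the function name shell_escalations is hypothetical and the log lines are constructed samples.

```shell
#!/bin/sh
# Added example: list sudo log entries that handed out a root shell.
# SAMPLE_LOG is constructed data in the default sudo syslog format.
SAMPLE_LOG='Apr 20 10:15:01 hpbox sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/ioscan -fn
Apr 20 10:16:40 hpbox sudo:     bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su - root
Apr 20 10:20:12 hpbox sudo:   carol : TTY=pts/3 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/sh
Apr 20 10:21:05 hpbox sudo:   alice : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Apr 20 10:25:33 hpbox sudo:     bob : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su -'

# shell_escalations: read syslog lines on stdin and print
# "user<TAB>timestamp<TAB>command" for each successful sudo run as root
# whose program is su or a shell (hypothetical helper name).
shell_escalations() {
    awk '
    /COMMAND=/ {
        # Accept both "sudo:" and "sudo[pid]:" tags
        if (!match($0, / sudo(\[[0-9]+\])?:[ \t]*/)) next
        rest = substr($0, RSTART + RLENGTH)
        # Denied or failed attempts never produced a shell
        if (rest ~ /incorrect password|NOT in sudoers|command not allowed/) next
        if (rest !~ /USER=root/) next
        sep = index(rest, " : ")
        if (sep == 0) next
        user = substr(rest, 1, sep - 1)
        cmd = substr(rest, index(rest, "COMMAND=") + 8)
        # Program name is the basename of the first word of COMMAND
        split(cmd, argv, " ")
        prog = argv[1]
        sub(/^.*\//, "", prog)
        if (prog ~ /^(su|sh|ksh|csh|tcsh|bash|zsh)$/)
            printf "%s\t%s %s %s\t%s\n", user, $1, $2, $3, cmd
    }'
}

# Demo on the constructed sample
printf '%s\n' "$SAMPLE_LOG" | shell_escalations
```

To use it on a live system, feed it the syslog file instead of the sample; on HP-UX that is normally /var/adm/syslog/syslog.log.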
Frequent Advisor
bharat satsangi
Posts: 39
Registered: ‎04-16-2009
Message 5 of 8 (937 Views)

Re: Track activity of sudo users

I do agree, I can get the /var/adm/su file and syslog files too. But these files will tell only the commands which ran as sudo, that means "sudo command", but if a user becomes root by typing sudo su - root then the sudo logs do not help. So I need to track this activity. I believe I can put some script somewhere, but I don't know what script and where...?
Thanks again
Honored Contributor
Bill Hassell
Posts: 14,205
Registered: ‎05-29-2000
Message 6 of 8 (937 Views)

Re: Track activity of sudo users

> I believe I can put some script somewhere, but I don't know what script and where...?

If you aren't going to disable su as an authorized command in sudo, then there's not much you can do. The decision to give non-sysadmins access to unrestricted sudo (and su) was misguided. If your systems are audited, they will fail due to unrestricted root access. Logging what the users did when they were root is too late. A single chmod -R or rm -rf * from a novice user can totally destroy the system. Good security has two purposes: Keep the bad guys out, and keep users from making very bad mistakes.
Trusted Contributor
Earl_Crowder
Posts: 76
Registered: ‎07-17-2001
Message 7 of 8 (937 Views)

Re: Track activity of sudo users

Hi,

I agree with Bill, full root access for the untrained admin is like giving everyone grenades and rocket launchers. Sooner or later, boom!

If they must have root access, first train them to use "sudo -i" instead of sudo su -. Same effect, they get a root shell. Also, using "sudo -i" will set an environment variable SUDO_USER that you can use in the root profile, perhaps like:

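# Fall back to the login name when sudo did not set SUDO_USER
if [ -z "${SUDO_USER:-}" ] ; then
    SUDO_USER=$(/usr/bin/logname)
fi
# Real root logins keep the default history; everyone else gets a per-user file
if [ -z "${SUDO_USER:-}" -o "${SUDO_USER:-}" = "root" ] ; then
    export HISTFILE=~/.sh_history
else
    export HISTFILE=/var/adm/histfile/history.${SUDO_USER}
fi
export HISTSIZE=10000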
Frequent Advisor
bharat satsangi
Posts: 39
Registered: ‎04-16-2009
Message 8 of 8 (937 Views)

Re: Track activity of sudo users

I am not concerned that users have root access and that they can delete their logs.
I just want to trace their activity in a file, like a different file for different users.