0

I would always like to use the sudo command when operating as our "serveruser" so that all my actions are recorded in the sudo log and I can reverse engineer it later. I however do not want to type sudo -u serveruser every time and would prefer not to create an alias. Is there a program or something where I can execute a shell such that every command I run is actually prefixed with sudo -u serveruser instead, so it feels like I am the user himself?

If so, I can set it up for all admins and they would not even really notice a difference and we get history logging for free with sudo logging.

EDIT: What I am looking for is these things

  1. very simple setup (our sudo is already setup except this sudo like shell that would be nice)
  2. logs timestamp
  3. logs user executing command (ie. possibly me, dean in this case)
  4. logs the user they executed the command as (ie. serveruser in this case)
  5. logs the actual command

sudo does 2-5 out of the box but I am trying to figure out #1 for users as we (people on this team) do not want to be typing sudo all the time :(.

EDIT: Maybe there is a way to suck in stdin and stdout in bash to write a script so one could call sudoshell -u username and any commands I type in on stdin except "exit" are then run with sudo -u username. Is there a way to have a script like this instead that all our admins can run? And then, when someone runs sudo su -, I can log a message to run that shell instead as follows....that would work very well. Any idea how to do that?

thanks, Dean

Dean Hiller
  • 911
  • 4
  • 15
  • 35
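The wrapper sketched in the second EDIT, written out as a working POSIX shell script. This is an added example, not code from the question or either answer: the script name sudoshell, the SUDOSHELL_RUNNER hook and the prompt format are assumptions, and it relies on a sudoers rule that lets the admin run /bin/sh as the target user. Each line typed is handed to sudo as a single `sh -c` string, so sudo's log records the admin, the target user, the timestamp and the full command text for every line.

```shell
#!/bin/sh
# sudoshell: a thin wrapper that runs every line read from stdin as
#   sudo -u <target user> -- sh -c '<line>'
# so that sudo's own log keeps the timestamp, the invoking admin, the
# target user and the full command text. Added example, not from the
# original question; it assumes a sudoers rule that lets the admin run
# /bin/sh as the target user.

# Program used to run each line. Defaults to sudo; a dry run or a test can
# point it at something else (constructed hook, not a sudo option).
: "${SUDOSHELL_RUNNER:=sudo}"

# sudoshell_run USER LINE
# Runs one line as USER through sudo; returns the command's exit status.
sudoshell_run() {
    _user=$1
    _line=$2
    # '--' ends sudo's own options; 'sh -c' lets the admin use pipes and
    # redirections while the entire string still shows up in sudo's log.
    "$SUDOSHELL_RUNNER" -u "$_user" -- sh -c "$_line"
}

# sudoshell_loop USER
# Reads lines from stdin until EOF or a line starting with 'exit'. Blank
# lines and comments are skipped; everything else goes through sudoshell_run.
sudoshell_loop() {
    _user=$1
    while :; do
        # Prompt only when attached to a terminal; it goes to stderr so it
        # never mixes with command output on stdout.
        [ -t 0 ] && printf '%s@%s> ' "$(id -un)" "$_user" >&2
        IFS= read -r _cmd || break
        case $_cmd in
            ''|'#'*)       continue ;;
            exit|'exit '*) break ;;
        esac
        sudoshell_run "$_user" "$_cmd"
    done
}

# Usage: sudoshell -u serveruser
if [ "${1:-}" = -u ] && [ -n "${2:-}" ]; then
    sudoshell_loop "$2"
fi
```

What sudo logs for each line is `sh -c <line>`, which satisfies points 2-5 of the list above. The gap to keep in mind is the one the comments below raise: if the sudoers rule allows any command as serveruser, an admin can still type `bash` at this prompt and get an unlogged shell, so the rule should allow only /bin/sh for this wrapper, or one of the auditing shells from the answers should be used instead.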

2 Answers

3

What you are looking for is an audit trail. Sudo would provide it (with limitations), but there are other ways to accomplish it.

If you just need recorded what has been typed into the shell and do not feel like installing additional software packages, bash 4 can be configured for logging the history through syslog.

You also could choose from the available lot of audit packages. A quick & simple solution could be the Snoopy logger.

the-wabbit
  • 40,737
  • 13
  • 111
  • 174
  • I am not sure either does what I desire. If someone sudo su - serveruser, all commands are then logged as serveruser and I can't tell if it was joe or tom that ran those commands anymore. sudo keeps all that information of who ran what, what user they ran the command as and the command itself and the timestamp. – Dean Hiller Dec 21 '12 at 14:29
  • @DeanHiller feel free to evaluate any alternatives. `psacct` for example is more sophisticated and comes with a number of utilities helping you to evaluate the logs. Or a shell wrapper like "rootsh" which is rather configurable in terms of what it can log where. I might be wrong, but it seems like what you are really asking is accounting within a role-based access control environment. This would be something like SELinux with Auditing for execve-syscalls enabled. – the-wabbit Dec 21 '12 at 15:29
  • hmmmmm, rootsh may be what I want and I can try doing sudo -u user rootsh as well...thanks. – Dean Hiller Dec 21 '12 at 18:37
  • Would bash 4 continue to send through syslog if I ran `/bin/sh`? When a cracker obtains a compromised account, they often run `/bin/sh` first thing. – Stefan Lasiewski Dec 22 '12 at 19:09
  • @StefanLasiewski No, the bash logging is limited to bash. Running a subshell would break it, so the logging would depend on the admins being non-malicious. This is where the audit packages show a different approach - they usually intercept execve syscalls (this is what ends up being called to spawn any new process) and thus can log their parameters regardless of what the caller is doing. Another approach, such as sudosh, which was suggested in your answer and which just records everything that has been provided as the input to the terminal, would have its own set of advantages and disadvantages. – the-wabbit Dec 23 '12 at 08:06
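The bash-to-syslog logging the answer mentions, shown as a per-command hook. This is an added example, not the answer's own configuration and not bash's compile-time SYSLOG_HISTORY feature: it uses PROMPT_COMMAND plus the logger(1) utility, assumes HISTTIMEFORMAT is unset, and the audit_* names and the `bash-audit` syslog tag are assumptions. Because sudo exports SUDO_USER, a session started with `sudo -u serveruser -i` still logs the real admin's name alongside the effective user, which is exactly the attribution lost with `sudo su - serveruser`.

```shell
# Send each interactive bash command to syslog via logger(1). Added example,
# not from the answer; drop it into /etc/bash.bashrc (or a profile.d file)
# to cover all admins. Assumes bash and a logger(1) that accepts -p and -t.

# audit_format WHO AS_USER CWD CMD
# Builds the one-line record that goes to syslog.
audit_format() {
    printf 'user=%s as=%s pwd=%s cmd=%s' "$1" "$2" "$3" "$4"
}

# audit_last_command
# Run from PROMPT_COMMAND, i.e. just before each new prompt. Takes the most
# recent history entry and logs it once, tagged with the admin who started
# the session (SUDO_USER, set by sudo) and the effective user.
audit_last_command() {
    # 'history 1' prints "  123  cmd"; strip the number (assumes HISTTIMEFORMAT unset)
    _last=$(history 1 | sed 's/^ *[0-9][0-9]* *//')
    [ -n "$_last" ] || return 0
    [ "$_last" = "${_audit_prev:-}" ] && return 0   # prompt redrawn, nothing new
    _audit_prev=$_last
    logger -p authpriv.info -t bash-audit -- \
        "$(audit_format "${SUDO_USER:-$(id -un)}" "$(id -un)" "$PWD" "$_last")"
}

# Only hook interactive shells; scripts sourcing this file stay untouched.
case $- in
    *i*) PROMPT_COMMAND=audit_last_command ;;
esac
```

The resulting syslog line reads like `bash-audit: user=dean as=serveruser pwd=/srv/app cmd=ls -l`, which covers points 2-5 of the question. As the comment above notes, it only sees what bash itself runs: `/bin/sh`, `bash --norc` or a command executed from an editor leaves no trace, which is the reason the execve-level tools (auditd, Snoopy, psacct) are the stronger choice when the admins are not fully trusted.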
2

I would always like to use the sudo command when operating as our "serveruser" so that all my actions are recorded in the sudo log and I can reverse engineer it later.

It sounds like you want to log all sudo commands, so that you can audit it later.

You should take a look at sudosh2. Here is the description:

sudosh is an auditing shell filter and can be used as a login shell. Sudosh records all keystrokes and output and can play back the session just like a VCR.

For example: User joe logs into the system, and types sudo sudosh and is granted superuser privileges. After this point, all input & output is logged. Logs go to a file, or are sent via syslog to your central syslog server (where they cannot be erased). You can replay the logs and see exactly what people typed (You can even see typos, backspaces, etc.) and the output.

It may not fit the need for all of your requirements, but it sounds like you are open to similar options.

For more detail, please see my other answer to Log every command executed from root.

Stefan Lasiewski
  • 23,667
  • 41
  • 132
  • 186
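A sudoers rule that makes sudosh the only way admins can become serveruser, so the recorded session cannot be bypassed with `sudo -u serveruser bash`. This is an added example, not from the answer or the sudosh project: the group name `admins`, the target user `serveruser`, the path /usr/bin/sudosh and the drop-in location /etc/sudoers.d/sudosh are assumptions, and the drop-in directory needs the usual `#includedir /etc/sudoers.d` line in /etc/sudoers.

```shell
# Restrict admins to the auditing shell when becoming serveruser. Added
# example, not from the answer; group, user, shell path and destination
# are all assumptions passed in as parameters.

# sudosh_rule GROUP USER SHELL_PATH
# Prints the sudoers rule: members of GROUP may run only SHELL_PATH as USER,
# so 'sudo -u serveruser sudosh' works but 'sudo -u serveruser bash' is refused.
sudosh_rule() {
    printf '%%%s ALL=(%s) %s\n' "$1" "$2" "$3"
}

# sudosh_install GROUP USER SHELL_PATH DEST
# Writes the rule to a temp file, validates it with 'visudo -c', and only
# then installs it with the 0440 mode sudo expects; a syntax error in a
# drop-in would otherwise lock everyone out of sudo.
sudosh_install() {
    _tmp=$(mktemp) || return 1
    sudosh_rule "$1" "$2" "$3" > "$_tmp"
    if visudo -cf "$_tmp"; then
        install -m 0440 "$_tmp" "$4" && rm -f "$_tmp"
    else
        rm -f "$_tmp"
        return 1
    fi
}

# Usage (as root):
#   sudosh_install admins serveruser /usr/bin/sudosh /etc/sudoers.d/sudosh
```

With this in place, `sudo -u serveruser sudosh` is logged by sudo (who, as whom, when) and everything typed afterwards is captured by sudosh for replay, which together covers all five points in the question. The same rule shape works for rootsh from the comments on the other answer by changing the shell path.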