LinuxQuestions.org
Old 08-19-2009, 02:44 AM   #1
m1n
Member
 
sudosh not logging to syslog :((


Hi friends. Need help. I am using the sudosh utility to log sudo commands. The problem I am facing right now is this: I can't see any syslog messages, just the sudosh log file. What am I doing wrong?

syslog.conf:

*.* /var/log/meassages

sudosh.conf

# Sudosh Configuration File
logdir = /var/log/sudosh
default shell = /bin/sh
delimiter = -
syslog.priority = LOG_ALERT
syslog.facility = LOG_LOCAL2

# Allow Sudosh to execute -c arguments? If so, what?
-c arg allow = scp
-c arg allow = rsync


So I see everything in /var/log/sudosh, but nothing in /var/log/meassages. Syslogd is running and logs all other activity.
 
Old 08-19-2009, 03:27 AM   #2
unSpawn
Moderator
 
Did you configure the LOCAL2 slot in /etc/syslog.conf?
 
Old 08-19-2009, 04:13 AM   #3
m1n
Member
 
Quote: Originally Posted by unSpawn
Did you configure the LOCAL2 slot in /etc/syslog.conf?
How should I configure it? I think that *.* catches all messages, doesn't it?
 
Old 08-19-2009, 04:24 AM   #4
unSpawn
Moderator
 
Sure but maybe try something like "local2.* -/var/log/sudosh/sudosh.log" (respecting tabs/spaces) while you're testing?
Also note Sudosh doesn't seem to be as maintained as Rootsh is.
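One way to check the syslog.conf side of this (does any rule actually catch sudosh's local2.alert messages, and does a later "none" clause silently drop them?), as an added example that is not from this thread or from sudosh itself. The function names and the third, "local2.none" sample line are my own construction; the first two lines are the poster's *.* rule and the local2 rule suggested above.

```python
import re

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
sev = SEVERITY.index  # 0 (emerg) is the most severe, 7 (debug) the least

def selector_matches(selector, facility, priority):
    """Classic syslog.conf selector such as '*.info;mail.none;local2.none':
    'fac.pri' = pri and more severe, '=pri' = exactly pri, '!pri' = drop pri
    and more severe, 'none' = drop the facility; later items override."""
    matched = False
    for item in filter(None, selector.split(";")):
        facs, _, pri = item.rpartition(".")
        if "*" not in facs and facility not in facs.split(","):
            continue  # this item does not cover our facility
        if pri == "none":
            matched = False
        elif pri == "*":
            matched = True
        elif pri.startswith("!"):
            matched = matched and sev(priority) > sev(pri[1:])
        elif pri.startswith("="):
            matched = sev(priority) == sev(pri[1:])
        else:
            matched = sev(priority) <= sev(pri)
    return matched

def routes_for(syslog_conf, facility, priority):
    """[(selector, action)] for every rule that receives the message.
    A leading '-' on a file action only disables fsync after each write."""
    hits = []
    for line in syslog_conf.splitlines():
        parts = line.strip().split(None, 1)  # selector, action
        if (len(parts) == 2 and not parts[0].startswith("#")
                and selector_matches(parts[0], facility, priority)):
            hits.append((parts[0], parts[1]))
    return hits

def sudosh_target(sudosh_conf):
    """Map sudosh.conf's LOG_LOCAL2 / LOG_ALERT to syslog.conf's local2 / alert."""
    found = {}
    for m in re.finditer(r"^\s*syslog\.(facility|priority)\s*=\s*LOG_(\w+)",
                         sudosh_conf, re.M):
        found[m.group(1)] = m.group(2).lower()
    return found.get("facility"), found.get("priority")

# Constructed inputs: the thread's sudosh.conf keys, the poster's '*.*' rule,
# the suggested local2 rule, and a hypothetical line that drops local2 via 'none'.
SUDOSH_CONF = "syslog.priority = LOG_ALERT\nsyslog.facility = LOG_LOCAL2\n"
SYSLOG_CONF = ("*.*\t/var/log/meassages\n" "local2.*\t-/var/log/sudosh/sudosh.log\n"
               "*.info;mail.none;local2.none\t/var/log/messages\n")
```

Feed it the real /etc/syslog.conf and sudosh.conf contents; an empty result from routes_for means syslogd is discarding the messages, while a non-empty result points the search at file permissions or the daemon itself.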
 
Old 08-19-2009, 05:00 AM   #5
m1n
Member
 
Quote: Originally Posted by unSpawn
Sure but maybe try something like "local2.* -/var/log/sudosh/sudosh.log" (respecting tabs/spaces) while you're testing?
Also note Sudosh doesn't seem to be as maintained as Rootsh is.
Thanks. But I am getting just this in sudosh.log:

Quote:
Aug 19 12:57:00 pornoserver sudosh: stopping session for milf_hunter as root
Aug 19 12:57:02 pornoserver sudosh: starting session for milf_hunter as root,/dev/pts/0 (/bin/bash)
There are no commands logged. I ran cat /etc/passwd, for example.
 
Old 08-19-2009, 05:34 AM   #6
unSpawn
Moderator
 
Can you confirm there are no other logs or session files in the /var/log/sudosh/ dir? Would you be willing to try 'rootsh'?
 
Old 08-19-2009, 05:40 AM   #7
m1n
Member
 
Quote: Originally Posted by unSpawn
Can you confirm there are no other logs or session files in the /var/log/sudosh/ dir? Would you be willing to try 'rootsh'?
I confirm. I am just alone here. And I have to use sudosh (the IT auditors want only sudosh). Can't you tell me how to troubleshoot sudosh logging to syslog?
 
Old 08-19-2009, 05:56 AM   #8
unSpawn
Moderator
 
Quote: Originally Posted by m1n
I am just alone here.
No, I mean that a|each|any session will or could result in a separate session file. At least that's how it works with rootsh.


Quote: Originally Posted by m1n
I have to use sudosh (the IT auditors want only sudosh).
You mean that those knowledgeable people told you that it is preferable to use slightly deprecated software over slightly more maintained software? Odd. BTW, is this part of specific auditing (say PCI-DSS?) or any other official standard?


Quote: Originally Posted by m1n
Can't you tell how to troubleshoot sudosh logging to syslog?
I probably can, but that would require me to install sudosh. Meanwhile, please post which version you use, what the configuration file looks like (please attach or use BB code tags), what your syslog.conf looks like and whether you have ensured that you have respected tab or space usage, the permissions on the sudosh binary and the /var/log/sudosh/ dir, and any details like whether you run this in (any kind of) virtualization, shared hosting, and other relevant details you think could help us speed up reproducing your problem.
 
Old 08-19-2009, 11:29 AM   #9
unSpawn
Moderator
 
I installed Sudosh and the first thing that's wrong is that 'sudo sudosh -i', even when issued as the root account user, doesn't create the logdir as advertised. If the product were used and was maintained that probably would have been fixed years ago. I created it with octal mode 1770 for root and a non-root user group. Running 'sudosh' as unprivileged then resulted in creation of three files per session in logdir (w/o syslog usage): input, script and time. Adding Sudosh as a Cmnd_Alias to /etc/sudoers, changing logdir ownership back to 0:0 and changing the access mode to octal 0300 proves to be enough for logging any unprivileged-user-to-root transitioning sessions.
 
  

