LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-16-2006, 07:33 AM   #1
dussel
Member
Registered: Dec 2004
Distribution: SuSE 9.X, SuSE 10, SLES 9, RedHat, Fedora, Gentoo, Solaris, and more
Posts: 50
How to log every command in a root shell started by sudo


Hello all,

Does anyone know how I can log the commands used in a root shell?

Okay, I will be more precise. I have installed sudo, and no one can do a su or su - to root from a user admin account; all root access has to go through sudo. sudo logs what you do in /var/log/secure, but when you for example run sudo /bin/bash, the secure log only says that the user has started bash, not which commands were used in that shell.
Help getting all commands used in the bash shell logged would be appreciated!

Thanks in advance!

Cheers

Jesper

Old 02-16-2006, 08:12 AM   #2
jschiwal
Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
I think that you want to write your sudoers file so that users of sudo can't run /bin/bash or commands that contain shell escapes.

Old 02-16-2006, 08:29 AM   #3
dussel
Original Poster
No, they are allowed to do that, even though I would prefer such a solution.

So, what I want is to be able to log everything the admins do when they have run sudo /bin/bash or another shell. I want to be able to see which commands were used and which of the admin accounts (or TTYs) ran the specific commands in their "sudo /bin/bash" shell.

Cheers

Jesper

Old 02-16-2006, 08:38 AM   #4
jschiwal
An entry in sudoers like this would allow an admin to run any command but a shell. I don't think that you can have logging otherwise.

Code:
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/ksh, /bin/csh
%group2 station1 = ALL, !SHELLS

Old 02-16-2006, 09:46 AM   #5
nx5000
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
It's not a complete solution and you might find it awful, but you could trick sudo into calling /usr/bin/script -c /bin/bash /var/log/sudobash."$(date).$$"

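The wrapper idea from post #5, worked out as an added example (this is not code from the thread, from sudo or from rootsh): a small script that sudoers permits in place of /bin/bash, so that every root shell an admin opens is recorded with script(1) and the file name states who opened it, on which tty and when. The script name sudoshell, the log directory /var/log/sudoshell, the group %admins and the sudoers lines in the header comment are all assumptions.

```shell
#!/bin/sh
# sudoshell: run by admins as "sudo sudoshell" instead of "sudo bash"; it
# records the whole terminal session with script(1). Added example, not
# code from the thread, from sudo or from rootsh. The script name, the log
# directory and the sudoers fragment below are assumptions.
#
# Assumed sudoers fragment (edit with visudo):
#   Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/ksh, /bin/csh
#   %admins ALL = (root) /usr/local/sbin/sudoshell, !SHELLS
#
# The log directory is fixed on purpose: sudo resets the environment, and a
# caller-controlled path would let the admin choose where the record goes.
LOGDIR=/var/log/sudoshell

# Reduce a tty name such as /dev/pts/0 (or "not a tty") to a safe file-name
# part, so the log name cannot contain a directory separator or a space.
safe_tag() {
    printf '%s' "$1" | sed -e 's,^/dev/,,' -e 's,[^A-Za-z0-9._-],-,g'
}

# Build the log path from the invoking user, tty, timestamp and pid, so the
# file name itself answers "which admin, on which terminal, when".
sudoshell_logpath() {
    # $1 invoking user, $2 tty, $3 timestamp, $4 pid
    printf '%s/%s.%s.%s.%s.log' "$LOGDIR" "$(safe_tag "$1")" "$(safe_tag "$2")" "$3" "$4"
}

main() {
    # sudo sets SUDO_USER to the real account; refuse any other way of
    # starting, so a session is never logged as plain "root".
    [ -n "$SUDO_USER" ] || { echo 'sudoshell: must be started via sudo' >&2; exit 1; }
    tty=$(tty 2>/dev/null) || tty=notty
    stamp=$(date +%Y%m%d-%H%M%S)
    log=$(sudoshell_logpath "$SUDO_USER" "$tty" "$stamp" "$$")
    mkdir -p "$LOGDIR" && chmod 0700 "$LOGDIR"
    # -q: no banner; -f: flush after every write so the record survives a
    # killed session; -a: append, never truncate an existing file.
    exec /usr/bin/script -q -f -a -c /bin/bash "$log"
}

# Only act when installed and invoked as sudoshell; sourcing the file (for
# instance to test the helpers) defines the functions without starting a shell.
case "$0" in
    */sudoshell) main "$@" ;;
esac
```

Two caveats, both from the sudoers manual and from the thread itself: the !SHELLS negation only blocks the listed paths, so an admin who can copy bash somewhere else, or run an editor with a shell escape, still gets an unrecorded root shell; and the log sits on a host where the recorded session has root, so it needs to be shipped off-box (unSpawn's remote syslog point) to be worth anything as evidence. sudo 1.7.4 and later also has built-in session recording (Defaults log_output, replayed with sudoreplay), which makes a wrapper like this unnecessary on current systems.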

Old 02-16-2006, 10:04 AM   #6
unSpawn
Moderator
Registered: May 2001
Posts: 27,172
Have a look at rootsh. Alternatively you could patch Bash with extended logging, but rootsh should do in most cases.

Old 02-16-2006, 10:52 AM   #7
dussel
Original Poster
Thanks unSpawn and nx5000 for the great help and your solutions to my problem.
The rootsh program looks really nice, and from checking the info on the net it looks like the best way in the end.
I will also test the script alternative.

cheers

Old 02-17-2006, 04:33 AM   #8
dussel
Original Poster
Rootsh is really nice, but I can't figure out how to have it by default when someone sudos a shell.

What I mean is, when an admin user does "sudo bash", then rootsh should start and log everything.

Cheers

Dussel

Old 02-17-2006, 08:25 AM   #9
dussel
Original Poster
Okay, I found a solution to my problem of always running rootsh, and hopefully it is not possible to get around it and get root access without logging. It is maybe not the nicest solution, but it works for our purposes.

What I did was to add rootsh to /etc/shells and then change the default shell in passwd for all users to rootsh instead of bash.

The good thing with this solution is that the logging starts the second an intruder gets in on the server.

Now I only need to make sure that we are allowed by law to monitor these user accounts.

Old 02-17-2006, 09:06 AM   #10
nx5000
Quote:
Originally Posted by dussel
Now I only need to make sure that we are allowed by law to monitor these user accounts.
This may only help in case of prosecuting someone, but don't take my answer as definitive; I'm not an expert in laws.


Quote:
***************************************************************************
NOTICE TO USERS


This computer system is the private property of dussel, whether
individual, corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.

Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.

By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials. Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.

****************************************************************************
It's taken from Bastille Linux, very good software also.

Old 02-20-2006, 03:21 PM   #11
bigrigdriver
LQ Addict
Registered: Jul 2002
Location: East Central Illinois, USA
Distribution: Debian Squeeze
Posts: 5,768
In SuSE, every user (including root) has a hidden file in the user's (root's) home directory called .bash_history. It records shell commands, to the limit specified in your system setup.

You should be able to set up a cron job to copy those histories at intervals to a secure location of your choosing.

Old 02-21-2006, 01:58 AM   #12
nx5000
That would be possible, but it's far from being secure.
The user only has to issue
Code:
HISTFILE=
and nothing is recorded on bash exit.

And before the exit, nothing is written to the history file, so the cron job would record nothing.

Old 02-21-2006, 06:30 AM   #13
unSpawn
Quote:
HISTFILE=
Good remark. Also note that a similar "problem" can exist with other types of logging, even remote syslogging. But if you remote syslog, then you at least have a partial audit trail starting at the point the user logged in (if you configured logging right, and if they don't have access to the remote syslog server, OK). Any loss of syslogging after that doesn't matter anymore, because you then know you've got an admin that needs to be "re-educated" forcefully.
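The partial audit trail unSpawn describes is exactly the sudo entry the original post complains about: /var/log/secure shows that a shell was started and nothing more. That entry is still the event worth alerting on, because from that moment the session recording (rootsh or script) is the only record. The following is an added example, not part of the thread: an awk filter over sudo's syslog lines that reports who obtained a shell (or was refused one), on which tty. The log lines are constructed in the format sudo writes through syslog; the host name web1 and the user names are made up.

```shell
#!/bin/sh
# Flag sudo log entries in which a shell, a shell-escape-capable program or a
# recorded wrapper was requested. Added example, not from the thread.
# The lines below are constructed in the format sudo writes via syslog;
# host "web1" and the user names are made up.
SAMPLE_LOG='Feb 16 07:33:01 web1 sudo:   jesper : TTY=pts/0 ; PWD=/home/jesper ; USER=root ; COMMAND=/bin/bash
Feb 16 07:35:12 web1 sudo:     anna : TTY=pts/1 ; PWD=/home/anna ; USER=root ; COMMAND=/sbin/service httpd restart
Feb 16 07:36:40 web1 sudo:     anna : TTY=pts/1 ; PWD=/home/anna ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Feb 16 07:40:02 web1 sudo[2311]:   jesper : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/su -
Feb 16 07:41:55 web1 sudo:      bob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/sh
Feb 16 07:45:13 web1 sudo:     anna : TTY=pts/1 ; PWD=/home/anna ; USER=root ; COMMAND=/usr/bin/script -c /bin/bash /var/log/sudobash.log'

# Read sudo log lines on stdin; print one line per event of interest:
#   KIND STATUS USER TTY COMMAND
# KIND is SHELL (interactive shell or su), ESCAPE (program with a shell
# escape) or RECORDED (the script(1) wrapper from post #5); STATUS is
# "ok" when sudo granted the command and "DENIED" when it refused it.
shell_sudo_events() {
    awk '
    /COMMAND=/ {
        user = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^sudo(\[[0-9]+\])?:$/) { user = $(i + 1); break }
        if (user == "") next
        status = ($0 ~ /user NOT in sudoers|command not allowed/) ? "DENIED" : "ok"
        tty = "?"
        if (match($0, /TTY=[^ ]+/)) tty = substr($0, RSTART + 4, RLENGTH - 4)
        cmd = $0; sub(/.*COMMAND=/, "", cmd)
        split(cmd, parts, " "); prog = parts[1]; sub(/.*\//, "", prog)
        if (prog ~ /^(sh|bash|ksh|csh|tcsh|zsh|su)$/)      kind = "SHELL"
        else if (prog ~ /^(vi|vim|less|more|man)$/)     kind = "ESCAPE"
        else if (prog == "script")                      kind = "RECORDED"
        else next
        printf "%s %s %s %s %s\n", kind, status, user, tty, cmd
    }'
}

# Stand-alone run: filter the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | shell_sudo_events
```

Pointed at a remote syslog copy of the auth log (tail -F on the central host, or a cron run over the day's file), each SHELL line tells you which session recording to go and read, an ESCAPE line tells you a recording may be missing, and a DENIED line is a policy violation attempt in its own right. The filter deliberately matches on the program's base name only, since sudo logs the resolved path and a shell copied to /tmp/x would not be caught by any list; that gap is the same one that makes sudoers negation unreliable.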

Old 02-21-2006, 09:47 AM   #14
dussel
Original Poster
Quote:
Originally Posted by bigrigdriver
In SuSE, every user (including root) has a hidden file in the user's (root's) home directory called .bash_history. It records shell commands, to the limit specified in your system setup.
I know about .bash_history, and unfortunately that file only lists the commands, and in the end it is not so helpful. What I gain with the rootsh program is that I can see which user they are coming from, and I get much better logging!

But thanks anyway for the input!