Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
02-16-2006, 07:33 AM | #1 | Member | Registered: Dec 2004 | Distribution: SuSE 9.X, SuSE 10, SLES 9, RedHat, Fedora, Gentoo, Solaris, and more | Posts: 50
How to log every command in a root shell started by sudo
Hello all,
Does anyone know how I can log the commands used in a root shell?
Okay, I will be more precise: I have installed sudo, and no one can do a su or su - to root from a user admin account; all root access has to be via sudo. sudo logs what you do in /var/log/secure, but when you for example run sudo /bin/bash, then the secure log only says that the user has started bash, not what commands are used in this shell.
Help to get all commands that are used in the bash shell logged would be appreciated!
Thanks in advance!
Cheers
Jesper
02-16-2006, 08:12 AM | #2 | LQ Guru | Registered: Aug 2001 | Location: Fargo, ND | Distribution: SuSE AMD64 | Posts: 15,733
I think that you want to write your sudoers file so that users of sudo can't run /bin/bash or commands that contain shell escapes.
02-16-2006, 08:29 AM | #3 | Member (Original Poster) | Registered: Dec 2004 | Distribution: SuSE 9.X, SuSE 10, SLES 9, RedHat, Fedora, Gentoo, Solaris, and more | Posts: 50
No, that is allowed, even though I would prefer such a solution.
So, what I want is to be able to log everything the admins do when they have run sudo /bin/bash or another shell. I want to be able to see which commands were used and which of the admin accounts (or TTYs) ran the specific commands in their "sudo /bin/bash" shell.
Cheers
Jesper
02-16-2006, 08:38 AM | #4 | LQ Guru | Registered: Aug 2001 | Location: Fargo, ND | Distribution: SuSE AMD64 | Posts: 15,733
An entry in sudoers like this would allow an admin to run any command but a shell. I don't think that you can have logging otherwise.
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/csh, /bin/ksh, /bin/tcsh, /bin/zsh
%group2 station1 = ALL, !SHELLS
02-16-2006, 09:46 AM | #5 | Senior Member | Registered: Sep 2005 | Location: Out | Posts: 3,307
It's not a complete solution and you might find it awful, but you could trick sudo into calling /usr/bin/script -c /bin/bash /var/log/sudobash."$(date).$$"
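A wrapper along the lines of nx5000's suggestion, written out as an added example (not code from this thread): sudoers points at this script instead of at /bin/bash, and the script hands the whole session to script(1), so input and output are recorded, not just command names. It assumes util-linux script at /usr/bin/script, a root-owned log directory /var/log/sudoshell and an install path of /usr/local/sbin/logged-shell; all three are assumptions. The log file name is built without the spaces that a bare $(date) would put into it, and it carries the invoking user (sudo sets SUDO_USER), the tty and the pid, which is what the original poster wanted to see.

```shell
#!/bin/bash
# logged-shell: run an interactive root shell under script(1) so the whole
# session is recorded. Added example, not code from the thread.
# Assumed paths: /usr/bin/script (util-linux), log dir /var/log/sudoshell
# (root:root, mode 0700), installed as /usr/local/sbin/logged-shell.
#
# Matching sudoers line (assumption: the group is called admins):
#   %admins ALL = (root) /usr/local/sbin/logged-shell
# combined with the !SHELLS entry from post #4 so a bare bash is not an option.

LOGDIR=${LOGDIR:-/var/log/sudoshell}

# Build <dir>/<user>.<tty>.<epoch>.<pid>.log; '/' in the tty name is replaced
# so the result is one argument with no spaces in it.
session_log_name() {
    local dir=$1 user=$2 tty=$3 epoch=$4 pid=$5
    local tty_clean
    tty_clean=$(printf '%s' "$tty" | tr '/' '_')
    printf '%s/%s.%s.%s.%s.log' "$dir" "$user" "$tty_clean" "$epoch" "$pid"
}

# Refuse to record into a directory the logged admin could tamper with:
# it must exist, be owned by the expected uid, and have no group/other write bit.
logdir_is_safe() {
    local dir=$1 want_owner=${2:-0}
    local owner mode
    [ -d "$dir" ] || return 1
    owner=$(stat -c '%u' "$dir") && mode=$(stat -c '%a' "$dir") || return 1
    [ "$owner" = "$want_owner" ] && [ "$((8#$mode & 022))" -eq 0 ]
}

run_logged_shell() {
    local user=${SUDO_USER:-unknown} tty_name log
    tty_name=$(tty 2>/dev/null || echo notty)
    if ! logdir_is_safe "$LOGDIR" 0; then
        echo "logged-shell: refusing to start, $LOGDIR is not a root-owned, non-writable directory" >&2
        exit 1
    fi
    log=$(session_log_name "$LOGDIR" "$user" "$tty_name" "$(date +%s)" "$$")
    # Leave a syslog breadcrumb too, so the session start survives even if the
    # local typescript is later damaged (forward authpriv off the box).
    logger -p authpriv.notice -t logged-shell "start user=$user tty=$tty_name log=$log"
    # -q no banner, -f flush after every write, -a append, -e return bash's exit status
    exec /usr/bin/script -q -f -a -e -c /bin/bash "$log"
}

# Only start a session when invoked under the installed name; sourcing this
# file (for example from a test) just defines the functions.
case ${0##*/} in
    logged-shell) run_logged_shell "$@" ;;
esac
```

The typescript is a raw terminal capture (escape sequences included), so read it with `cat` or `less -r` rather than a plain editor. On sudo 1.7.5 or later the same effect is available natively with `Defaults log_output` and `sudoreplay`, which avoids the wrapper entirely; the sudoers negation in post #4 is only as strong as the admin's inability to copy a shell binary under another name, so it should not be the only control.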
02-16-2006, 10:04 AM | #6 | Moderator | Registered: May 2001 | Posts: 29,415
Have a look at rootsh. Alternatively you could patch Bash with extended logging, but rootsh should do in most cases.
02-16-2006, 10:52 AM | #7 | Member (Original Poster) | Registered: Dec 2004 | Distribution: SuSE 9.X, SuSE 10, SLES 9, RedHat, Fedora, Gentoo, Solaris, and more | Posts: 50
Thanks unSpawn and nx5000 for the great help and your solutions to my problem.
The rootsh program looks really nice, and from the information on the net it looks like the best way in the end.
I will also test the script alternative.
Cheers
02-17-2006, 04:33 AM | #8 | Member (Original Poster) | Registered: Dec 2004 | Distribution: SuSE 9.X, SuSE 10, SLES 9, RedHat, Fedora, Gentoo, Solaris, and more | Posts: 50
Rootsh is really nice, but I can't figure out how to have it by default when someone sudos a shell.
What I mean is: when an admin user does "sudo bash", then rootsh should start and log everything.
Cheers
Dussel
02-17-2006, 08:25 AM | #9 | Member (Original Poster) | Registered: Dec 2004 | Distribution: SuSE 9.X, SuSE 10, SLES 9, RedHat, Fedora, Gentoo, Solaris, and more | Posts: 50
Okay, I found a solution to my problem of always running rootsh, and hopefully it is not possible to get around it and get root access without logging. It is maybe not the nicest solution, but it works for our purposes.
What I did was add rootsh to /etc/shells and then change passwd for all users, setting their default shell to rootsh instead of bash.
The good thing about this solution is that the logging starts the second an intruder gets onto the server.
Now I only need to make sure that we are allowed by law to monitor these user accounts.
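To check that the change described in this post actually covers every account, here is an added audit script (not the thread's own code; the rootsh install path /usr/local/bin/rootsh is an assumption). It runs over constructed passwd and /etc/shells samples embedded inline: it flags interactive accounts (uid 0 and uid 1000 and up, skipping nologin/false shells) whose login shell is not rootsh, and verifies that rootsh is listed in /etc/shells, which chsh and some login programs require before they accept a shell.

```shell
#!/bin/bash
# Audit that every interactive account logs in through rootsh.
# Added example, not code from the thread. ROOTSH path is an assumption;
# SAMPLE_PASSWD and SAMPLE_SHELLS are constructed test data, not real accounts.

ROOTSH=${ROOTSH:-/usr/local/bin/rootsh}

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/usr/local/bin/rootsh
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/zsh
svc:x:999:999:service account:/var/lib/svc:/usr/sbin/nologin'

SAMPLE_SHELLS='/bin/sh
/bin/bash
/usr/local/bin/rootsh'

# Print, one per line, accounts that can log in interactively but bypass rootsh.
# $1 = passwd file content. Root is included because a direct console login as
# root would otherwise be the one unrecorded path.
unlogged_accounts() {
    printf '%s\n' "$1" | awk -F: -v rootsh="$ROOTSH" '
        ($3 == 0 || $3 >= 1000) && $7 != rootsh && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Return 0 if rootsh appears as an exact line in /etc/shells content ($1).
rootsh_is_listed() {
    printf '%s\n' "$1" | grep -qxF "$ROOTSH"
}

# Combined report: $1 = passwd content, $2 = /etc/shells content.
# Returns 0 only when nothing is wrong.
audit_report() {
    local status=0 offenders
    if ! rootsh_is_listed "$2"; then
        echo "WARN: $ROOTSH is not listed in /etc/shells"
        status=1
    fi
    offenders=$(unlogged_accounts "$1")
    if [ -n "$offenders" ]; then
        echo "WARN: accounts whose login shell is not rootsh:"
        printf '  %s\n' $offenders
        status=1
    fi
    return "$status"
}
```

Against a live system call `audit_report "$(cat /etc/passwd)" "$(cat /etc/shells)"`. Two caveats belong with this approach: the rootsh log files must sit somewhere the logged admins cannot truncate, and ideally be forwarded to a remote syslog host as unSpawn points out further down this thread; and a shell started with sudo inside a rootsh session still runs on the pty rootsh is recording, which is why changing the login shell covers the "sudo bash" case the original poster started with.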
02-17-2006, 09:06 AM | #10 | Senior Member | Registered: Sep 2005 | Location: Out | Posts: 3,307
Quote:
Originally Posted by dussel
Now I only need to make shure that we are allowed by law to monitor these user accounts.
|
This may only help in case of prosecuting someone, but don't take my answer as definitive; I'm not an expert in law.
Quote:
***************************************************************************
NOTICE TO USERS
This computer system is the private property of dussel, whether
individual, corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials. Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
****************************************************************************
|
It's taken from Bastille Linux, very good software also.
02-20-2006, 03:21 PM | #11 | LQ Addict | Registered: Jul 2002 | Location: East Central Illinois, USA | Distribution: Debian stable | Posts: 5,908
In SuSE, every user (including root) has a hidden file in the user's (root's) home directory called .bash_history. It records shell commands, up to the limit specified in your system setup.
You should be able to set up a cron job to copy those histories at intervals to a secure location of your choosing.
02-21-2006, 01:58 AM | #12 | Senior Member | Registered: Sep 2005 | Location: Out | Posts: 3,307
That would be possible, but it's far from being secure.
The user only has to issue
and nothing is recorded on bash exit.
And before the exit, nothing is recorded to the history file, so the cron job would record nothing.
02-21-2006, 06:30 AM | #13 | Moderator | Registered: May 2001 | Posts: 29,415
HISTFILE=
Good remark. Also note that a similar "problem" can exist with other types of logging, even remote syslogging. But if you remote syslog, then you at least have a partial audit trail starting at the point the user logged in (if you configured logging right and if they don't have access to the remote syslog server, OK). Any loss of syslogging after that doesn't matter anymore, because you then know you've got an admin that needs to be "re-educated" forcefully.
02-21-2006, 09:47 AM | #14 | Member (Original Poster) | Registered: Dec 2004 | Distribution: SuSE 9.X, SuSE 10, SLES 9, RedHat, Fedora, Gentoo, Solaris, and more | Posts: 50
Quote:
Originally Posted by bigrigdriver
In SuSE, every user (including root) has a hidden file in the user's (root's) home directory called .bash_history. It records shell commands, to the limit specified in your system setup.
|
I know about .bash_history, and unfortunately that file only lists the commands, and in the end it is not so helpful. What I gain with the rootsh program is that I can see which user they are coming from, and I get much better logging!
But thanks anyway for the input!