LinuxQuestions.org
Old 02-02-2017, 12:08 PM   #1
RHFanatic
LQ Newbie
 
Registered: Mar 2016
Posts: 3

Rep: Reputation: Disabled
Tracking changes in Sudoers


Hello members,

I would like to know if there is a way, in Red Hat-based systems, to know when /etc/sudoers has been changed, and what the change was. I've tried looking at audit.log but I'm not sure how to read that.

Thanks,
 
Old 02-03-2017, 05:36 AM   #2
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,236

Rep: Reputation: 5451
when: you will always see the last modification time.
who: only root can modify that file.
what: I think by default linux does not do that, but you can have it: https://linux-audit.com/monitoring-l...modifications/
 
Old 02-03-2017, 06:01 AM   #3
RHFanatic
LQ Newbie
 
Registered: Mar 2016
Posts: 3

Original Poster
Rep: Reputation: Disabled
Last modification time is not what I'm looking for because... well, it's just when it was last modified, while I'm looking for an audit trail. Secure.log shows when "sudo" was executed, so I figured since adding a sudoer is much more important I can find messages in a log somewhere. Audit shows me when, for instance, "visudo" was run, but I can't know if the file was modified at that time.
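The part the audit log does answer, once a watch rule is in place, is exactly the "was the file modified at that time" question: with a rule such as `-w /etc/sudoers -p wa -k sudoers_changes` loaded, every write or rename that touches the file produces one audit event made of a SYSCALL record (who, which program, success) plus PATH records (which names were created, deleted or written). The script below is an added example, not part of this thread, that groups raw audit records by event serial and reports the events carrying that key. The key name, the rule, and the log lines embedded in it are constructed for the example; on a real host the same function can be fed the output of `ausearch -k sudoers_changes --raw`.

```python
"""Report modifications of /etc/sudoers from raw auditd records.

Assumes an audit watch rule like  -w /etc/sudoers -p wa -k sudoers_changes
(the key name is an assumption for this example).  The sample log below is
constructed to look like what auditd writes when visudo renames its temp file
over /etc/sudoers, when an editor writes the file in place, and for one
unrelated event that must be ignored.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime, timezone

SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1486131600.101:2001): arch=c000003e syscall=82 success=yes exit=0 a0=7ffd1 a1=7ffd2 ppid=1502 pid=1530 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="visudo" exe="/usr/sbin/visudo" key="sudoers_changes"
type=CWD msg=audit(1486131600.101:2001):  cwd="/root"
type=PATH msg=audit(1486131600.101:2001): item=0 name="/etc/" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1486131600.101:2001): item=2 name="/etc/sudoers" inode=131320 dev=fd:01 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1486131600.101:2001): item=3 name="/etc/sudoers" inode=131455 dev=fd:01 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1486131700.250:2002): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3 a2=241 ppid=1600 pid=1644 auid=1001 uid=0 gid=0 euid=0 tty=pts1 ses=4 comm="vim" exe="/usr/bin/vim" key="sudoers_changes"
type=PATH msg=audit(1486131700.250:2002): item=0 name="/etc/" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1486131700.250:2002): item=1 name="/etc/sudoers" inode=131455 dev=fd:01 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1486131800.300:2003): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd4 a2=241 ppid=1600 pid=1700 auid=1001 uid=0 gid=0 euid=0 tty=pts1 ses=4 comm="useradd" exe="/usr/sbin/useradd" key="passwd_changes"
type=PATH msg=audit(1486131800.300:2003): item=0 name="/etc/passwd" inode=131100 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# Audit records are space-separated key=value tokens; values may be quoted,
# parenthesised (key=(null)) or bare.
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Turn one raw record into a dict; records of one event share a serial."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}
    fields["_ts"] = float(m.group(1))
    fields["_serial"] = int(m.group(2))
    return fields


def group_events(log_text):
    """Map event serial -> list of its records (SYSCALL, CWD, PATH, ...)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)
    return events


def sudoers_changes(log_text, key="sudoers_changes", path="/etc/sudoers"):
    """Return one summary dict per event whose SYSCALL record carries `key`."""
    results = []
    for serial, recs in sorted(group_events(log_text).items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        # PATH items naming the watched file tell us how it was touched:
        # DELETE+CREATE means it was replaced by rename (visudo's behaviour),
        # NORMAL means it was opened and written in place.
        paths = [(r.get("name"), r.get("nametype")) for r in recs
                 if r.get("type") == "PATH" and r.get("name") == path]
        results.append({
            "serial": serial,
            "when": datetime.fromtimestamp(syscall["_ts"], tz=timezone.utc),
            "auid": int(syscall.get("auid", -1)),  # login user, survives su/sudo
            "uid": int(syscall.get("uid", -1)),    # effective user at the time
            "exe": syscall.get("exe"),
            "comm": syscall.get("comm"),
            "success": syscall.get("success") == "yes",
            "replaced": any(nt == "CREATE" for _, nt in paths),
            "path": path,
            "paths": paths,
        })
    return results


def format_event(ev):
    """One-line, human-readable summary of a change event."""
    what = "replaced" if ev["replaced"] else "written in place"
    return (f"{ev['when']:%Y-%m-%d %H:%M:%S %Z} auid={ev['auid']} uid={ev['uid']} "
            f"{ev['exe']} ({ev['comm']}) -> {ev['path']} {what}, success={ev['success']}")


if __name__ == "__main__":
    # Pipe `ausearch -k sudoers_changes --raw` in, or run bare for the sample.
    text = SAMPLE_AUDIT_LOG if sys.stdin.isatty() else sys.stdin.read()
    for ev in sudoers_changes(text):
        print(format_event(ev))
```

The second sample event is the case worth looking for: the login user (auid=1001) became root and wrote the file with an editor instead of visudo, which bypasses the syntax check and shows up as a NORMAL path record rather than the DELETE/CREATE pair.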
 
Old 02-03-2017, 07:35 AM   #4
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,162

Rep: Reputation: 1361
Look into implementing sudoreplay; that'll give you better logging of what was done within a sudo session.
 
Old 02-03-2017, 07:47 AM   #5
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,236

Rep: Reputation: 5451
But actually I would restrict users to protect that file. sudo can be used to specify what is allowed for users.
 
Old 02-03-2017, 08:37 AM   #6
goumba
Senior Member
 
Registered: Dec 2009
Location: New Jersey, USA
Distribution: Current: Debian and OpenSUSE. Past: Arch, RedHat (pre-RHEL). FreeBSD & OpenBSD novice, Hackintosh
Posts: 1,193
Blog Entries: 7

Rep: Reputation: 335
I don't know of any tool off hand, but what about aliasing visudo to create your own logging?

Quick and dirty, untested, but just to give you an idea. Create the temp file wherever you wish (change what follows -p), but I figure /root, if run as root, will decrease the chances of it being read by those who shouldn't. While I'm sure this has its own security implications, this is just to get you pointed in some direction if you don't find a better solution.

Something like this in .bashrc:

Code:
# Wrap visudo so that every edit leaves a diff of /etc/sudoers behind.
function watch_sudo()
{
    # Private scratch copy; mktemp creates it mode 0600 under $HOME (/root when run as root)
    tmp="$(mktemp -p "${HOME}")"
    cp /etc/sudoers "${tmp}"
    # The backslash bypasses the alias below; without it the function calls itself
    \visudo
    # Record what changed; the file name carries the time and date of the edit
    diff "${tmp}" /etc/sudoers > "sudoers-$(date +%H%M-%Y%b%d).diff"
    rm -f "${tmp}"
}

alias visudo='watch_sudo'
Don't forget the backslash before the visudo in the function, or you'll learn the hard way about aliasing an existing application.

Last edited by goumba; 02-03-2017 at 08:40 AM. Reason: fixed quoting
 
Old 02-03-2017, 08:42 AM   #7
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,236

Rep: Reputation: 5451
You ought to write /usr/sbin/visudo. In general this function can be easily deleted/removed by the users.
 
1 members found this post helpful.
Old 02-03-2017, 08:58 AM   #8
goumba
Senior Member
 
Registered: Dec 2009
Location: New Jersey, USA
Distribution: Current: Debian and OpenSUSE. Past: Arch, RedHat (pre-RHEL). FreeBSD & OpenBSD novice, Hackintosh
Posts: 1,193
Blog Entries: 7

Rep: Reputation: 335
Quote:
Originally Posted by pan64 View Post
you ought to write /usr/sbin/visudo. in general this function can be easily deleted/removed by the users.
Well, like I said, it likely has its own concerns, but I figure if the user's in a position to be editing this function in root's .bashrc then I would really need to be worrying about far greater things than whether they're going to be removing this function.

And yeah I should have put /usr/bin/visudo but figured a free lesson in aliasing would be good too.

Last edited by goumba; 02-03-2017 at 09:00 AM.
 
Old 02-03-2017, 10:58 AM   #9
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,236

Rep: Reputation: 5451
A user does not need to edit root's .bashrc; (s)he can just override it (in the current shell) before usage (or simply execute visudo with the full path). But anyway, logging visudo instead of restricting access is not a good idea. A general sudo right is unsafe.

Last edited by pan64; 02-04-2017 at 11:14 AM. Reason: typo
 
1 members found this post helpful.
Old 02-07-2017, 08:37 AM   #10
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217
Well auditd is definitely the right tool to be using for logging user activity. One thing you could do is actually lock down the sudoers file with the immutable flag. That will make visudo automatically fail. Then if somebody were to remove the immutable flag, using your audit logs you could ask them to explain why.

#lsattr /etc/sudoers
---------------- /etc/sudoers
#chattr +i /etc/sudoers
#lsattr /etc/sudoers
----i----------- /etc/sudoers
#visudo
visudo: /etc/sudoers: Permission denied
visudo: /etc/sudoers: Permission denied
#chattr -i /etc/sudoers
#visudo
visudo: /etc/sudoers.tmp unchanged

Just to note that this would leave /etc/sudoers.d open if it exists/is configured, but my preference is to use /etc/sudoers.d anyway. Easier to repair if anybody breaks something.

Last edited by r3sistance; 02-07-2017 at 08:39 AM.
 
  



Tags
centos, log, sudo, sudoers

