sudo Logging

sudo logging

Enabling sudo logging in CentOS.

As mentioned in the introduction to sudo, the sudo command logs which users run what commands. Logging does not occur automatically. You need to set up sudo and syslogd to log commands. This involves two steps. First, you must create a sudo logfile in /var/log. Second, you must configure syslog.conf to log sudo commands. To configure sudo logging, follow these steps:


  1. Log on as root. Create a sudo log file in /var/log. Enter:
    touch /var/log/sudo
  2. Next, you need to add a line in the syslog.conf file to direct logging to your sudo logging file. Open syslog.conf by entering the following:
    vi /etc/syslog.conf
  3. Enter the following line at the end of the syslog.conf file (press i to insert text). The whitespace must be created using TAB, not the SPACE BAR.
    local2.debug /var/log/sudo
  4. This syslog.conf entry logs all successful and unsuccessful sudo commands to the /var/log/sudo file. You can also log to a network host by indicating the network host instead of a local directory.
  5. Press ESC to write and quit the file, and enter wq at the colon.
  6. Since you have modified the syslog.conf file, you need to restart syslogd. To send a HUP signal to syslogd, you must first know this sylogd process identifier (PID). To find the syslogd PID, type:
    ps aux | grep syslogd
  7. The second column lists the PID number. The last column lists the process using that PID. This is the information you need to enter the appropriate kill command and restart syslogd. Type:
    kill -HUP (PID NUMBER)
  8. First, you will generate log entries for user chris. Log on as user chris.
  9. Enter the following ifconfig commands while logged on as user chris:
    sudo -lsudo /sbin/ifconfig eth0 down
    sudo /sbin/ifconfig etho up
  10. Restart one of the httpd proceesses 9or another process of your choice) using the kill command by entering:
    ps aux | grep httpd
  11. Choose an Apache (httpd) PID from the list that appears. Enter:
    sudo kill -HUP (PID NUMBER)
  12. Now list the root user directory as user chris. Enter:
    sudo ls /root
  13. Log on as root and view the sudo log file. All the sudo commands that chris entered should be listed.
  14. You can log any root commands by simply typing sudo before each command. For example, make sure that you afre logged on as root and enter the following commands:
    sudo useradd bessie
    sudo passwd bessie
    sudo vi /hosts
  15. Access and view the sudo log by entering:
    sudo cat /var/log/sudo
    All root user entries are logged, including the cat command you just entered.

Obviously, sudo is very helpful for controlling an auditing root access. It allows a system administrator to distribute root access without giving out the root password. An administrator can control what root access is needed for each user, and can customize system access based on those needs.


External Links:

Introduction to sudo at linux.com

Running sudo: Examples

using sudo

The sudo command in action under CentOS. sudo -l shows the commands user chris is allowed to run as root.

In the previous article, we configured sudo to allow user chris root privileges for the ifconfig, kill and ls commands. If chris wants to run these commands, he must first enter the sudo command, and then his password. To see if it works, do the following:

  1. Log in as user chris.
  2. To find out what commands chris has root access to, enter this:
    sudo -l
  3. If this is your first time running sudo as user chris, a warning will display:
    We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things.
    #1) Respect the privacy of others.
    #2) Think before you type.
     #3) With great power comes great responsibility.
  4. A password prompt appears. Do not enter the root password. Enter chris’s password.
  5. The commands that chris is allowed to run on this host are listed.
  6. To test your sudo configuration, you can run an ifconfig option that requires root permission without using sudo. Enter:
    /sbin/ifconfig eth0 down
    Permission is denied beceause chris is not allowed to deactivate the system’s eth0 interface.
  7. To deactivate the interface, chris must use sudo. Enter:
    sudo /sbin/ifconfig eth0 down
    You will be successful. Please note that sudo will ask for chris’s password if chris’s ticket has expired (the default is five minutes). If you run this command within five minutes from the last time, you will not be prompted for a password.
  8. Reactivate the interface by typing:
    sudo /sbin/ifconfig eth0 up
  9. Next, restart one of the httpd processes using the kill command by entering:
    ps aux | grep httpd
  10. Choose an Apache PID from the list that appears (if Apache is not installed, select a different service process to restart). Enter:
    kill -HIP (PID NUMBER)
  11. You are not allowed to restart the httpd process because you are not root.
  12. Instead, use sudo to run the command as root by entering:
    sudo kill -HUP (PID NUMBER)
    You should be successful.

  13. Next, list the root directory as chris using the ls command. Enter:
    ls /root
    Permission is denied because you are not root.
  14. Again, use sudo to run the command as root:
    sudo ls /root
    Permission is granted and the root user’s directory is displayed.
  15. To expire chris’s timestamp, enter the command sudo -k. Chris will have to enter a password the next time he uses sudo.




External Links:

ifconfig at Wikipedia
kill at Wikipedia
ls at Wikipedia

sudo: Options and Configuration

sudo configurationIn order to use sudo, the user must have already supplied a username and password. If a user attempts to run the command via sudo and that user is not in the sudoers file (at /etc/sudoers), an e-mail is automatically sent to the administrator, indicating that an unauthorized user is accessing the system.

Once a user logs in to sudo, a ticket is issued that is valid by default for five minutes. A user can update the ticket by issuing the -v falg, which will validate the ticket for another five minutes. To do this, type the following:

sudo -v

If an unauthorized user runs the -v flag, an e-mail will not be sent to the administrator. The -v flag informs the unauthorized user that they are not a valid user. If the user enters a command via sudo anyway, an e-mail will then be sent to the administrator.


sudo logs login attempts, successful and unsuccessful, to the syslog file by default. However, this can be changed during sudo configuration. sudo also has several command line options, such as the following:

  • -V: Version; prints version number and exits
  • -l: List; lists the commands that are allowed and denied by the current user
  • -h: Help; prints usage message and exits
  • -v: Validate; updates the user’s ticket for a configured amount of time (the default is five minutes). If required, the user must re-enter the user password to update the ticket
  • -k: Kill; expires the user’s ticket. Completing this option requires the user to re-enter the user password to update the ticket
  • -K: Sure kill; removes the user’s ticket entirely. User must log in with username and password after running this option
  • -u: User; runs the specific command as the username specified. The user specified can be any user except root. If you want to enter a uid, enter #uid instead of the username

Configuring sudo

To configure sudo, you must edit the /etc/sudoers file. The sudoers file defines which users are allowed to execute what commands. Only the root user is allowed to edit the file, and it must be edited with the visudo command. By default, the visudo command opens the sudoers file in the vi text editor. The vi commands are used to edit and write the file. You can change the default text editor used by visudo using the compile time option. Visudo uses the EDITOR environment variable. The visudo command performs the following tasks when editing the sudoers file:

  • Visudo will not save any changes if a syntax error exists. It will state the line number of the error and prompt you for guidance.
  • If you attempt to run visudo while the sudoers file is being edited, you will receive an error message telling you to try again at a later time.

The sudoers file consists of two different types of entries, user specifications and aliases. The following examples show you to use user specifications, which define which user is allowed to run what commands. Aliases are basically variables.


style=”display:inline-block;width:180px;height:90px”
data-ad-client=”ca-pub-8834983181171783″
data-ad-slot=”8138242896″>
//

The sudoers file contains a root entry. The user privilege specification is listed as:

root ALL=(ALL) ALL

This configuration allows the root user to issue all commands. To allow other users to run commands as root, you must enter those users in the sudoers file. You must also list the host on which they are allowed to run the commands. Finally, you must list the specific commands that those users are allowed to run as root. As an example, imagine we have a user called chris and we want to allow him to run some commands as root.

First, we open the sudoers file using the visudo command. The sudoers file will now open in vi. Locate the “User privileges specification” section. After the root entry, enter the following:

chris your-hostname = /sbin/ifconfig, /bin/kill, /bin/ls

[This will allow user chris to run the ifconfig, kill and ls commands as root. NOTE: Depending on your implementation of Linux/Unix, you may have to add your default shell to the list of commands user chris can execute as root; e.g. /bin/bash.] Press ESC, then enter wq at the to write and quit the file. Now, if you have not already, you have to create user chris. To do this, enter:

useradd chris

To create a password of user chris, enter:

passwd chris

Then enter the password when prompted. Now, you should have a user chris on your system that can run ifconfig, kill and ls as root.


External links:

The sudo project page

sudo: An Introduction

sudo

Invoking sudo at the command line in CentOS.

Superuser Do (sudo) is an open source security tool that allows an administrator to give specific users or groups the ability to run certain commands as root or as another user. Its name is a concatenation of “su” (substitute user) and “do”. Sudo is available for download from http://www.sudo.ws/sudo/download.html, but it is included with most Linux distributions. The program can also log commands and arguments entered by specified system users.

Unlike the su command, users typically supply their own password to sudo rather than the root password. The developers of sudo state the basic philosophy of the program is to give as few privileges as possible but still allow people to get their work done. After authentication, and if the /usr/local/etc/sudoers (or /etc/sudoers) configuration file permits the user access, then the system will invoke the requested command. The sudoers configuration file enables a huge amount of configurability, including, but not limited to: enabling root commands only from the invoking terminal, not requiring a password for certain commands; requiring a password per user or group; requiring re-entry of a password every time or never requiring a password at all for a particular command line. It can also be configured to permit passing arguments or multiple comments, and even supports commands with regular expressions.


Sudo was originally written by Robert Coggeshall and Cliff Spencer “around 1980” at the Department of Computer Science at SUNY/Buffalo. The current license is under active development and is maintained by OpenBSD developer Todd C. Miller distributed under a BSD-style license. Sudo’s website is http://www.sudo.ws/.

sudo Features

Here are some of the features of sudo:

  • Command logging: Commands and argument can be logged. Commands entered can be traced to the user. Ideal for system auditing.
  • Centralized logging of multiple systems: sudo can be used with the system log daemon (syslog) to log all commands to a central host.
  • Command restrictions: Each user or group of users can be limited to what commands they are allowed to enter on the system.
  • Ticketing system: The ticketing system sets a time limit by creating a ticket when a user logs on to sudo. The ticket is valid for a configurable amount of time. The default is five minutes.
  • Centralized administration of multiple systems: The sudo configurations are written to the /etc/sudoers files. The file can be used on multiple systems and allows administration from a central host. The file is designed to allow user privileges on a host-by-host basis.


Because sudo logs all commands run as root, many administrators use it instead of using the root shell. This allows them to log their own commands for troubleshooting and additional security. The ticketing system is also ideal because if the root user walks away from the system while still logged in, another user cannot then access the system simply because they have physical access to the keyboard. After the ticket expires, users must then log on to the system again. A shorter time is recommended, such as the default five minutes. The ticketing system also allows user to remove their ticket file.

To install and run sudo from the source distribution, you must have a system running Unix. Almost all versions of Unix support the sudo source distribution, including almost all flavors of POSIX, BSD, and SYSV. Sudo is known to run on: Auspex, SunOS, Solaris, ISC, RISCos, SCO, HP-UX, Ultrix, IRIX, NEXTSTEP, DEC Unix, AIX, ConvesxOS, BSD/OS, OpenBSD, Linux, UnixWare, Pyramid, ATT, SINIX, ReliantUNIX, NCR, Unicos, DG/UX, Dynix/ptx, DC-Osx, HI-UX/MPP, SVR4, NonStop-UX and MacOSX Server.

External Links:

sudo at Wikipedia

The official sudo homepage

© 2013 David Zientara. All rights reserved. Privacy Policy