0

I would always like to use the sudo command when operating as our "serveruser" so that all my actions are recorded in the sudo log and I can reverse engineer it later. However, I do not want to type sudo -u serveruser every time and would prefer not to create an alias. Is there a program or something where I can execute a shell such that every command I run is actually prefixed with sudo -u serveruser, so it feels like I am the user himself?

If so, I can set it up for all admins and they would not even really notice a difference and we get history logging for free with sudo logging.

EDIT: What I am looking for is these things

  1. very simple setup (our sudo is already set up except this sudo-like shell that would be nice)
  2. logs timestamp
  3. logs user executing command (i.e. possibly me, dean in this case)
  4. logs the user they executed the command as (i.e. serveruser in this case)
  5. logs the actual command

sudo does 2-5 out of the box but I am trying to figure out #1 for users as we (people on this team) do not want to be typing sudo all the time :(.

EDIT: Maybe there is a way to suck in stdin and stdout in bash to write a script so one could call sudoshell -u username and any commands I type in on stdin except "exit" are then run with sudo -u username. Is there a way to have a script like this instead that all our admins can run? And then when someone runs sudo su - I can log a message to run that shell instead as follows... that would work very well. Any idea how to do that?

Thanks, Dean
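The `sudoshell -u username` wrapper described in the second EDIT can be written as a small read loop. This is an added example, not part of the original question or its answers; the script name, the helper names `run_as` and `sudoshell`, and the `SUDO` override variable are assumptions made for illustration.

```shell
#!/bin/sh
# sudoshell (hypothetical name): every line typed is executed as
#   sudo -u <user> -- /bin/sh -c '<line>'
# so sudo's own log records timestamp, invoking user, target user and command.

# Assumption: SUDO can be overridden so the loop can be exercised without sudo.
SUDO=${SUDO:-sudo}

# Run one command line as the target user through sudo.
# $1 = target user, $2 = command line typed by the admin
run_as() {
    "$SUDO" -u "$1" -- /bin/sh -c "$2"
}

# Read command lines from stdin until "exit" or EOF.
# Returns the exit status of the last command that was run.
sudoshell() {
    ss_target=$1
    ss_status=0
    while :; do
        # Show a prompt only when stdin is a terminal.
        [ -t 0 ] && printf '%s$ ' "$ss_target" >&2
        IFS= read -r ss_line || break          # EOF (Ctrl-D) ends the session
        case $ss_line in
            exit) break ;;                     # handled here, never sent to sudo
            '')   continue ;;                  # ignore empty lines
        esac
        if run_as "$ss_target" "$ss_line"; then
            ss_status=0
        else
            ss_status=$?
        fi
    done
    return "$ss_status"
}

# Start a session only when called as: sudoshell -u <user>
if [ "${1:-}" = "-u" ] && [ -n "${2:-}" ]; then
    sudoshell "$2"
fi
```

Each line runs in a fresh `/bin/sh`, so `cd` and variable assignments do not carry over to the next line, and the sudo log shows the command as `/bin/sh -c ...`. The wrapper only saves typing: it records nothing for a user who runs `sudo -u serveruser bash` directly, which is the gap the session-recording tools in the answers address.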

2 Answers

3

What you are looking for is an audit trail. Sudo would provide it (with limitations), but there are other ways to accomplish it.

If you just need recorded what has been typed into the shell and do not feel like installing additional software packages, bash 4 can be configured for logging the history through syslog.

You also could choose from the available lot of audit packages. A quick & simple solution could be the Snoopy logger.

the-wabbit
2

I would always like to use the sudo command when operating as our "serveruser" so that all my actions are recorded in the sudo log and I can reverse engineer it later.

It sounds like you want to log all sudo commands, so that you can audit it later.

You should take a look at sudosh2. Here is the description:

sudosh is an auditing shell filter and can be used as a login shell. Sudosh records all keystrokes and output and can play back the session just like a VCR.

For example: User joe logs into the system, and types sudo sudosh and is granted superuser privileges. After this point, all input & output is logged. Logs go to a file, or are sent via syslog to your central syslog server (where they cannot be erased). You can replay the logs and see exactly what people typed (You can even see typos, backspaces, etc.) and the output.

It may not fit the need for all of your requirements, but it sounds like you are open to similar options.

For more detail, please see my other answer to Log every command executed from root.

Stefan Lasiewski