sudo or su logging

Ikon · July 14, 2008, 1:22pm

Jul 14 08:02:40 servera sshd[18240]: Accepted keyboard-interactive/pam for someuser from x.x.x.x port 1406 ssh2
Jul 14 08:02:48 servera su: - 1 someuser-root
Jul 14 08:03:03 servera sudo: someuser : TTY=pts/1 ; PWD=/home/someuser ; USER=root ; COMMAND=/usr/bin/su -
Jul 14 08:03:03 servera su: + 1 someuser-root

Line 1 - SSH to the server
Line 2 - invalid password "sudo su -"
Line 3,4 - Successful "sudo su -"

I would like to beable to link a failed "sudo su -" to the ssh login, but there is no data other than username.

If a user is logged in multiple times or from multiple locations there is no way to differenciate the logins.

We currently have a report emailed to us letting us know this data to determine if someusers are trying to run commands they are not supposed to, but management wants more info, like hostname and/or IP address of the user at the time the command was run.

Anyone have any ideas how to add log details for sudo or su?

sudolog only shows:
SU 07/14 08:17 + 0 someuser-root
SU 07/14 08:53 + 1 someuser-root
syslog.log only show:
Jul 14 08:02:40 servera sshd[18240]: Accepted keyboard-interactive/pam for someuser from x.x.x.x port 1406 ssh2
Jul 14 08:02:48 servera su: - 1 someuser-root
Jul 14 08:03:03 servera sudo: someuser : TTY=pts/1 ; PWD=/home/someuser ; USER=root ; COMMAND=/usr/bin/su -
Jul 14 08:03:03 servera su: + 1 someuser-root

Thanks,
Kyle

vbe · July 15, 2008, 12:07pm

I to solve a similar request have added in /etc/profile:
LOG='who am i -R'
ME=$LOGNAME
(date;echo $ME;$LOG)|xargs >>/var/adm/logged_in

Then its just a question of looking at last, lastb syslog.log sudo.log sulog etc.. and logged_in to try to guess who is who at a given time

Ikon · July 15, 2008, 1:03pm

I had considered that, but I have a problem with the "guess who is who at a given time". If one person is logged in frmo multiple locations you would never know who is who. In linux there is a log_host parameter to activate but not in HP-UX, that I have yet found.

I had considered renaming the sudo command and creating a script called sudo that the users would run that would write logs and the script would actually call the sudo command. But the problem is if the script would not complete until the sudo command was completed, so if the user ran 'sudo su -' and didnt logoff the final log entry wouldnt be written until they logged off, which there are some that stay logged in for days.

vbe · July 15, 2008, 1:16pm

And in the more delicate users profile (dedicated users for production etc... and root...)
# Set up the shell variables:
EDITOR=vi
export EDITOR

    SUFF=\`who am i -R| awk -F " " '\{print $1"."$NF\}'\`
    HISTFILE=$HOME/.sh_history.$SUFF
    print -s "LOGIN - \`date '\+%m-%d-%E-%H:%M'\`"
    HISTSIZE=4098
    export HISTFILE HISTSIZE
    export ENV=$HOME/.kshrc

But this gives you more work (looking at all these new files and being sure you have enough space...)