sudo/sudoers

Dear folks.

Considering PCI DSS standards, I have a requirement to use sudo(ers) to log everything a certain user executes with root privileges.

Now, for an admin it's just a pain in the ass to prefix every command with sudo.

The only way I can think of is making .aliases and, with some awk magic, making every executable like:

alias ls="sudo ls"

Is there any better way perhaps?

Thanks and regards.

???

sudo bash
sudo su

That's not logged then, if you invoke a shell.

It will log only the shell invocation and nothing after, e.g.

Aug  3 13:08:09 hostname sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; TSID=00000G ; COMMAND=/sbin/sh

If you use

sudo ls -lrt

You get:

Aug  3 13:05:47 hostname sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; TSID=00000E ; COMMAND=/usr/bin/ls -lrt

Regards.
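The two log lines above show the gap: after a `COMMAND=/sbin/sh` record, sudo writes nothing about what that shell then runs. As an added example, not code from this thread, here is a small POSIX sh/awk filter that picks those shell and su invocations out of sudo syslog lines so an auditor can review them; the sample lines are constructed in the same format as the ones quoted above.

```shell
#!/bin/sh
# Constructed sample sudo log lines, modelled on the format quoted in the thread.
SAMPLE_LOG='Aug  3 13:08:09 hostname sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; TSID=00000G ; COMMAND=/sbin/sh
Aug  3 13:05:47 hostname sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; TSID=00000E ; COMMAND=/usr/bin/ls -lrt
Aug  4 19:54:49 uf3 sudo:     jazu : TTY=pts/0 ; PWD=/home/jazu/tmp ; USER=root ; COMMAND=/usr/bin/touch /etc/abcd
Aug  4 19:55:30 uf3 sudo:     jazu : TTY=pts/0 ; PWD=/home/jazu/tmp ; USER=root ; COMMAND=/bin/su -
Aug  4 19:56:02 uf3 sudo:     jazu : TTY=pts/0 ; PWD=/home/jazu/tmp ; USER=root ; COMMAND=/bin/bash'

# Read sudo log lines on stdin and print "user command" for each one whose
# COMMAND is a shell or su, i.e. a point after which sudo logs nothing further.
# Usage on a real system: flag_shell_escapes < /var/log/auth.log
flag_shell_escapes() {
    awk '
        /sudo: / && /COMMAND=/ {
            # The invoking user is the field right after "sudo:".
            for (i = 1; i <= NF; i++) if ($i == "sudo:") { user = $(i + 1); break }
            sub(/.*COMMAND=/, "")        # keep only the command and its arguments
            exe = $1                     # awk re-splits $0, so $1 is the executable
            sub(/.*\//, "", exe)         # basename of the executable
            if (exe ~ /^(sh|bash|ksh|dash|zsh|csh|tcsh|su)$/)
                print user, $0
        }'
}

# Number of shell/su escapes in the constructed sample (expected: 3).
count_shell_escapes() {
    printf '%s\n' "$SAMPLE_LOG" | flag_shell_escapes | wc -l | tr -d ' '
}
```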

Well... Just an idea.
In bash you can unset $PATH in your .bashrc and set a special bash function "command_not_found_handle" which sets a local PATH variable and then invokes the command: sudo "$@".

Well, I did try but to no avail.
I found an example function to avoid sudo completely and log root commands, but it runs in an infinite loop using the POSIX shell (/sbin/sh) and trap <function> DEBUG.
I'm unable to determine why it works in everything besides the POSIX shell :wall:

This is the code (this works in ksh and bash, but I'm not changing the default root shell, since if /usr is not available the machine won't boot.)
This is .profile

function cmd2sys
{
        # Last command from the shell history (fc is a builtin in ksh and bash).
        CMD=$(fc -ln -0)
        USER=$(whoami)
        # One syslog record per command on facility local1; the message is quoted
        # so it reaches logger as a single argument.
        logger -p local1.notice -i "COMMAND=$CMD ; USER=$USER ; PWD=$PWD"
}
# Run cmd2sys before every command (the DEBUG trap is a ksh/bash extension, not POSIX sh).
trap cmd2sys DEBUG

Can you be more specific: how would you prefix every command with sudo in a bash shell using command_not_found_handle?

Thanks a lot.
Regards
Peasant.

It was just an idea. But it seems it works. The only quirk is that PATH should be set to something. So this works for me:

$ PATH=1
$ function command_not_found_handle () { PATH=/bin:/usr/bin: sudo "$@"; }
$ touch /etc/abcd
$ rm /etc/abcd
$ tail -n3 /var/log/auth.log
Aug  4 19:54:49 uf3 sudo:     jazu : TTY=pts/0 ; PWD=/home/jazu/tmp ; USER=root ; COMMAND=/usr/bin/touch /etc/abcd
Aug  4 19:54:54 uf3 sudo:     jazu : TTY=pts/0 ; PWD=/home/jazu/tmp ; USER=root ; COMMAND=/bin/rm /etc/abcd
Aug  4 19:55:13 uf3 sudo:     jazu : TTY=pts/0 ; PWD=/home/jazu/tmp ; USER=root ; COMMAND=/usr/bin/tail -n3 /var/log/auth.log

Thanks mate, I really appreciate it.

Didn't know that PATH trick; it seems really nice, didn't know it could be used in such a manner.

Regards
Peasant.