SUDOSH CONFIGURATION
Question:- shashikant shah
I am managing a team of Linux System Administrators, which manages a large number of servers remotely. These admins require root-level privileges on servers. Now how can I keep track of each user's activity for audit purposes and keep a record of each command executed on a server? Recommend an open source application on Linux.
What is Sudosh?
sudosh is a shell wrapper that logs all keystrokes of a terminal, together with the output, and saves them into a file whose name is randomly generated for each session. rootsh also supports logging to syslog, but that is a bad idea because a syslog file can easily be removed by a root user.
We will create a separate folder for the logs, apply group-level permissions to it, and set the append-only attribute so that group members can only add to this folder, not remove or alter what is already there; this keeps the log files secure.
Install some packages:
1. yum install gcc*
2. yum install perl*
3. yum install pam-devel*
4. rpm -qa | egrep -i 'gcc|make|pam-devel'
MAKEDEV-3.23-1.2
gcc44-gfortran-4.4.0-6.el5
make-3.81-3.el5
gcc-gfortran-4.1.2-46.el5
gcc-4.1.2-46.el5
gcc-c++-4.1.2-46.el5
gcc-java-4.1.2-46.el5
libgcc-4.1.2-46.el5
compat-libgcc-296-2.96-138
gcc-objc-4.1.2-46.el5
gcc-gnat-4.1.2-46.el5
pam-devel-0.99.6.2-6.el5
gcc-objc++-4.1.2-46.el5
gcc44-4.4.0-6.el5
gcc44-c++-4.4.0-6.el
5. Install the sudosh shell:
Install from sudosh-1.8.2.tar.gz; the shell is placed at /usr/local/bin/sudosh.
OR
Install sudosh-1.8.2-2.el5.rf.i386.rpm; the shell is placed at /usr/bin/sudosh.
6. Create the user with sudosh as login shell:
# useradd -s /usr/local/bin/sudosh shashi   {shashi = username}
OR set sudosh as the default shell for new users:
# vim /etc/default/useradd
SHELL=/usr/bin/sudosh
# useradd shashi
# passwd shashi
7. Check the user's shell:
# grep shashi /etc/passwd
shashi:x:500:500::/home/shashi:/usr/local/bin/sudosh
8. Add the shell path to the list of valid login shells:
# vim /etc/shells
/usr/bin/sudosh
/usr/local/bin/sudosh
9. Create the log directory (mode 0733 lets sudosh write session logs that ordinary users cannot list or read; chattr +a makes the directory append-only so existing logs cannot be deleted or renamed):
# sudosh -i
# mkdir /var/log/sudosh
# chmod 0733 /var/log/sudosh
# chattr +a /var/log/sudosh
11. Add these lines to the sudoers configuration file (alias names are case-sensitive and must be upper case, so the rule must use ADMINS, not admins):
User_Alias ADMINS = shashi, jk
#SUDOSH shell
Cmnd_Alias SUDOSH = /usr/local/bin/sudosh
ADMINS ALL=SUDOSH
12. Start a logged root shell:
# sudo sudosh
13. Check the recorded sudosh sessions:
# sudosh-replay
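To confirm that the setup above is in place on a host, the following shell script (an added example, not part of the original post) checks the log directory mode and append-only attribute, that the sudosh shell is registered in /etc/shells, and which accounts use it as login shell. It assumes the paths used above (/var/log/sudosh, /usr/local/bin/sudosh) and GNU stat/lsattr, as on the RHEL/CentOS 5 hosts the post describes; paths are passed as arguments so the checks can be run against copies of the files.

```shell
#!/bin/sh
# Audit helpers for the sudosh setup (added example, not sudosh's own code).

# logdir_mode_ok DIR: the log directory must be mode 0733 so sudosh can
# create session logs while ordinary users cannot list or read them.
logdir_mode_ok() {
    [ -d "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "733" ]
}

# logdir_append_only DIR: the +a attribute (chattr +a) stops anyone, root
# included, from deleting or renaming existing logs until it is cleared.
logdir_append_only() {
    lsattr -d "$1" 2>/dev/null | awk '{ print $1 }' | grep -q 'a'
}

# shell_registered SHELL SHELLS_FILE: a login shell that is not listed in
# /etc/shells is rejected by chsh and by services that consult that file.
shell_registered() {
    grep -qx "$1" "$2"
}

# sudosh_users PASSWD_FILE SHELL: print the accounts whose login shell is
# sudosh, i.e. the admins whose sessions will be recorded.
sudosh_users() {
    awk -F: -v sh="$2" '$7 == sh { print $1 }' "$1"
}

# audit_sudosh DIR SHELL SHELLS_FILE PASSWD_FILE: run every check, report
# each failure, and return 1 if any check failed.
audit_sudosh() {
    dir="$1"; shell="$2"; shells="$3"; passwd="$4"; rc=0
    logdir_mode_ok "$dir" || { echo "FAIL: $dir must be a directory with mode 0733"; rc=1; }
    logdir_append_only "$dir" || { echo "FAIL: $dir lacks the append-only (+a) attribute"; rc=1; }
    shell_registered "$shell" "$shells" || { echo "FAIL: $shell is not listed in $shells"; rc=1; }
    [ -n "$(sudosh_users "$passwd" "$shell")" ] || { echo "FAIL: no account uses $shell as login shell"; rc=1; }
    return $rc
}

# On a live host (run as root):
# audit_sudosh /var/log/sudosh /usr/local/bin/sudosh /etc/shells /etc/passwd
```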