Monday, July 25, 2016

sudosh configuration

Sudosh is designed specifically to be used in conjunction with sudo or by itself as a login shell. Sudosh allows the execution of a root or user shell with logging. Every command the user types within the root shell is logged as well as the output.

This differs from "sudo -s" or "sudo /bin/sh": when you use one of those instead of sudosh to start a new shell, the commands typed in that shell are not logged to syslog; only the fact that a new shell started is logged.

If the newly started shell supports command-line history, you can still find the commands run in it in a file such as .sh_history, but if you use a shell such as csh that does not keep a history file you are out of luck.

Sudosh fills this gap. No matter what shell you use, all of the command lines are logged to syslog (including vi keystrokes). In fact, sudosh uses the script command to log all keystrokes and output.

Setting up sudosh is fairly easy. For a Linux system, first download the RPM of sudosh, for example from http://sourceforge.net/projects/sudosh/. Then install it on your Linux server:

Install the sudosh RPM:

[root@localhost ~]# rpm -ivh sudosh-1.8.2-2.el5.rf.i386.rpm


Then open /etc/sudosh.conf. Here you can adjust the default shell that is started and the location of the log files. By default, the log directory is /var/log/sudosh. Make sure this directory exists on your server, or change it to another existing directory in sudosh.conf.

This command will set the correct permissions on the log directory:

[root@localhost ~]# sudosh -i
[info]: chmod 0733 directory /var/log/sudosh
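As an added check, not part of the original post or of the sudosh project, here is a small Python audit of the log directory's mode. The point of the 0733 that sudosh -i applies is that users can create their own transcript files in the directory but cannot list it, so one user's sessions cannot be enumerated by another. The `require_root` parameter and the `demo()` run on a temporary directory are my own assumptions for illustration.

```python
import os
import stat
import tempfile

# Mode that 'sudosh -i' applies (from the post): owner rwx, group and others
# write+execute only, so users can create their own transcripts in the
# directory but cannot list it.
EXPECTED_MODE = 0o733


def audit_logdir(path, require_root=True):
    """Return a list of findings for a sudosh log directory; empty means OK."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist: create it or change the log directory in /etc/sudosh.conf"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != EXPECTED_MODE:
        findings.append(f"{path} has mode {mode:04o}, expected {EXPECTED_MODE:04o} (run 'sudosh -i')")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path} is listable by group or others: session transcripts can be enumerated")
    if require_root and st.st_uid != 0:
        findings.append(f"{path} is owned by uid {st.st_uid}, not root")
    return findings


def demo():
    """Exercise the audit on a constructed temporary directory (assumed not root-owned)."""
    d = tempfile.mkdtemp()
    results = {}
    os.chmod(d, 0o733)
    results["correct"] = audit_logdir(d, require_root=False)
    os.chmod(d, 0o755)  # a typical mkdir default: world-listable
    results["world_readable"] = audit_logdir(d, require_root=False)
    results["missing"] = audit_logdir(os.path.join(d, "missing"), require_root=False)
    os.rmdir(d)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["OK"])
```

Run it against the real directory with `audit_logdir("/var/log/sudosh")` after `sudosh -i`; an empty list means the mode and owner match what the post shows.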

Then, if you want to assign a user sudosh access, edit the /etc/sudoers file by running visudo, and add the following line:

[root@localhost ~]# vim /etc/sudoers
username ALL=PASSWD:/usr/bin/sudosh

Now, the user can login, and run the following command to gain root access: 

[root@localhost ~]# sudo sudosh
Password:

[root@localhost ~]# whoami
root

Now, as a sysadmin, you can view the log files created in /var/log/sudosh, but it is much cooler to use the sudosh-replay command to replay (like a VCR) the actual session as run by the user with sudosh access.

First, run sudosh-replay without any parameters to get a list of the sessions that took place using sudosh:

[root@localhost ~]# sudosh-replay
Date                Duration  From     To    ID
====                ========  ====     ==    ==
10/05/2012 18:48:17 31s       root     root  root-root-1349443097-EKVhJTwVT78bHAk2
10/05/2012 18:50:17 6s        shekhar  root  hungamasdp-root-1349443217-d7SrYA0E6vY9NVNA
Usage: sudosh-replay ID [MULTIPLIER] [MAXWAIT]
See 'sudosh-replay -h' for more help.
Example: sudosh-replay shekhar-root-1349443217-d7SrYA0E6vY9NVNA 1 2
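For a quick audit of many sessions it helps to parse this listing rather than read it by eye. The following Python parser is an added example, not code from the post or from sudosh. It reads the columns shown above, pulls the Unix epoch out of the session ID (the ID format on the page is from-to-epoch-random), converts it to UTC, and flags two things a reviewer would want to see: sessions where the From and To users differ (a privilege change), and rows whose ID prefix does not match the From/To columns, as happens with the second row of the listing above (From is shekhar, the ID begins with hungamasdp). The sample is constructed from the page's own rows; treating the listed date as local time and the m/h duration units are my assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample reproducing the sudosh-replay listing shown in the post,
# including its row whose From column does not match the ID prefix.
SAMPLE_LISTING = """\
Date Duration From To ID
==== ======== ==== == ==
10/05/2012 18:48:17 31s root root root-root-1349443097-EKVhJTwVT78bHAk2
10/05/2012 18:50:17 6s shekhar root hungamasdp-root-1349443217-d7SrYA0E6vY9NVNA
Usage: sudosh-replay ID [MULTIPLIER] [MAXWAIT]
See 'sudosh-replay -h' for more help.
"""

# One session row: date, time, duration, from-user, to-user, session ID.
# Only the "Ns" duration form appears in the post; m and h are an assumption.
ROW_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<dur>\d+)(?P<unit>[smh]) (?P<frm>\S+) (?P<to>\S+) (?P<sid>\S+)$"
)
# The session ID embeds a Unix epoch between the user names and a random suffix.
EPOCH_RE = re.compile(r"-(?P<epoch>\d{9,10})-[A-Za-z0-9]+$")
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}


def parse_listing(text):
    """Parse sudosh-replay's session table into dicts; header and usage lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        sid = m["sid"]
        e = EPOCH_RE.search(sid)
        epoch = int(e["epoch"]) if e else None
        # The listed timestamp is taken to be the host's local time (assumption).
        listed = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
        flags = []
        if m["frm"] != m["to"]:
            flags.append("privilege-change")  # user obtained another identity's shell
        if epoch is None:
            flags.append("no-epoch-in-id")
        elif not sid.startswith(f"{m['frm']}-{m['to']}-{epoch}-"):
            flags.append("id-mismatch")  # From/To columns disagree with the ID prefix
        sessions.append({
            "listed_local": listed,
            "duration_s": int(m["dur"]) * UNIT_SECONDS[m["unit"]],
            "from": m["frm"],
            "to": m["to"],
            "id": sid,
            "epoch": epoch,
            "started_utc": datetime.fromtimestamp(epoch, tz=timezone.utc) if epoch else None,
            "flags": flags,
        })
    return sessions


def listed_offset(session):
    """Difference between the listing's local timestamp and the ID's UTC epoch."""
    return session["listed_local"] - session["started_utc"].replace(tzinfo=None)


def flagged(sessions):
    """Sessions that deserve a closer look (any flag set)."""
    return [s for s in sessions if s["flags"]]


if __name__ == "__main__":
    for s in parse_listing(SAMPLE_LISTING):
        print(s["started_utc"].isoformat(), s["from"], "->", s["to"],
              f"{s['duration_s']}s", s["flags"], "offset", listed_offset(s))
```

On the page's rows the epochs decode to 13:18:17 and 13:20:17 UTC, five and a half hours behind the listed times, so `listed_offset` gives the same value for both and tells you which timezone the listing was printed in; a row with a different offset, or a non-empty `flags` list, is the one to replay first.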

Now you can actually replay the session by (for example) running:

[root@localhost ~]# sudosh-replay root-root-1284653707-GCw26NSq 1 5

Note: this plays back the recording of the commands the user ran, including their output.
