Log files

Florian Weps wpf at telekurs.com
Wed Jan 24 02:44:47 EST 2001

> Our company is running sudo to control what our users do.

Sudo is a good tool for that. Allowing selective access to privileged commands
is what sudo does really well. It's not fool-proof, but it's better than using
shared accounts, for example. It also keeps logs, which can be useful when
reconstructing past events.

> Now we would like to monitor what our aix administrators do. We don't want to
> hinder the administrators but we want to audit them once in a while.

Sudo is entirely the wrong tool for that. You may not have investigated too
closely how it works, so let me mention a few points:

	o Sudo is about access control, not auditing. Modern UNIX-like
	  operating systems usually come with some kind of auditing facility
	  built-in, which is much harder to circumvent than sudo's syslogs.

	o Sudo only logs its command lines. It will NOT log commands entered
	  in shells started via sudo, or in scripts started via sudo. Even
	  restricting access to a few commands does not help. Read the
	  documentation that comes with sudo. I recall a passage about

	o Sudo will not prevent determined users from circumventing the logging
	  of their activities. But you wish to audit your sysadmins. Assuming
	  you communicated this to your sysadmins really well, and they ...
	  consent ... there is still no way you can be sure of your logs
	  reporting anything useful. Remember: the root account has the power to
	  read and write any file - including config files and logs. Modifying
	  syslogs - even if directed to a centralized machine - would be almost
	  trivial. This is a battle you can't win; it may be a playful battle,
	  if you haven't angered your sysadmins; nevertheless, you will not win
	  it. Cooperation and policy will help you much more.

So if you are serious about auditing sysadmins, use the auditing facility built
into AIX. It was designed for that purpose. Sudo wasn't.

Kind regards

Florian Weps
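
The point above that sudo logs only its own command line can be checked against existing logs. The following is an added example, not part of the original message: it scans sudo syslog records and lists the entries after which sudo records nothing further. It assumes the classic sudo syslog record layout; the sample lines are constructed, and the shell and script-suffix lists are illustrative.

```python
import os
import re

# Assumed log format: classic sudo syslog record,
# "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?"
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Illustrative lists (assumptions): extend for the shells and scripts on your hosts.
SHELLS = {"sh", "ksh", "bash", "csh", "tcsh", "zsh", "su"}  # su also hands out a shell
SCRIPT_SUFFIXES = (".sh", ".ksh", ".pl")

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
Jan 24 02:10:01 aix1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/lsdev -C
Jan 24 02:11:37 aix1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/ksh
Jan 24 02:15:12 aix1 sudo:    alice : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/home/alice/cleanup.sh /var/tmp
Jan 24 02:20:00 aix1 sshd[411]: Accepted password for bob from 192.0.2.10
"""

def classify(command):
    """Return 'shell', 'script' or 'logged' for a sudo COMMAND= value."""
    base = os.path.basename(command.split()[0])
    if base in SHELLS:
        return "shell"      # everything typed afterwards is invisible to sudo
    if base.endswith(SCRIPT_SUFFIXES):
        return "script"     # only the script name is logged, not what it runs
    return "logged"

def audit_gaps(lines):
    """List sudo records after which sudo's log says nothing more."""
    gaps = []
    for line in lines:
        m = SUDO_RE.search(line.rstrip())
        if not m:
            continue        # not a sudo command record
        kind = classify(m["cmd"])
        if kind != "logged":
            gaps.append((m["user"], m["runas"], m["cmd"], kind))
    return gaps

if __name__ == "__main__":
    for user, runas, cmd, kind in audit_gaps(SAMPLE_LOG.splitlines()):
        print(f"{user} -> {runas}: {cmd} [{kind}: later activity is not in sudo's log]")
```

Each reported record marks a point where the sudo log stops describing what was done as the target user; the operating system's own audit facility has to cover what follows.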
