Log files
Florian Weps
wpf at telekurs.com
Wed Jan 24 02:44:47 EST 2001
> Our company is running sudo to control what our users do.
Sudo is a good tool for that. Allowing selective access to privileged commands
is what sudo does really well. It's not fool-proof, but it's better than using
shared accounts, for example. It also keeps logs, which can be useful when
reconstructing past events.
> Now we would like to monitor what our aix administrators do. We don't want to
> hinder the administrators but we want to audit them once in a while.
Sudo is entirely the wrong tool for that. You may not have investigated too
closely how it works, so let me mention a few points:
o Sudo is about access control, not auditing. Modern UNIX-like
operating systems usually come with some kind of auditing facility
built-in, which is much harder to circumvent than sudo's syslogs.
o Sudo only logs its command lines. It will NOT log commands entered
in shells started via sudo, or in scripts started via sudo. Even
restricting access to a few commands does not help. Read the
documentation that comes with sudo. I recall a passage about
policy.
o Sudo will not prevent determined users from circumventing the logging
of their activities. But you wish to audit your sysadmins. Assuming
you communicated this to your sysadmins really well, and they ...
consent ... there is still no way you can be sure of your logs
reporting anything useful. Remember: the root account has the power to
read and write any file - including config files and logs. Modifying
syslogs - even if directed to a centralized machine - would be almost
trivial. This is a battle you can't win; it may be a playful battle,
if you haven't angered your sysadmins; nevertheless, you will not win
it. Cooperation and policy will help you much more.
So if you are serious about auditing sysadmins, use the auditing facility built
into AIX. It was designed for that purpose. Sudo wasn't.
Kind regards
Florian Weps
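The point above that sudo logs only its command lines, shown as an added example that is not part of the original post or of sudo itself: a small Python script that parses sudo's default syslog records and flags every entry whose logged COMMAND is a shell, an escapable program, an interpreter or a script, i.e. an entry where the log cannot say what actually ran as root. The log lines, the host name aix01, the user names and the paths are constructed samples; the lists of "opaque" programs and the .sh heuristic are assumptions for illustration.

```python
"""Parse sudo's syslog lines and flag entries whose COMMAND lets the caller
run further commands that sudo will never log.

Added example, not code from the original post or from sudo.  The log lines
below are constructed samples in sudo's default syslog format; the host name,
user names and paths are made up for illustration.
"""
import os
import re

# Constructed sample records (not real log data).
SAMPLE_LOG = """\
Jan 24 02:40:01 aix01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/lsattr -El sys0
Jan 24 02:41:15 aix01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/sh
Jan 24 02:42:03 aix01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Jan 24 02:43:30 aix01 sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/local/bin/backup.sh
Jan 24 02:44:00 aix01 sudo:    alice : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ksh
"""

# Programs that give the caller an interactive or scriptable way to run
# further commands as root.  sudo records only the COMMAND= line; nothing
# typed into the shell/editor or executed by the script reaches syslog.
# These sets are an illustrative assumption, not an exhaustive list.
SHELLS = {"sh", "ksh", "csh", "bash", "tcsh", "zsh"}
ESCAPABLE = {"vi", "vim", "ed", "ex", "emacs", "more", "less", "man"}
INTERPRETERS = {"perl", "awk", "python", "ruby", "tclsh"}

# sudo's default syslog format: "<user> : [<reason> ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_line(line):
    """Return the fields of one sudo syslog line as a dict, or None if it is not one."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def opacity_reason(command):
    """Explain why the logged COMMAND hides what really ran, or None if it is self-describing."""
    parts = command.split()
    name = os.path.basename(parts[0]) if parts else ""
    if name in SHELLS:
        return "shell: commands typed into it are not logged"
    if name in ESCAPABLE:
        return "program with shell escapes (:!cmd / !cmd): escapes are not logged"
    if name in INTERPRETERS:
        return "interpreter: the code it runs is not logged"
    if name.endswith(".sh"):  # heuristic: scripts are opaque whatever their name
        return "script: the commands inside it are not logged"
    return None


def audit_gaps(log_text):
    """Split sudo records into (gaps, denials).

    gaps:    (user, runas, command, reason) for successful runs whose command
             sudo cannot account for.
    denials: (user, reason, command) for refused attempts, which carry a
             reason field such as 'user NOT in sudoers'.
    """
    gaps, denials = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["reason"]:
            denials.append((rec["user"], rec["reason"].strip(), rec["cmd"]))
            continue
        why = opacity_reason(rec["cmd"])
        if why:
            gaps.append((rec["user"], rec["runas"], rec["cmd"], why))
    return gaps, denials


if __name__ == "__main__":
    found_gaps, found_denials = audit_gaps(SAMPLE_LOG)
    for user, runas, cmd, why in found_gaps:
        print(f"GAP   {user} -> {runas}: {cmd}  [{why}]")
    for user, why, cmd in found_denials:
        print(f"DENY  {user}: {cmd}  [{why}]")
```

Run against the sample, the script reports three of the four successful runs as gaps (the shell, the editor and the script) and the lsattr call as the only fully described one; that ratio is the practical reason the post points to the operating system's audit facility instead of sudo's logs.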