sudo-users digest, Vol 1 #253 - 1 msg

Alek O. Komarnitsky (N-CSC) alek at ast.lmco.com
Wed Oct 31 15:36:06 EST 2001


Why bother using sudo if you are going to do "sudo tcsh"
sudo logged the command ... after that, you are on your own!

You can restrict this from occurring if you specify
a list of commands, but for sysadmins, you probably 
have to do an "ALL" ... and it's not practical to 
try to close all the "root shell" holes that exist.

So some simple education is probably in order;
I've found three different types of admins on this issue:
   1. The "really good" ones who would NEVER do a "sudo tcsh"
      or other type of monkey business because we WANT what we
      do to be logged (typos and all).

   2. The "newbie" Sysadmins - if one of the above admins tells
      them never to do "sudo tcsh" (or sudo su -), then that's
      good enough for them. Start these folks with good habits!   ;-)

   3. The "I've been around a while and I know this stuff, so I'll
      just do what I damn well please" Sysadmins ... for these people,
      I'd take away the root password and restrict them to a command set
      until they get with the program. Yep, that's MUCH easier said than done!
      Note that these people probably don't like sudo in the first place;
      "I've also done a `su -` so what's wrong with that?!?"

BTW, I would also STRONGLY discourage group accounts (sysadmin in
the example below?) from having unrestricted sudo access, as this
somewhat defeats the purpose of personal accountability.

alek



> From: bruno.gallant at ps.ge.com
> Subject: RE: sudo-users digest, Vol 1 #253 - 1 msg
> To: sudo-users at courtesan.com
> 
> 
> I tried that, but same thing: when logging in, it gives a line like:
> 
> Oct 31 15:16:12 : sysadmin : TTY=ttyq0 ; PWD=/root ; USER=root ;
> COMMAND=/bin/tcsh
> 
> but no further commands, even if I vi files, cd everywhere, etc.
> 
> thanks for your help!
> 
> -----Original Message-----
> From: Dana Kaempen [mailto:decay at flash.net]
> Sent: 31 October 2001 14:31
> To: sudo-users at courtesan.com
> Subject: Re: sudo-users digest, Vol 1 #253 - 1 msg
> 
> 
> Bruno asked:
> > I just installed sudo, and am trying it out.  When a user logs in with it,
> > a log entry is sent to the syslog file of the configured syslog host, but
> > no commands entered by the user are sent.
> You need a line like the following in /etc/sudoers to log user commands:
> Defaults       logfile=/var/adm/sudo.log
> 
> Also, you *may* need to create the file by typing this to create a blank
> file:
> >/var/adm/sudo.log
> 
> Works like a charm
> -- 
> ..d..ecay
> 
> mailto:decay at flash.net
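As an added example (not from any poster in this thread), a constructed /etc/sudoers fragment that puts the two points above together: Dana's `Defaults logfile` line, and Alek's advice to give personal accounts an allow-list of commands instead of giving a shared "sysadmin" account ALL. The hostnames, user names and command paths are assumptions.

```sudoers
# Constructed sudoers fragment (added example, not from the thread).
# User names, group name and command paths are assumptions.

# 1. Log every sudo invocation to a file as well as syslog (the line
#    recommended in the thread). Note what this does and does not cover:
#    "sudo tcsh" produces exactly one log line, and nothing typed inside
#    that shell is recorded.
Defaults        logfile=/var/adm/sudo.log

# 2. Weak: a shared group account with unrestricted access. No log line
#    can be tied to a person, and "sudo tcsh" is permitted.
#sysadmin       ALL=(ALL) ALL

# 3. Better: personal accounts, each limited to an allow-list of admin
#    commands. No shell, editor or other program that can spawn a shell
#    appears in the list, so the sudo log is the complete record of what
#    was run as root.
Cmnd_Alias      SERVICES = /sbin/service, /usr/sbin/apachectl
Cmnd_Alias      PACKAGES = /usr/bin/yum, /usr/bin/apt-get
Cmnd_Alias      DISKS    = /bin/mount, /bin/umount, /sbin/fdisk -l
Cmnd_Alias      SHELLS   = /bin/sh, /bin/bash, /bin/tcsh, /bin/csh

alice           ALL=(root) SERVICES, PACKAGES, DISKS
bob             ALL=(root) SERVICES

# 4. Admins who genuinely need ALL: still a personal account, with the
#    shells excluded. "ALL, !SHELLS" is only a speed bump, as the sudoers
#    manual warns: anyone with ALL can reach a root shell another way,
#    which is the thread's point that closing every root-shell hole is
#    impractical. Prefer the allow-lists above wherever possible.
carol           ALL=(ALL) ALL, !SHELLS

# 5. sudo 1.7.4 and later (well after this 2001 thread) can also record
#    the whole terminal session, which does capture what happens inside
#    an escaped shell:
#Defaults       log_output
```

Edit the file with `visudo`, which checks the syntax before saving, and have each user run `sudo -l` to see exactly which commands they have been granted.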


