[sudo-users] Logging a Mandatory Comment with Each Use of sudo

donald.ritchey at exeloncorp.com donald.ritchey at exeloncorp.com
Wed Sep 13 17:26:31 EDT 2006

Add the following shell application to the same location as sudo and
make it read/execute only and owned by root.

exit 0;

Name the command "sudonote" and add an entry for it in a Cmd_Alias in
your sudoers file.

Add the "sudonote" Cmd_Alias to each of the user rules in your sudoers

Instruct the users to run the command 'sudonote' with an explanation of
the reason for the command as the arguments of the command.  This should
have no effect on the system (the /bin/false shell ensures that the
command can do nothing) and it will get logged with the command being
run.  You can extract this from the sudo log file with the appropriate

You may need to ensure that the user cannot affect files on the system
by using redirection in the arguments (test this by doing "sudo sudonote
this is a test >/foobar", assuming that only root can write to the root
directory /).  If the file foobar exits, then you need to try another
means to logging.

Hopefully this will get your started on a solution.

Best wishes,

Don Ritchey
Information Technology, Exelon Corporation

-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of
handrews at worldbank.org
Sent: Wednesday, September 13, 2006 3:41 PM
To: sudo-users at sudo.ws
Subject: [sudo-users] Logging a Mandatory Comment with Each Use of sudo

My department is tightening up its auditing of the use of privileged
accessed via sudo.  Management is concerned that application
administrators can
so casually sudo into the administrative accounts without having to log
kind of explanation of what they're up to.

Apologies in advance if this question has already been raised, but does
have the capability to require an interactive user to enter some kind of
upon successful authentication?  This message, maybe just a line of text
(supplied as a command line argument or on the standard input), would be
to sudo's logs along with all of the other, usual logging information.

Or would enhanced logging functionality belong not in sudo itself but in
other piece invoked by sudo?

Again, sorry if this subject is old hat.


sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:

This e-mail and any of its attachments may contain Exelon
Corporation proprietary information, which is privileged,
confidential, or subject to copyright belonging to the Exelon
Corporation family of Companies.
This e-mail is intended solely for the use of the individual or
entity to which it is addressed.  If you are not the intended
recipient of this e-mail, you are hereby notified that any
dissemination, distribution, copying, or action taken in relation
to the contents of and attachments to this e-mail is strictly
prohibited and may be unlawful.  If you have received this e-mail
in error, please notify the sender immediately and permanently
delete the original and any copy of this e-mail and any printout.
Thank You.

More information about the sudo-users mailing list