[sudo-users] Logging a Mandatory Comment with Each Use of sudo

Huibert.Kivits at mail.ing.nl
Thu Sep 14 06:23:14 EDT 2006

Hi Chip,

You could consider using "rootsh" in combination with sudo. It should
not only work with the user root, but with other accounts as well.
What it does is basically the following:
- via sudo, you authorize people to start a shell that runs under
another user
- subsequently, all keystrokes are logged.

Originally, rootsh would log both input and output. But you should be
able to compile it in such a way that only input is logged.

Check it out on sourceforge.

There is an alternative, which was called "sudosh", but which now has
another name, EAS, meaning something like "Enterprise Auditing Shell".

With kind regards,

Huibert Kivits
"...all too often, when organizations develop information security
programs, they treat security issues as a simple 'check-box' on the list
of required corporate functions."
Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001,
ISBN: 0-596-00130-4

-----Original message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On behalf of handrews at worldbank.org
Sent: Wednesday 13 September 2006 22:41
To: sudo-users at sudo.ws
Subject: [sudo-users] Logging a Mandatory Comment with Each Use of

My department is tightening up its auditing of the use of privileged
accounts accessed via sudo.  Management is concerned that application
administrators can so casually sudo into the administrative accounts
without having to log some kind of explanation of what they're up to.

Apologies in advance if this question has already been raised, but does
sudo have the capability to require an interactive user to enter some
kind of message upon successful authentication?  This message, maybe
just a line of text (supplied as a command line argument or on the
standard input), would be written to sudo's logs along with all of the
other, usual logging information.

Or would enhanced logging functionality belong not in sudo itself but in
some other piece invoked by sudo?

Again, sorry if this subject is old hat.


Chip

____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
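A wrapper of the kind Huibert describes (a shell started through sudo rather than sudo itself doing the extra work), extended to answer Chip's actual question: the wrapper refuses to start the session until the caller supplies a justification, writes it to syslog in a sudo-style line so it lands next to sudo's own record, and only then execs the shell. This is an added example, not code from the thread, from sudo or from rootsh; the sudoers entry, group name, target user, install path, the MIN_REASON_LEN policy and the syslog facility are assumptions.

```shell
#!/bin/sh
# sudo-reason: a wrapper meant to be invoked *through* sudo. It refuses to
# start a shell until the caller gives a justification, logs that
# justification to syslog in a sudo-like "key=value ; key=value" line, then
# execs a shell as the target user.
#
# Added example, not from the thread, sudo or rootsh. Assumed sudoers entry
# (hypothetical group, target user and path):
#   %appadmins ALL=(appuser) /usr/local/sbin/sudo-reason
# Usage:
#   sudo -u appuser /usr/local/sbin/sudo-reason "INC-1234: rotate app keys"
#   sudo -u appuser /usr/local/sbin/sudo-reason      # prompts on the tty
set -u

MIN_REASON_LEN=${MIN_REASON_LEN:-8}   # assumed local policy, not a sudo setting
LOG_TAG=sudo-reason

# trim STRING: print STRING with leading/trailing whitespace removed.
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# validate_reason STRING: exit 0 if STRING is an acceptable justification.
# Rejects control characters first (a newline or ESC inside the reason could
# forge a second syslog line or hide the real one, defeating the audit),
# then empty/whitespace-only text and text shorter than MIN_REASON_LEN.
validate_reason() {
    r=$1
    [ "$(printf '%s' "$r" | tr -d '[:cntrl:]')" = "$r" ] || return 1
    r=$(trim "$r")
    [ -n "$r" ] || return 1
    [ "${#r}" -ge "$MIN_REASON_LEN" ] || return 1
    return 0
}

# format_audit_line CALLER TTY PWD TARGET REASON: print the record to log,
# mirroring the field order of sudo's own log line
# ("user : TTY=... ; PWD=... ; USER=... ; COMMAND=...").
format_audit_line() {
    printf '%s : TTY=%s ; PWD=%s ; USER=%s ; REASON=%s\n' "$1" "$2" "$3" "$4" "$5"
}

# log_reason LINE: send LINE to syslog via logger(1). authpriv.notice is
# where sudo logs on many systems (assumption: match your sudo/syslog setup).
log_reason() {
    logger -p authpriv.notice -t "$LOG_TAG" -- "$1"
}

main() {
    reason=${1:-}
    if [ -z "$reason" ]; then
        if [ -t 0 ]; then
            printf 'Reason for this privileged session: ' >&2
            IFS= read -r reason
        else
            echo "$LOG_TAG: no reason given and no tty to prompt on" >&2
            exit 1
        fi
    fi
    if ! validate_reason "$reason"; then
        echo "$LOG_TAG: refusing to start: reason must be one line of at least $MIN_REASON_LEN printable characters" >&2
        exit 1
    fi
    reason=$(trim "$reason")
    caller=${SUDO_USER:-$(id -un)}          # sudo exports SUDO_USER to the child
    tty_name=$(tty 2>/dev/null) || tty_name=unknown
    line=$(format_audit_line "$caller" "$tty_name" "$PWD" "$(id -un)" "$reason")
    # No audit record, no session: that is the whole point of the wrapper.
    log_reason "$line" || { echo "$LOG_TAG: could not write audit record" >&2; exit 1; }
    # Hand over to the session. For the keystroke logging Huibert describes,
    # exec rootsh or script(1) here instead (assumption: their flags depend on
    # the installed version).
    exec "${TARGET_SHELL:-/bin/sh}" -l
}

# Run only when installed under the expected name and started through sudo;
# otherwise the file just defines the functions (useful for testing them).
if [ "${0##*/}" = "$LOG_TAG" ] && [ -n "${SUDO_USER:-}" ]; then
    main "$@"
fi
```

Two practical caveats. A reason passed as a command-line argument also shows up in sudo's own COMMAND= field and in the process list, which is convenient for correlation but visible to other users; the prompt form keeps it out of `ps`. And because the reason is free text chosen by the person being audited, the control-character check is not cosmetic: a justification containing a newline would otherwise let the user write an extra, plausible-looking syslog line of their own.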
