[sudo-users] Logging all commands after a user has sudo'ed to another userid

Maguire, Jean (GE, Corporate) Jean.Maguire at ge.com
Thu Oct 9 08:05:49 EDT 2008


Thanks Russell.

You're right it comes down to "cultural change" which as you know is
hard.  I appreciate the feedback.

Thanks again.

Jean 


Jean Maguire
Senior Server Engineer  
GE Asset Management
3001 Summer Street
Stamford, CT  06904
Phone:  203-326-2408
jean.maguire at ge.com

-----Original Message-----
From: Russell Van Tassell [mailto:russell+sudo-users at loosenut.com] 
Sent: Wednesday, October 08, 2008 2:08 PM
To: Maguire, Jean (GE, Corporate)
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Logging all commands after a user has sudo'ed
to another userid


On Wed, Oct 08, 2008 at 11:56:33AM -0400, Maguire, Jean (GE, Corporate)
wrote:
> Just say I create a special group that allows my users to do a #sudo 
> su
> - oracle.  Is there a way for me to log all commands executed while 
> they were sudo'ed to oracle id?

Simple answer: No
Slightly longer answer: Maybe
Longer answer: Why?

There are other tools/utilities out there to do this, such as OSH (a
restricted "operator's" shell).  Sudo isn't a shell utility, but a
simple and secure way to give folks elevated privileges for a list of
very specific commands across a wide distribution, all while maintaining
an audit trail log integrity of what was done (ideally while NOT
potentially leaving a root shell open).

Yes, it can be abused by simply allowing "sudo su" -- but really, that's
one of the things (IMO) you should strive to shut off and, instead, try
to force more of a cultural change within the organization of using sudo
in front of *every* command where the elevated privilege is needed...
for something like oracle, why not something such as:

% sudo -u oracle sqlplus

(obviously this list is a lot longer)


As was just said here only a day or so ago... rather than granting
broad, all-encompassing privileges you should work to identify
individual tools and commands where elevated privilege is necessary, and
grant THOSE instead.  Really, by allowing things like "su,"
it's really not much better than just distributing the password (since
there's nothing really to prevent folks from something like "sudo su -
user; passwd" or any of a number of other things).


--
Russell M. Van Tassell
russell at loosenut.com

"Never sweat the petty things... and never pet the sweaty things"
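The point Russell makes above, that a "sudo su - oracle" grant ends the audit trail at the moment the shell starts while per-command grants such as "sudo -u oracle sqlplus" leave one sudo log line per invocation, can be checked mechanically against a sudoers file. The script below is an added example, not code from the thread or from the sudo project: it holds a constructed weak fragment beside a constructed hardened one and runs a small awk-based audit that flags any rule whose command list contains su, a login shell, or the ALL command list. The dba group name, the oracle tool paths, and the log file path are all assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the sudo project.
# Audit sudoers rules for grants that hand out a shell, "su", or ALL,
# which stop sudo from logging each command individually.
# Group name, tool paths and logfile below are constructed assumptions.

# Weak fragment: members of dba can become oracle with a full shell, and
# can run anything as root. After "sudo su - oracle", nothing more is logged.
WEAK_SUDOERS='Defaults logfile=/var/log/sudo.log
%dba ALL=(ALL) /bin/su - oracle
%dba ALL=(root) ALL'

# Hardened fragment: each needed tool is granted individually and invoked as
# "sudo -u oracle <tool>", so every use is a separate sudo log entry and
# nothing like "passwd" or a shell is reachable through the grant.
HARDENED_SUDOERS='Defaults logfile=/var/log/sudo.log
Cmnd_Alias ORACLE_TOOLS = /u01/app/oracle/bin/sqlplus, /u01/app/oracle/bin/lsnrctl
%dba ALL=(oracle) ORACLE_TOOLS'

# Read sudoers text on stdin; print "<line>: <rule>" for every rule whose
# command list contains su, a shell, or ALL. Exit 1 if any were found.
find_broad_grants() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # comments, blanks
    /^(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
    {
        line = $0
        sub(/^[^=]*=/, "", line)                               # drop "user host="
        sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "", line)     # drop "(runas)"
        n = split(line, cmds, ",")
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            sub(/^[[:space:]]+/, "", c); sub(/[[:space:]]+$/, "", c)
            sub(/^[A-Z]+:[[:space:]]*/, "", c)                  # tags like NOPASSWD:
            path = c; sub(/[[:space:]].*$/, "", path)           # keep the command path
            if (path == "ALL" ||
                path ~ /(^|\/)su$/ ||
                path ~ /(^|\/)(sh|bash|ksh|csh|tcsh|zsh|dash)$/) {
                print NR ": " $0
                found++
            }
        }
    }
    END { exit (found > 0 ? 1 : 0) }'
}

# Convenience wrapper: print just the number of flagged rules.
count_broad_grants() {
    find_broad_grants | wc -l | tr -d ' '
}

printf '%s\n' '== weak fragment: rules that bypass per-command logging =='
printf '%s\n' "$WEAK_SUDOERS" | find_broad_grants || true
printf '%s\n' '== hardened fragment =='
printf '%s\n' "$HARDENED_SUDOERS" | find_broad_grants && echo 'no broad grants found'
```

On a real host the same audit can be run as `find_broad_grants < /etc/sudoers` (and over each file in /etc/sudoers.d), and a candidate hardened fragment should still be syntax-checked with `visudo -c -f <file>` before it is installed. The check is deliberately conservative: it only looks at the first token of each command, so aliases like ORACLE_TOOLS pass and must be reviewed where the Cmnd_Alias is defined.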


