[sudo-users] sudoreplay "best practice" questions

Deixa Me me at deixa.me
Mon Nov 23 07:54:42 MST 2015


Hi, I currently have sudoreplay recording all sudo sessions on all servers, with some exclusions set for particular commands. The problem I have is that if someone writes a frequent cron or nrpe check that repeatedly calls sudo, I end up with a very large number of log files for sudoreplay (enough that it exhausted the inodes on one server this weekend). Until now I've been adding exclusions for these sorts of automated commands, but I'm thinking a better way would be to only log interactive sessions. Is there a way to only log I/O when a command is executing a subshell? If not, how do others on this list deal with this problem? I'd prefer to have I/O logging on by default and whitelist the commands that don't need it, rather than vice versa.

Thanks

