[sudo-users] sudoreplay "best practice" questions

Shawn McMahon syberghost at gmail.com
Mon Nov 23 09:57:39 MST 2015

On Mon, Nov 23, 2015 at 9:54 AM, Deixa Me <me at deixa.me> wrote:

> Hi, I currently have sudoreplay recording all sudo sessions on all
> servers, with some exclusions set for particular commands. The problem I
> have is that if someone writes a frequent cron or nrpe check that
> repeatedly calls sudo, I end up with very large amounts of log files for
> sudoreplay (enough that it exhausted the inodes on one server this
> weekend). Until now I've been adding exclusions for these sorts of automated
> commands, but I'm thinking a better way would be to only log interactive
> sessions. Is there a way to only log io when a command is executing a
> subshell? If not, how do others on this list deal with this problem? I'd
> prefer to have io logging on by default and whitelist the commands that
> don't need it, rather than vice versa.

Restrict your NOPASSWD stuff to only those things that NEED to not have a
password. Turn on IO logging after that. Order matters in the config.

Too many "NOPASSWD" entries eliminate one of the key security features of
sudo. If evil code can silently escalate privilege without the user even
knowing, sudo gained you nothing but logging. Which isn't nothing, but it's
not great either.
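One way to lay out sudoers along the lines of the reply above (I/O logging on by default, NOPASSWD confined to an explicit list of automated checks that are also exempted from logging), written as an added example rather than taken from this thread; the `%ops` group, the `nagios` user and the plugin paths are assumed placeholders.

```sudoers
# Added example, not from the thread. Order matters: sudoers is read top to
# bottom and, where several entries match a user and command, the last
# matching entry wins, so the narrow exceptions go after the broad defaults.

# 1. I/O logging on for everyone by default. Each session gets its own
#    directory under iolog_dir, which is what eats inodes when a cron job or
#    NRPE check calls sudo every minute.
Defaults        log_input, log_output
Defaults        iolog_dir = /var/log/sudo-io

# 2. Interactive admins: password required, I/O logging inherited from the
#    Defaults above. (Placeholder group name.)
%ops    ALL = (ALL) ALL

# 3. The few automated checks that genuinely need NOPASSWD. Keep the command
#    list explicit: a NOPASSWD entry for ALL would let any code running as
#    that account become root silently. (Placeholder plugin paths.)
Cmnd_Alias      NRPE_CHECKS = /usr/lib/nagios/plugins/check_disk, \
                              /usr/lib/nagios/plugins/check_load

# NOLOG_INPUT / NOLOG_OUTPUT override log_input / log_output for these
# commands only, so the noisy non-interactive checks stop producing session
# logs while everything else stays recorded. NOPASSWD is scoped to the same
# list, not to ALL.
nagios  ALL = (root) NOPASSWD: NOLOG_INPUT: NOLOG_OUTPUT: NRPE_CHECKS

# Equivalent command-specific Defaults, if you prefer to keep the logging
# tags out of the user specification:
# Defaults!NRPE_CHECKS !log_input, !log_output
```

Check the fragment with `visudo -c -f <file>` before installing it, and keep the exempted command list short enough that you can still justify each entry.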

