[sudo-users] sudoreplay "best practice" questions

Deixa Me me at deixa.me
Mon Nov 23 10:07:26 MST 2015


That's good advice. Unfortunately, I work in an environment where people don't believe in passwords. We have none. Everything's done with ssh keys and no user on any of the systems has a password, so I have the default !authenticate set. Of course, sudoers is restricted so most people cannot run any commands...but still, it's not ideal.

On 11/23, Shawn McMahon wrote:
> On Mon, Nov 23, 2015 at 9:54 AM, Deixa Me <me at deixa.me> wrote:
> 
> > Hi, I currently have sudoreplay recording all sudo sessions on all
> > servers, with some exclusions set for particular commands. The problem I
> > have is that if someone writes a frequent cron or nrpe check that
> > repeatedly calls sudo, I end up with very large amounts of log files for
> > sudoreplay (enough that it exhausted the inodes on one server this
> > weekend). Until now I've been adding exclusions for these sort of automated
> > commands, but I'm thinking a better way would be to only log interactive
> > sessions. Is there a way to only log io when a command is executing a
> > subshell? If not, how do others on this list deal with this problem? I'd
> > prefer to have io logging on by default and whitelist the commands that
> > don't need it, rather than vice versa.
> >
> 
> Restrict your NOPASSWD stuff to only those things that NEED to not have a
> password. Turn on IO logging after that. Order matters in the config.
> 
> Too many "NOPASSWD" entries eliminate one of the key security features of
> sudo. If evil code can silently escalate privilege without the user even
> knowing, sudo gained you nothing but logging. Which isn't nothing, but it's
> not great either.
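As an added example (not from this thread), here is how the layout Shawn describes could look in sudoers: I/O logging on by default, switched off only for a whitelist of unattended commands through per-command Defaults, and NOPASSWD narrowed to the monitoring account. All paths, the `%ops` group, the `nrpe` user and the plugin arguments are assumptions.

```sudoers
## Added example, not from the thread. Paths, group and user names below
## are assumptions; adjust them to the real plugin locations.

# Generic Defaults first. Within one kind of Defaults entry later lines
# override earlier ones, and command Defaults (Defaults!cmd) are applied
# after the generic ones, so the exceptions belong below this block.
Defaults    log_input, log_output
Defaults    iolog_dir="/var/log/sudo-io"

# Commands that run unattended in a loop (cron jobs, NRPE checks). Every
# session they start would otherwise create its own iolog directory, which
# is what burned through the inodes. Keep this alias short: nothing listed
# here has its I/O captured.
Cmnd_Alias  AUTOMATED = /usr/lib/nagios/plugins/check_disk, \
                        /usr/lib/nagios/plugins/check_procs, \
                        /usr/local/sbin/backup-rotate

# Per-command Defaults: I/O logging stays on globally and is disabled only
# when one of the AUTOMATED commands is what sudo is running.
Defaults!AUTOMATED  !log_input, !log_output

# Shells and su are the sessions sudoreplay is really for; they are
# deliberately absent from AUTOMATED, so they are always recorded.
Cmnd_Alias  SHELLS = /bin/sh, /bin/bash, /usr/bin/su

# User specs: when several entries match, the last one wins. The broad
# password-protected rule comes first; the narrow NOPASSWD grant for the
# monitoring account comes last and names exact commands and arguments,
# so the only thing that escalates silently is the check itself.
%ops        ALL = (root) ALL
nrpe        ALL = (root) NOPASSWD: \
    /usr/lib/nagios/plugins/check_disk -w 20% -c 10% /, \
    /usr/lib/nagios/plugins/check_procs -w 250 -c 400
```

Validate the file with `visudo -c` before installing it; a syntax error in sudoers locks everyone out of sudo.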

