[sudo-users] sudoreplay "best practice" questions

Leroy Tennison leroy at datavoiceint.com
Tue Nov 24 07:41:27 MST 2015


Another alternative is MaxSeq which in effect turns the logging into a circular buffer.  An implication is that you have to examine the logs regularly to capture significant events.  If MaxSeq isn't listed in the man page then you need a newer version of sudo.

----- Original Message -----
From: "Deixa Me" <me at deixa.me>
To: "Shawn McMahon" <syberghost at gmail.com>
Cc: sudo-users at sudo.ws
Sent: Monday, November 23, 2015 11:07:26 AM
Subject: Re: [sudo-users] sudoreplay "best practice" questions

That's good advice. Unfortunately, I work in an environment where people don't believe in passwords. We have none. Everything's done with ssh keys and no user on any of the systems has a password, so I have the default !authenticate set. Of course, sudoers is restricted so most people cannot run any commands...but still, it's not ideal.

On 11/23, Shawn McMahon wrote:
> On Mon, Nov 23, 2015 at 9:54 AM, Deixa Me <me at deixa.me> wrote:
> 
> > Hi, I currently have sudoreplay recording all sudo sessions on all
> > servers, with some exclusions set for particular commands. The problem I
> > have is that if someone writes a frequent cron or nrpe check that
> > repeatedly calls sudo, I end up with very large amounts of log files for
> > sudoreplay (enough that it exhausted the inodes on one server this
> > weekend). Until now I've been adding exclusions for these sort of automated
> > commands, but I'm thinking a better way would be to only log interactive
> > sessions. Is there a way to only log io when a command is executing a
> > subshell? If not, how do others on this list deal with this problem? I'd
> > prefer to have io logging on by default and whitelist the commands that
> > don't need it, rather than vice versa.
> >
> 
> Restrict your NOPASSWD stuff to only those things that NEED to not have a
> password. Turn on IO logging after that. Order matters in the config.
> 
> Too many "NOPASSWD" entries eliminate one of the key security features of
> sudo. If evil code can silently escalate privilege without the user even
> knowing, sudo gained you nothing but logging. Which isn't nothing, but it's
> not great either.
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
https://www.sudo.ws/mailman/listinfo/sudo-users
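As an added illustration of the configuration the thread is discussing (not taken from any of the messages above): a sudoers fragment showing the broad setup Shawn warns about beside a tightened version that keeps I/O logging on by default, limits NOPASSWD to a named command alias, excludes only that automated check from I/O logging, and sets maxseq so the log sequence wraps instead of filling the filesystem. The group `ops`, the `nrpe` account and the plugin paths are assumed names; check `man sudoers` for your version, since maxseq is absent from older releases.

```sudoers
## --- Before: the pattern the thread describes -------------------------
# Every command is passwordless and nothing is recorded. A process that can
# run as any ops user can escalate silently; sudo provides no friction and
# no session log.
Defaults        !authenticate
%ops            ALL=(ALL) ALL

## --- After: record sessions by default, exempt only what must be -------
# Record terminal output for every sudo session unless a narrower rule
# below turns it off. Add log_input as well if keystrokes are wanted.
Defaults        log_output
Defaults        iolog_dir=/var/log/sudo-io

# Circular buffer for I/O logs: once the per-directory sequence reaches
# maxseq it rolls over to zero and sudo truncates and re-uses the oldest
# session directories. Ship or review the logs before they are overwritten.
# (assumed value; the default is far larger)
Defaults        maxseq=5000

# The automated monitoring check that runs sudo every few seconds. Naming
# the exact binaries, not a directory, keeps the exemption narrow.
Cmnd_Alias      MONITOR = /usr/lib/nagios/plugins/check_disk, \
                          /usr/lib/nagios/plugins/check_load

# Command-scoped Defaults are applied after the global ones, so this
# disables I/O logging only for MONITOR. The per-rule tag NOLOG_OUTPUT:
# on the nrpe line below is the alternative form.
Defaults!MONITOR !log_output

# Only the monitoring account gets NOPASSWD, and only for MONITOR.
nrpe            ALL=(root) NOPASSWD: MONITOR

# Humans still authenticate and are still recorded. Later matching entries
# override earlier ones, so keep the broad rule above any narrow exceptions
# you add for specific users.
%ops            ALL=(ALL) ALL
```

Validate the file with `visudo -cf <file>` before installing it, so a syntax error cannot lock everyone out of sudo.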
