[sudo-users] sudoreplay does not honour iolog_dir
Albert Chin
sudo-users at mlists.thewrittenword.com
Wed May 26 03:07:28 MDT 2021
Is sudoreplay supposed to honour iolog_dir in the config file?
On a RHEL 7 system:
# cat /opt/TWWfsw/sudo19/etc/sudoers.d/test
Defaults !log_input, !log_output, log_year, ignore_iolog_errors
Defaults iolog_dir=/var/log/sudo-io2, maxseq=2176782336
ALL ALL = LOG_OUTPUT:NOPASSWD:/bin/ls
ALL ALL = LOG_OUTPUT:NOPASSWD:/opt/TWWfsw/sudo19/bin/sudoreplay
# find /var/log/sudo-io2
find: ‘/var/log/sudo-io2’: No such file or directory
$ /opt/TWWfsw/sudo19/bin/sudo /bin/ls
...
# find /var/log/sudo-io2
/var/log/sudo-io2
/var/log/sudo-io2/seq
/var/log/sudo-io2/00
/var/log/sudo-io2/00/00
/var/log/sudo-io2/00/00/01
/var/log/sudo-io2/00/00/01/timing
/var/log/sudo-io2/00/00/01/ttyout
/var/log/sudo-io2/00/00/01/stdout
/var/log/sudo-io2/00/00/01/log
/var/log/sudo-io2/00/00/01/stderr
/var/log/sudo-io2/00/00/01/log.json
# /opt/TWWfsw/sudo19/bin/sudoreplay -l
sudoreplay: unable to open /var/log/sudo-io: No such file or directory
/var/log/sudo-io is the default log directory on RHEL. Looks like sudo
honours iolog_dir but sudoreplay does not. From sudoreplay(8):
The ID should either be a six character sequence of digits
and upper case letters, e.g., 0100A5, a pattern matching the
iolog_file option in the sudoers file, or a path name. Path
names may be relative to the iolog_dir option in the sudoers
file (unless overridden by the -d option) or fully
qualified, beginning with a ‘/’ character. When a command
is run via sudo with log_output enabled in the sudoers file,
a TSID=ID string is logged via syslog or to the sudo log
file. The ID may also be determined using sudoreplay's list
mode.
"Path names may be relative to the iolog_dir option in the sudoers
file" implies iolog_dir should be honoured.
--
albert chin (china at thewrittenword.com)
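
An added example, not part of the original post and not code from the sudo project: the quoted sudoreplay(8) text says the -d option overrides the log directory, so the directory can be passed explicitly. The sketch below reads iolog_dir from a sudoers file and hands it to sudoreplay -d; the function names, the SUDOREPLAY variable and the simplified sudoers parsing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post).
# Print the last iolog_dir value set on a global "Defaults" line in the given
# sudoers files. Simplified parser (assumption): it skips Defaults entries
# bound to a user/host/command (Defaults:user, Defaults@host, ...), and does
# not handle line continuations or values that contain commas.
iolog_dir_from_sudoers() {
    awk '
        /^[ \t]*Defaults[ \t]/ {
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opts, ",")
            for (i = 1; i <= n; i++) {
                opt = opts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", opt)
                if (opt ~ /^iolog_dir[ \t]*=/) {
                    sub(/^iolog_dir[ \t]*=[ \t]*/, "", opt)
                    gsub(/^"|"$/, "", opt)
                    dir = opt        # later settings win
                }
            }
        }
        END { if (dir != "") print dir; else exit 1 }
    ' "$@"
}

# List recorded sessions from the directory the sudoers file configures.
# Falls back to sudoreplay's compiled-in default when iolog_dir is not set.
# SUDOREPLAY may point at a non-default binary (hypothetical variable).
replay_list() {
    sudoers_file=$1
    if dir=$(iolog_dir_from_sudoers "$sudoers_file"); then
        "${SUDOREPLAY:-sudoreplay}" -d "$dir" -l
    else
        "${SUDOREPLAY:-sudoreplay}" -l
    fi
}
```

With the configuration shown in the post, this would be invoked as `SUDOREPLAY=/opt/TWWfsw/sudo19/bin/sudoreplay replay_list /opt/TWWfsw/sudo19/etc/sudoers.d/test`.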