Some concerns while using Sudo

Alek O. Komarnitsky (N-CSC) alek at ast.lmco.com
Fri Jun 9 08:36:28 EDT 2000


> From: Sukant Naik <Sukant_N1 at verifone.com>
> Subject: Some concerns while using Sudo
> To: "'sudo-workers at courtesan.com'" <sudo-workers at courtesan.com>
> 
> Hi All,
> 
> I am a Unix System Administrator and a newbie to Sudo. I am evaluating the Sudo
> utility. I have downloaded, compiled and installed Sudo version 1.6.3p4 on an
> HP-UX 11.00 server. It is working fine. This is a really great utility and I would
> like to implement it on all my servers in my company.
> 
> I have configured the sudo log file as /var/adm/syslog/sudo.log in the
> /etc/syslog.conf file.  
> 
> I logged in as an ordinary user and was able to use vi in sudo and then delete the
> entire entries in the sudo.log file and make the size of this file 0 bytes.
> Is it possible to stop this?
> 
> My concerns are:
> 
> 1. How can I stop anybody from deleting my sudo.log file?
> 2. Also, what are the different ways in which the syslog file can be
>    tampered with, like:
>    $ sudo /usr/bin/cat /dev/null > /var/adm/syslog/sudo.log
>    $ sudo /usr/bin/cp /dev/null /var/adm/syslog/sudo.log
> 
> A snapshot from my server:
> # cd /var/adm/syslog
> # ll
> total 3182
> -rw-r--r--   1 root       root         99648 May 19 12:45 OLDsyslog.log
> -r--r--r--   1 root       root         27016 May 17 18:38 mail.log
> -r--------   1 root       sys              0 Jun  8 19:55 sudo.log
> -rw-r--r--   1 root       root       1313103 Jun  9 10:12 syslog.log
> 
> 
> Also, I know that I can stop this from happening provided I don't allow the end
> users to run the vi, touch or cat commands from sudo, by configuring that in the
> sudoers file. But I would be more interested to know if there are any more ways
> of tampering with the log files, so that I can stop this from happening. Please
> suggest some methods for making a secure Sudo installation.
> 
> Regards,
> Sukant Naik
> Verifone India Limited
> Tel : +91-80-529 8151/2/3/4 Extension 2028
> Fax : +91-80-529 9876
> Email : Sukant_N1 at verifone.com


This is why you configure syslogd to not only log stuff locally,
but to also send a copy of the syslogs to a remote "loghost" that
is "secure" - this is generically a "good" idea since if the
original machine is compromised in some way, there may be some
evidence of what happened. As an additional point, it often 
helps to have consolidated logs to track stuff network-wide;
in fact, we have 1,000+ machines log stuff centrally - some examples
of this are in my presentations on sudo and also swatch at:
   http://www.komar.org/komar/alek/  ->  Misc. Tech Stuff 

BTW, you should NOT be giving sudo=ALL (or access to commands like
vi that have shell escapes) to people who aren't "trusted" ...
would you also give those people the root password!   ;-)

alek
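Alek's point is that the copy forwarded to the loghost is the one that survives local tampering, and that it is the copy worth watching (his swatch material covers the monitoring side). As an added example, not code from this thread or from the sudo project, here is a small Python checker meant to run on that loghost over the forwarded sudo records: it parses sudo's syslog line format and flags exactly the cases the original question raises, a command that names the local sudo.log, a shell-capable command such as vi, and denied attempts. The host name, user name and log lines are constructed for the example, and the list of shell-capable commands is an assumed starting point, not a sudo setting.

```python
"""Flag forwarded sudo syslog entries that could indicate log tampering.

Run on the central loghost against the forwarded copy, so the records are
still there even if the local /var/adm/syslog/sudo.log has been emptied.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# Local sudo log named in the thread; any command naming it is worth a look.
PROTECTED_PATHS = ("/var/adm/syslog/sudo.log",)

# Commands that hand the caller a shell, or an editor/pager with shell escapes.
# Assumed starting list for this example; extend it for your platform.
SHELL_CAPABLE = {"vi", "ex", "view", "vim", "more", "less", "sh", "ksh", "csh", "su"}

# Constructed sample records in sudo's syslog format (host and user are made up).
SAMPLE_LOG = """\
Jun  9 10:12:01 hpux11 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /var/adm/syslog/sudo.log
Jun  9 10:13:44 hpux11 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cp /dev/null /var/adm/syslog/sudo.log
Jun  9 10:14:02 hpux11 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /dev/null
Jun  9 10:15:10 hpux11 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/swapinfo
Jun  9 10:16:30 hpux11 sudo:   alice : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/sh
"""

# "<timestamp> <host> sudo: <user> : <fields separated by ' ; '>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sudo:\s+(?P<user>\S+) : (?P<body>.*)$"
)


def parse_sudo_line(line: str) -> Optional[Dict[str, str]]:
    """Return the record as a dict, or None if the line is not a sudo record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {"ts": m["ts"], "host": m["host"], "user": m["user"], "msg": ""}
    fields = m["body"].split(" ; ")
    for i, field in enumerate(fields):
        if field.startswith("COMMAND="):
            # COMMAND is always last; rejoin in case the arguments contained " ; ".
            entry["COMMAND"] = " ; ".join(fields[i:])[len("COMMAND="):]
            break
        if "=" in field:
            key, value = field.split("=", 1)
            entry[key] = value
        else:
            entry["msg"] = field  # e.g. "user NOT in sudoers", "command not allowed"
    return entry


def tamper_reasons(entry: Dict[str, str]) -> List[str]:
    """Reasons this record deserves attention; an empty list means it looks routine."""
    reasons: List[str] = []
    if entry["msg"]:
        reasons.append("denied: " + entry["msg"])
    argv = entry.get("COMMAND", "").split()
    if not argv:
        return reasons
    if os.path.basename(argv[0]) in SHELL_CAPABLE:
        reasons.append("shell-capable command: " + argv[0])
    # Only the arguments sudo actually ran are visible. A redirection such as
    # `sudo cat /dev/null > sudo.log` is performed by the user's own shell, so
    # the record shows just "/usr/bin/cat /dev/null" and the target is not seen.
    for arg in argv[1:]:
        if arg in PROTECTED_PATHS:
            reasons.append("names protected log: " + arg)
            break
    return reasons


def audit(log_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (host, user, command, reasons) for every record with at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_sudo_line(line)
        if entry is None:
            continue
        reasons = tamper_reasons(entry)
        if reasons:
            flagged.append((entry["host"], entry["user"], entry.get("COMMAND", ""), reasons))
    return flagged


if __name__ == "__main__":
    for host, user, cmd, reasons in audit(SAMPLE_LOG):
        print(f"{host} {user}: {cmd}")
        for r in reasons:
            print("    " + r)
```

Over the sample, the vi and cp records and the denied `/usr/bin/sh` attempt are flagged; the `cat /dev/null` record is not, which is the caveat to take away: sudo logs the command it executed, not what the caller's shell did with its output, so the forwarded copy and a tight sudoers file (no editors or shells for untrusted users, as Alek says) together do the work that log inspection alone cannot.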


