AIX Open Source

  • 1.  Sudo Logging after sudo to a user

    Posted Thu August 19, 2021 01:03 PM
    Hello everyone,

    I have done a fair bit of research and everything I am running into says to place log_output and log_input into the sudoers file to capture what is run after a user sudos to another user. It is creating the /var/log/sudo-io directory structure and sudoreplay gives just generic log information as I am used to seeing, only showing the "sudo su -" command. Is there a feature in sudo that will allow auditing of what a user does after they "sudo su -"? If so, could you provide any guidance on the subject? Maybe I am just missing a key step.

    Thanks,
    Justin


    ------------------------------
    Justin Reddell
    ------------------------------


  • 2.  RE: Sudo Logging after sudo to a user

    Posted Wed September 01, 2021 10:31 AM
    Hi Justin

    I read the following on the sudo user mailing list:
    https://www.sudo.ws/mailman/listinfo/sudo-users

    Thread: https://www.sudo.ws/pipermail/sudo-users/2012-February/004922.html
    > I am testing out the logging features of version 1.8.3 and so far
    > the only question I have is when a user does a sudo su - how come
    > all the commands are not still logged. I see the sudo su part in
    > the logs but that's it. We regularly have to sudo from our personal
    > account into another user's account and due to that we need to first
    > sudo su - to get into root.


    Once you run a shell sudo cannot log the individual commands you run. If you have log_output enabled you can see the output of the session, including the commands run, but the individual commands are not logged separately. You can, however, use sudo to run commands as another user directly. E.g. sudo -u other_user command.


    ------------------------------
    Jan Harris
    ------------------------------



  • 3.  RE: Sudo Logging after sudo to a user

    Posted Fri September 03, 2021 09:47 AM
    You will only see commands logged when you type "sudo <cmd>". When you do "sudo su -", it creates a new shell, and all the other commands won't be in the sudo log. You might be able to find the commands in root's history.

    ------------------------------
    Vincenzo Giambalvo
    ------------------------------
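    As an added example (not from this thread, and not part of sudo's own tooling), the POSIX shell script below checks a sudoers file for the two things replies 2 and 3 point at: whether the I/O logging Defaults (log_input, log_output) are present, and which rules hand out su, a shell, or an unrestricted ALL command list. Commands typed inside such a session are only visible in the I/O log via sudoreplay (or, as reply 3 notes, in root's history), never as separate sudo log entries, so those rules are the ones to review. The sudoers content, the user names and the paths in the sample are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: lint a sudoers file for the logging gap
# discussed above.  Two checks:
#   1. are the I/O logging Defaults (log_input / log_output) enabled?
#   2. which user rules grant su, a shell, or ALL?  Commands run inside such a
#      session appear only in the I/O log (sudoreplay), not as per-command lines.
# Assumes plain sudoers syntax; users, paths and options below are constructed.

SAMPLE_SUDOERS=$(mktemp)
cat >"$SAMPLE_SUDOERS" <<'EOF'
# constructed sample, not a real host's sudoers
Defaults    log_output
Defaults    iolog_dir=/var/log/sudo-io
justin  ALL=(ALL)       /usr/bin/su -
ops     ALL=(oracle)    /usr/bin/sqlplus
admins  ALL=(ALL)       ALL
audit   ALL=(root)      /usr/bin/ksh
EOF

# has_default FILE OPTION: exit 0 if some Defaults line enables OPTION.
# A negated "!OPTION" is deliberately not matched, since that disables it.
has_default() {
    grep -E '^[[:space:]]*Defaults' "$1" | sed 's/#.*//' \
      | grep -Eq "(^|[[:space:],])$2"'([[:space:],=]|$)'
}

# shell_rules FILE: print user-spec lines whose command list grants su,
# a shell, or ALL, i.e. rules where sudo cannot constrain what runs next.
shell_rules() {
    sed 's/#.*//' "$1" \
      | grep -Ev '^[[:space:]]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias|$)' \
      | grep -E '(/su([[:space:]]|$)|/(sh|bash|ksh|csh|zsh)([[:space:]]|$)|[[:space:]]ALL[[:space:]]*$)'
}

# count_shell_rules FILE: number of such rules, as a bare integer.
count_shell_rules() {
    shell_rules "$1" | wc -l | tr -d ' '
}

# report FILE: human-readable summary of both checks.
report() {
    f=$1
    for opt in log_input log_output; do
        if has_default "$f" "$opt"; then
            echo "ok:      Defaults $opt is enabled"
        else
            echo "missing: Defaults $opt (needed to capture the session for sudoreplay)"
        fi
    done
    n=$(count_shell_rules "$f")
    echo "$n rule(s) grant su, a shell or ALL; their inner commands show up only in the I/O log:"
    shell_rules "$f" | sed 's/^/    /'
}

report "$SAMPLE_SUDOERS"
# the temp file is left in place so the checks can be re-run against it
```

    On a real host, point report at /etc/sudoers (and each file under /etc/sudoers.d), then list the recorded sessions with sudoreplay -l once both Defaults are in place. Where a rule only exists so that someone can reach another account, the tighter replacement is the form reply 2 gives, a rule for the specific command run as that user via sudo -u other_user command, which sudo can log per invocation.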



  • 4.  RE: Sudo Logging after sudo to a user

    Posted Fri September 03, 2021 09:55 AM
    I've only seen logging like that in tools like PowerBroker. Sudo only logs the command.




  • 5.  RE: Sudo Logging after sudo to a user

    Posted Sat September 04, 2021 06:38 PM
    You need to use sudoreplay to see the logs

    ------------------------------
    Dennis Mathews
    ------------------------------