AIX Open Source


Setting/Sending Sudo Syslogs to Remote Server

  • 1.  Setting/Sending Sudo Syslogs to Remote Server

    Posted Fri October 23, 2020 11:14 PM
    Hello. Per our sudo healthcheck requirements, we need to send sudo syslogs to a remote QRadar server.
    Here are the requirements: sudo must be compiled with one of the following options, with-logging=both or with-logging=syslog, and the syslog facility used must be authpriv or auth.
    Can anyone help me identify where all these settings would be made and where to add the remote server IP? Thank you.

    ------------------------------
    Margaret Buchanan
    ------------------------------


  • 2.  RE: Setting/Sending Sudo Syslogs to Remote Server

    IBM Champion
    Posted Mon October 26, 2020 03:03 AM
    Hi,
    Not sure if this helps: I installed the vanilla sudo on AIX (from the Toolbox), and it looks like it matches your compile requirement:
    sudo -V | grep log
    Configure options: --prefix=/opt/freeware --sbindir=/opt/freeware/sbin --libdir=/opt/freeware/lib --mandir=/opt/freeware/man --libexecdir=/opt/freeware/libexec --with-logging=syslog --with-logfac=auth --with-pam --with-pam-login --with-env-editor --with-ignore-dot --with-aixauth --with-tty-tickets --with-ldap --with-ldap-conf-file=/opt/freeware/etc/openldap/ldap.conf
    Syslog facility if syslog is being used for logging: auth
    Syslog priority to use when user authenticates successfully: notice
    Syslog priority to use when user authenticates unsuccessfully: alert
    .....

    Added a user in /etc/sudoers
    ...
    ##
    ## User privilege specification
    ##
    root ALL=(ALL) ALL
    red ALL=NOPASSWD: /usr/sbin/slibclean
    ....

    Config of /etc/syslog.conf
    ....
    # *.debug /var/log/syslog.debug100k.out rotate size 100k files 4
    # *.crit /var/log/syslog.dailycrit.out rotate time 1d
    auth.debug /var/adm/sudo.log
    auth.debug @syslog_host
    .....

    Logged in as red and ran slibclean

    cat /var/adm/sudo.log
    Oct 26 02:02:41 aix-72 auth|security:err|error sshd[16253234]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
    Oct 26 02:02:41 aix-72 auth|security:err|error sshd[16253234]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
    Oct 26 02:02:47 aix-72 auth|security:info sshd[16253234]: Accepted password for red from 118.200.50.172 port 56566 ssh2
    Oct 26 02:02:53 aix-72 auth|security:notice sudo: red : TTY=pts/1 ; PWD=/home/red ; USER=root ; COMMAND=/usr/sbin/slibclean


    Please let me know if you have further questions.
    Keep safe,

    ------------------------------
    Antony Steel (Red)
    ------------------------------
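The build check and the syslog.conf forwarding rule from the reply above, turned into a small checker plus a parser for the resulting sudo records. This is an added example, not code from the thread, from IBM or from the sudo project. The `sudo -V` excerpt, the syslog.conf fragment and the log records below are constructed here (hypothetical version string, host, user and path names, modelled on what the reply shows); the selector matching is a simplified model of syslogd's rules, and the record layout follows the lines quoted in the reply.

```python
import re
import shlex

# Syslog severities, lowest number = most severe (with the common aliases).
LEVELS = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
          "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed `sudo -V` excerpt modelled on the reply above (hypothetical
# version string; on a real host feed in the actual `sudo -V` output).
SAMPLE_SUDO_V = """\
Sudo version 1.9.5p2
Configure options: --prefix=/opt/freeware --with-logging=syslog --with-logfac=auth --with-pam --with-aixauth
Syslog facility if syslog is being used for logging: auth
"""

# Constructed /etc/syslog.conf fragment: one local file, one remote target.
SAMPLE_SYSLOG_CONF = """\
# *.debug /var/log/syslog.debug100k.out rotate size 100k files 4
auth.debug /var/adm/sudo.log
auth.debug @syslog_host
"""

# Constructed records in the AIX syslog layout shown in the reply: one
# permitted command and one denial (hypothetical users and host).
SAMPLE_LOG = [
    "Oct 26 02:02:53 aix-72 auth|security:notice sudo: red : TTY=pts/1 ; PWD=/home/red ; USER=root ; COMMAND=/usr/sbin/slibclean",
    "Oct 26 02:05:10 aix-72 auth|security:alert sudo: mallory : command not allowed ; TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/usr/bin/ksh",
]


def parse_configure_options(sudo_v_output):
    """{option: value} from the 'Configure options:' line; valueless flags map to True."""
    for line in sudo_v_output.splitlines():
        if line.startswith("Configure options:"):
            opts = {}
            for tok in shlex.split(line.partition(":")[2]):
                key, _, val = tok.lstrip("-").partition("=")
                opts[key] = val or True
            return opts
    return {}


def effective_facility(sudo_v_output):
    """Facility sudo will actually use (build default, or a sudoers 'Defaults syslog=' override)."""
    m = re.search(r"^Syslog facility if syslog is being used for logging: (\S+)", sudo_v_output, re.M)
    return m.group(1) if m else None


def selector_covers(selector, facility, priority):
    """Simplified syslogd match for 'auth,authpriv.notice;mail.none': a level selects that
    priority and everything more severe, 'none' drops the facility, later parts win."""
    covered = False
    for part in selector.split(";"):
        facs, _, level = part.partition(".")
        if facs == "*" or facility in facs.split(","):
            covered = level != "none" and LEVELS[level] >= LEVELS[priority]
    return covered


def remote_targets(syslog_conf, facility, priority):
    """Remote hosts ('@host' actions) whose selector receives facility.priority."""
    hosts = []
    for line in syslog_conf.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[1].startswith("@") and selector_covers(parts[0], facility, priority):
            hosts.append(parts[1][1:])
    return hosts


def healthcheck(sudo_v_output, syslog_conf):
    """Findings against the rule in the question; an empty list means compliant."""
    findings = []
    opts = parse_configure_options(sudo_v_output)
    if opts.get("with-logging") not in ("syslog", "both"):
        findings.append("sudo not built with --with-logging=syslog or --with-logging=both")
    facility = effective_facility(sudo_v_output) or opts.get("with-logfac")
    if facility not in ("auth", "authpriv"):
        findings.append(f"sudo syslog facility is {facility!r}, expected auth or authpriv")
    # sudo logs successes at notice and failures at alert; a selector that
    # covers notice covers both, so notice is the priority to test.
    if facility and not remote_targets(syslog_conf, facility, "notice"):
        findings.append(f"no remote syslog target receives {facility}.notice")
    return findings


SUDO_LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?:\S+ )?"
                       r"sudo: +(?P<user>\S+) : (?P<rest>.*)$")


def parse_sudo_line(line):
    """One sudo record as a dict (None for other lines); denials carry a free-text 'reason'."""
    m = SUDO_LINE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "user": m["user"], "reason": None}
    for field in m["rest"].split(" ; "):
        key, sep, val = field.partition("=")
        if sep:
            rec[key] = val
        else:
            rec["reason"] = field   # e.g. 'command not allowed'
    return rec
```

`healthcheck(SAMPLE_SUDO_V, SAMPLE_SYSLOG_CONF)` returns an empty list for the configuration in the reply; swapping the selector for `auth.crit @syslog_host` makes it report that nothing remote receives auth.notice, which is how a too-narrow selector silently loses every successful sudo invocation. The `Syslog facility ...` line of `sudo -V` is checked rather than only the build flag because a `Defaults syslog=` entry in sudoers can change the facility after the build. Also keep in mind that syslogd forwarding is plaintext UDP, so the path to the collector deserves the same scrutiny as the records themselves.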