[SGVLUG] Security/auditing and the "sudo" log

Jeremy Leader jleader at alumni.caltech.edu
Mon Mar 2 11:08:04 PST 2009


Tom, I don't have a direct answer to your question, but some of our 
CentOS 5 (and possibly CentOS 4 as well) boxes here have "logwatch" 
running on them, which monitors log files and emails a nightly summary 
of interesting content from the logs.  One of the logs it monitors is 
sudo; it reports each user who sudo'd at least once in the last day, and 
the commands they executed.  It also reports login failures via X, sshd, 
etc., as well as reporting the output of "df".

I only get emails for two boxes that I'm the only regular user of, so I 
don't know how well it scales to lots of boxes with lots of users, but 
for me it's easy to see if someone else is doing something, and roughly 
what they're doing.  However, it doesn't show what directory the command 
was run in, which means something like "sudo make install" doesn't tell 
me *what* was installed.

-- 
Jeremy Leader
jleader at alumni.caltech.edu

Emerson, Tom (*IC) wrote:
> The subject of "su" and "sudo" came up at work today, in particular the
> fact that "su" logs (at best) the fact that someone switched to a
> different ID, but not what they did as that user.  On the other hand,
> "sudo" logs each command.
> 
> I couldn't find much on the format of this log (at least, with the
> 5-minute search of google); there is a wikipedia page with "an example",
> but that certainly isn't exhaustive; most of the other search results
> were posts to message lists like this one asking the same question (and
> getting no response, which is no help either)
> 
> Who around here uses this (religiously) AND reviews the log file on a
> regular basis - how easy is it to spot intentional attempts to do
> something potentially dangerous vs. fat-fingering a password or command?
> What actions do you take when you find a violation or possible
> "infiltrator"?
> 
> Tom
> 
> P.s. of course, I'm in a "need this info now" situation, but I'm also
> thinking this might make an interesting 15-minute presentation at our
> regular meeting.
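As an added illustration (not part of this thread or of logwatch), here is a small Python reader for the syslog lines sudo writes, run over constructed sample lines. It keeps the PWD field, which the raw sudo log carries even when a nightly summary leaves it out, and separates sudoers policy refusals from mistyped passwords. The line layout assumed is sudo's standard syslog format; the host name, users and commands are made up.

```python
import re
from collections import defaultdict

# One syslog line per sudo invocation. Successful runs carry only the key=value
# tail; refusals put a reason between the user name and "TTY=".
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<reason>.+?) ; )?TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>.+?) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Reasons that mean the sudoers policy said no, as opposed to a mistyped password.
POLICY_REASONS = ("command not allowed", "user NOT in sudoers")


def parse_sudo_line(line):
    """Return a dict for a sudo log line, or None for unrelated syslog lines."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ok"] = rec["reason"] is None
    return rec


def summarize(lines):
    """Group commands per user (with the directory they ran in) and flag refusals."""
    by_user = defaultdict(list)
    policy_denials, password_failures = [], []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        if rec["ok"]:
            by_user[rec["user"]].append((rec["pwd"], rec["runas"], rec["cmd"]))
        elif rec["reason"].startswith(POLICY_REASONS):
            policy_denials.append((rec["user"], rec["reason"], rec["cmd"]))
        else:
            password_failures.append((rec["user"], rec["reason"], rec["cmd"]))
    return dict(by_user), policy_denials, password_failures


# Constructed sample lines in the layout sudo uses (not taken from a real host).
SAMPLE = """\
Mar  2 09:12:01 build1 sudo:  alice : TTY=pts/0 ; PWD=/usr/src/foo-1.2 ; USER=root ; COMMAND=/usr/bin/make install
Mar  2 09:14:33 build1 sshd[4123]: Failed password for invalid user admin from 10.0.0.7 port 51122 ssh2
Mar  2 09:20:45 build1 sudo:    bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  2 09:21:10 build1 sudo:   carl : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carl ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  2 09:25:02 build1 sudo:  alice : command not allowed ; TTY=pts/0 ; PWD=/usr/src/foo-1.2 ; USER=root ; COMMAND=/usr/sbin/visudo
""".splitlines()

if __name__ == "__main__":
    users, denials, pw_fails = summarize(SAMPLE)
    for user, runs in users.items():
        for pwd, runas, cmd in runs:
            print(f"{user} as {runas} in {pwd}: {cmd}")
    print("policy denials:", denials)
    print("password failures:", pw_fails)
```

With the sample above, the "make install" line is reported together with its /usr/src/foo-1.2 directory, and carl's sudoers denial is listed separately from bob's password failures.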
