[SGVLUG] Security/auditing and the "sudo" log

Claude Felizardo cafelizardo at gmail.com
Mon Mar 2 13:50:37 PST 2009


On Mon, Mar 2, 2009 at 10:24 AM, Emerson, Tom (*IC)
<Tom.Emerson at wbconsultant.com> wrote:
> The subject of "su" and "sudo" came up at work today, in particular the
> fact that "su" logs (at best) the fact that someone switched to a
> different ID, but not what they did as that user.  On the other hand,
> "sudo" logs each command.
>
> I couldn't find much on the format of this log (at least, with the
> 5-minute search of Google); there is a Wikipedia page with "an example",
> but that certainly isn't exhaustive; most of the other search results
> were posts to message lists like this one asking the same question (and
> getting no response, which is no help either)
>
> Who around here uses this (religiously) AND reviews the log file on a
> regular basis - how easy is it to spot intentional attempts to do
> something potentially dangerous vs. fat-fingering a password or command?
> What actions do you take when you find a violation or possible
> "infiltrator"?
>
> Tom
>
> P.s. of course, I'm in a "need this info now" situation, but I'm also
> thinking this might make an interesting 15-minute presentation at our
> regular meeting.

Another advantage of sudo is that you can restrict exactly what a user
can do such as allow web developers to restart one or more web
services like apache and tomcat.  You don't have to give them ALL
permissions.

Claude
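
Tom's question about the log format and about telling a fat-fingered password from a deliberate attempt, together with Claude's point about restricting what a user may run, can both be seen in the log lines sudo writes. The following script is an added example and is not part of either message above. It assumes sudo's default syslog output (user, optional reason, TTY, PWD, USER, COMMAND separated by " ; "); the host name, user names, paths and the sudoers rule in the comment are invented for the example, as are the sample log lines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of the lines sudo writes to syslog by default.
# The host, user names and paths are invented; the field layout
# "user : [reason ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.." is sudo's own.
# Hypothetical sudoers rule the sample assumes, in the spirit of letting a
# web developer restart only the web services:
#   alice ALL = (root) /etc/init.d/apache2 restart, /etc/init.d/tomcat6 restart
SAMPLE_LOG = """\
Mar  2 10:24:01 web1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/etc/init.d/apache2 restart
Mar  2 10:25:13 web1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/etc/init.d/tomcat6 restart
Mar  2 10:26:40 web1 sudo:   alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/etc/init.d/apache2 restart
Mar  2 10:27:05 web1 sudo:   alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  2 10:27:30 web1 sudo:   alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Mar  2 10:28:02 web1 sudo:     bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

LINE_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?"          # absent when the command was permitted
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; "
    r"COMMAND=(?P<command>.*)$"
)


def parse_line(line):
    """Return the fields of one sudo syslog line, or None if it is not one."""
    m = LINE_RE.search(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    entry["command"] = entry["command"].strip()
    return entry


def classify(entry):
    """Map a parsed entry to an event class based on sudo's reason text."""
    reason = entry["reason"]
    if reason is None:
        return "ok"                 # permitted by sudoers and executed
    reason = reason.lower()
    if "incorrect password" in reason:
        return "bad_password"       # permitted command, user mistyped the password
    if "command not allowed" in reason:
        return "denied"             # user is in sudoers but asked for something outside the grant
    if "not in sudoers" in reason:
        return "not_in_sudoers"     # user has no sudo rights on this host at all
    return "other"


def summarize(log_text):
    """Count events per (invoking user, event class)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            counts[(entry["user"], classify(entry))] += 1
    return counts


def policy_violations(log_text):
    """Users who asked for commands sudoers does not grant them, with the commands.

    A wrong password on a permitted command is the fat-finger case; a denied
    command means the user stepped outside the grant, which is what a reviewer
    of this log wants to follow up on.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and classify(entry) in ("denied", "not_in_sudoers"):
            hits[entry["user"]].append(entry["command"])
    return dict(hits)


if __name__ == "__main__":
    for (user, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{user:8} {kind:15} {n}")
    for user, cmds in policy_violations(SAMPLE_LOG).items():
        print(f"follow up with {user}: {cmds}")
```

With a narrow grant like the one in the comment, the log separates the two cases Tom asks about: alice's restart with a mistyped password shows up as "incorrect password attempts" on a command she is allowed to run, while her attempts at /bin/bash and editing sudoers are logged as "command not allowed" without ever executing. Run it against a real syslog by replacing SAMPLE_LOG with the file contents; lines that are not sudo entries are skipped by parse_line.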

