Security Basics mailing list archives
Re: How to track down which commands sudoers set up?
From: Erin Carroll <amoeba () amoebazone com>
Date: Tue, 13 Jun 2006 19:09:11 +0000 (UTC)
Another variable to consider: if your sudo config isn't set up properly there are ways to escape the sudoers limitations to a root shell. This effectively bypasses the logging gains of sudo and makes tracking the information you're looking for much harder.
A common example is vi. Let's say you set up sudo to allow vi of a specific file which requires root privs. If your config isn't tight, it can allow for someone to sudo vi the root file and then use vi to open a shell. That shell would have the permissions of the process which opened it. Since vi is running as root, the shell=root. Disabling vi's ability to open a shell when vi is invoked from sudo is a Good Idea<tm>.
You may want to look into the Coroner's Toolkit (http://www.porcupine.org/forensics/tct.html) or other forensic tools which allow for greater in-depth probing. However, most forensic tools have a steep learning curve and require a lot of time to run and analyze. Hopefully this isn't the case in regards to your particular situation and you won't need to go that far :)
-Erin Carroll
Moderator, SecurityFocus pen-test list
"I am magically delicious"

On Tue, 13 Jun 2006, James Harless wrote:

Hmm.. You present a couple of different ideas here. I'm not sure which is the core of your issue. Your subject suggests that you're looking to track down people using 'sudo'. I don't know which version of Linux you're using but, on my OpenBSD boxes, there is a file (/var/log/secure) which stores each command that someone runs with the sudo command.

In the body of your message you suggest that they actually 'turned to superuser', which is typically indicative of the 'su' command. I can't offer any insight into how your particular setup logs commands run as root, but that is a cited reason for using sudo vs. su: logging. Obviously, someone can use sudo to dump the log... but you'd see that, too (unless they're pretty clever).

James

On 6/13/06 8:58 AM, "Jannis Kafkoulas" <kajannis () web de> wrote:

Hello,

I'd like to find out what exactly any user did after they turned to superuser and when exactly each cmd was processed (in a Linux box). Can someone help me manage this?

Many thanks
Jannis
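The two practical points in this exchange are (a) sudo's syslog line is the record of who ran what, as which user, and when, and (b) a sudoers rule that hands a user an editor without restricting it lets the editor's shell escape run as root. The POSIX shell script below is an added example, not code from any post in this thread. It reconstructs a per-command audit trail from constructed sample log lines in the format sudo writes through syslog (on most systems that ends up in /var/log/secure or /var/log/auth.log), and it scans a constructed sudoers fragment for editor rules that lack the `NOEXEC:` tag or do not use `sudoedit`; both sudoers features are real, the sample data and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Two offline checks a defender can run:
#  1. sudo_audit          - "who ran what, as whom, when" from sudo syslog lines
#  2. sudoers_editor_check - flag sudoers rules that grant an editor without NOEXEC

# Constructed sample log lines (format sudo uses when logging via syslog).
SAMPLE_LOG='Jun 13 08:58:01 box sudo:   jannis : TTY=pts/0 ; PWD=/home/jannis ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Jun 13 08:59:12 box sudo:   jannis : TTY=pts/0 ; PWD=/home/jannis ; USER=root ; COMMAND=/bin/cat /etc/hosts
Jun 13 09:00:05 box sudo:   alice : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh
Jun 13 09:01:44 box sshd[123]: Accepted password for alice from 10.0.0.5 port 2222 ssh2'

# Print one line per sudo event: "RAN|FAILED <timestamp> <user> -> <target> : <command>".
# Non-sudo syslog lines are ignored. Authentication failures are labelled FAILED
# because those are the attempts an auditor most wants to see first.
sudo_audit() {
    printf '%s\n' "$1" | awk '
        $5 ~ /^sudo(\[[0-9]+\])?:$/ {
            ts = $1 " " $2 " " $3
            user = $6
            target = ""; cmd = ""; failed = 0
            for (i = 7; i <= NF; i++) {
                if ($i == "incorrect") failed = 1
                if (index($i, "USER=") == 1) target = substr($i, 6)
                if (index($i, "COMMAND=") == 1) {
                    cmd = substr($i, 9)
                    # the command may contain spaces: glue the remaining fields back on
                    for (j = i + 1; j <= NF; j++) cmd = cmd " " $j
                    break
                }
            }
            if (failed) print "FAILED " ts " " user " -> " target " : " cmd
            else        print "RAN    " ts " " user " -> " target " : " cmd
        }'
}

# Constructed sudoers fragment. Rule 1 is the weak form described in the thread
# (vi can spawn a shell, and that shell inherits root). Rule 2 adds the NOEXEC:
# tag so sudo blocks the editor from executing further programs; rule 3 uses
# sudoedit, which edits a copy as the invoking user and never runs the editor as root.
SAMPLE_SUDOERS='jannis ALL=(root) /usr/bin/vi /etc/hosts
jannis ALL=(root) NOEXEC: /usr/bin/vi /etc/hosts
jannis ALL=(root) sudoedit /etc/hosts
alice  ALL=(root) /bin/systemctl restart nginx'

# Flag any rule whose command is a common editor or pager and that lacks NOEXEC:.
# Comment and blank lines are skipped. Output: "WEAK <rule>" or "OK   <rule>".
sudoers_editor_check() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }
        /(^|[^[:alnum:]_])(vi|vim|view|nano|emacs|less|more)([[:space:]]|$)/ && !/NOEXEC:/ {
            print "WEAK " $0; next
        }
        { print "OK   " $0 }'
}

# Stand-alone run over the constructed data.
sudo_audit "$SAMPLE_LOG"
sudoers_editor_check "$SAMPLE_SUDOERS"
```

Two caveats worth knowing when applying this for real: `NOEXEC:` works by intercepting the exec calls of dynamically linked programs, so it does not restrain a statically linked editor, which is one reason `sudoedit` is the cleaner fix for "let this user edit one root-owned file"; and the syslog record can be truncated or rotated, so the user who ran commands as root could also have modified the log, which is exactly the "you'd see that, too" point James makes above.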