How to Restrict and Log Sudo Access on Linux

This guide covers restricting and logging sudo access on Linux distributions such as CentOS, RHEL, Ubuntu, Fedora, Arch Linux and openSUSE. In production environments you need to trace what each administrator did while logged on to a shared account, for example the root account reached through sudo. The sudo command lets a normal user temporarily run commands with root privileges.

After a user types su - or sudo su -, the session must be logged so that you know what was done while the root account was in use. This document describes two methods: first, how to restrict such sudo access, and then, where full access is granted on special request, how to track the session and keep its logs on the server.

Restricting the # prompt for a sudo user

Step-1

Log in to the server on which you have to grant access.

Step-2

Create the normal user if it does not already exist.

Step-3

Assign a password to the user.

Step-4

Edit the /etc/sudoers file, or run visudo.

Step-5

Add the following line to the file, where test is the username:

test  ALL=(ALL)  ALL, !/bin/su, !/bin/vi /etc/sudoers, !/usr/sbin/visudo

Step-6

Add the following line at the end of the file:

Defaults logfile=/var/log/sudolog

Save the changes with :wq!
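The steps above are done by hand in visudo. As an added example, not part of the original post, the script below renders the same rule and logfile Default for one user, checks that the result is complete, lets visudo parse it where visudo is installed, and only then installs it with the mode sudo requires. The user name test, the excluded commands and /var/log/sudolog are the post's values; placing the rule in a file under /etc/sudoers.d instead of editing /etc/sudoers directly is this example's assumption. sudoers(5) itself notes that excluding commands with ! only blocks the listed paths, so treat the rule as a guard rail and rely on the sudo log for accountability.

```shell
#!/bin/sh
# Added example (not from the original post): render the restricted sudoers
# rule and logfile Default from steps 5 and 6 for one user, then check the
# result before it is installed. The user name "test", the excluded commands
# and /var/log/sudolog come from the post; installing into /etc/sudoers.d
# rather than editing /etc/sudoers directly is this example's assumption.

# Print the sudoers fragment for one user ("!" sits directly before each
# excluded command, the spacing the sudoers manual uses).
render_fragment() {
  user="$1"
  printf '%s\n' \
    "# $user may run everything except su and editing sudoers" \
    "$user ALL=(ALL) ALL, !/bin/su, !/bin/vi /etc/sudoers, !/usr/sbin/visudo" \
    "Defaults logfile=/var/log/sudolog"
}

# Return 0 when the fragment "$1" carries a rule for user "$2" that excludes
# /bin/su and also sets the logfile Default; this is the check the post skips.
fragment_is_complete() {
  grep -Eq "^$2[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL,.*!/bin/su" "$1" &&
  grep -Eq '^Defaults[[:space:]]+logfile=/var/log/sudolog$' "$1"
}

# Install the fragment for user "$1" (default target /etc/sudoers.d/10-<user>)
# with mode 0440, refusing if the fragment is incomplete or visudo rejects it.
# Needs root.
install_fragment() {
  user="$1"
  target="${2:-/etc/sudoers.d/10-$user}"
  tmp=$(mktemp) || return 1
  render_fragment "$user" > "$tmp"
  if ! fragment_is_complete "$tmp" "$user"; then
    echo "fragment for $user is incomplete" >&2; rm -f "$tmp"; return 1
  fi
  # "visudo -c -f FILE" parses a file without installing it.
  if command -v visudo >/dev/null 2>&1 && ! visudo -c -q -f "$tmp"; then
    echo "visudo rejected the fragment for $user" >&2; rm -f "$tmp"; return 1
  fi
  install -o root -g root -m 0440 "$tmp" "$target" && rm -f "$tmp"
}

# Usage (as root): sh restrict_sudo.sh test
if [ -n "$1" ]; then
  install_fragment "$1"
fi
```

Run it with the username as the only argument; without an argument it only defines the functions, so it can be sourced and render_fragment used to preview the rule before anything is written.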

Unrestricted access (full sudo for the user) and its secondary logging

Step-1

Add the following lines to /root/.bashrc:

# secondary logging begin
export HISTSIZE=600000
export HISTFILESIZE=600000
export HISTTIMEFORMAT="%F %T %z "
export HISTFILE=/var/log/sudousers_historylogs/root_history-$(who am i | awk '{print $1}')
export PROMPT_COMMAND='history -a'
# secondary logging end

Step-2

Create the directory /var/log/sudousers_historylogs.

Step-3

Now, after switching to root with sudo su - or su - from, for example, the sudo user test, a file named root_history-test is created in /var/log/sudousers_historylogs once you log out of the root account. The file appears after you type exit to leave the root shell.

Step-4

Once this file exists, you have a trace of what was done while the user was switched to root on the server:

[root@Inde-test]# cat root_history-test
#1435037330
top
#1435037335
vi /root/
#1435037411
ls
#1435037511
reboot

Step-5

To decode the history timestamps (such as 1435037511) recorded in the file, run date -d @ followed by the timestamp you wish to decode. It prints the exact time at which the command was run on the server.

[root@inde-test sudousers_historylogs]# date -d @1435037511

Tue July 2 05:31:51 EST 2015

This shows that the reboot command was executed by the sudo user test on Tue July 2 05:31:51 EST 2015.
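Steps 3 to 5 read the root_history-<user> file by eye and decode each timestamp with a separate date call. As an added example, not part of the original post, the script below parses that file format (a "#<epoch>" marker line followed by the command bash ran at that time), prints one line per command with the timestamp decoded, and can do this for every user's file in the directory at once. The directory and file naming are the post's; the sample file is constructed here from the post's own listing so the script runs offline. Commands recorded before HISTTIMEFORMAT was set have no marker and are kept with a "-" timestamp rather than dropped.

```shell
#!/bin/sh
# Added example (not from the original post): read a root_history-<user>
# file in the format shown in step 4 and print one decoded line per command,
# which step 5 does by hand with "date -d @<epoch>". The directory
# /var/log/sudousers_historylogs and the file names are the post's; the
# sample below is constructed from the post's listing.

# Print "epoch<TAB>command" for every entry in the history file "$1".
# With HISTTIMEFORMAT set, bash writes "#<epoch>" on the line before each
# command. Commands without a preceding marker get "-" as their timestamp.
history_entries() {
  awk '
    /^#[0-9]+$/ { ts = substr($0, 2); next }               # timestamp marker
    { printf "%s\t%s\n", (ts == "" ? "-" : ts), $0; ts = "" }  # the command
  ' "$1"
}

# Same as history_entries, with the epoch decoded to a UTC date using the
# GNU "date -d @<epoch>" form used in step 5.
decode_history() {
  history_entries "$1" | while IFS="$(printf '\t')" read -r ts cmd; do
    if [ "$ts" = - ]; then
      when='(no timestamp)'
    else
      when=$(date -u -d "@$ts" '+%Y-%m-%d %H:%M:%S UTC')
    fi
    printf '%s\t%s\n' "$when" "$cmd"
  done
}

# Decode every root_history-<user> file under directory "$1", prefixing each
# line with the sudo user taken from the file name.
decode_all() {
  for f in "$1"/root_history-*; do
    [ -f "$f" ] || continue
    user=${f##*/root_history-}
    decode_history "$f" | awk -v u="$user" '{ print u "\t" $0 }'
  done
}

# Constructed sample: the entries from the post's root_history-test listing.
sample_history() {
  printf '%s\n' '#1435037330' top '#1435037335' 'vi /root/' \
                '#1435037411' ls '#1435037511' reboot
}

# Usage: sh decode_history.sh                                 # constructed sample
#        sh decode_history.sh /var/log/sudousers_historylogs  # all real files
if [ -n "$1" ]; then
  decode_all "$1"
else
  tmp=$(mktemp); sample_history > "$tmp"; decode_history "$tmp"; rm -f "$tmp"
fi
```

Because root's shell writes this file itself, it is a convenience trail rather than tamper-evident evidence; the sudo log from the first section remains the primary record.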

Final Words

You have now restricted and logged sudo on your Linux distribution. For more support and information, use the comment section below.
