His requirement is as follows...
He works in a software development firm. They have Linux boxes and his team works on a web application. He has created one master user, say 'ALEXANDER'. This user is very important: it has full SUPERUSER rights, meaning ALEXANDER can do anything on the system, and it is the user they use for starting and shutting down their web application. Now my friend belongs to a four-member team and everybody has the password of ALEXANDER.
Which means if someone screws up the project, no one would know who did it. Then the Blame Dance..
Everybody will blame each other.
So he wants to set up his Linux box in such a way that whatever his team does on the system gets logged to a file.
There are numerous ways to achieve this; however, I prefer the simple one below...
So we have the user ALEXANDER and four developers, say SURESH, NARESH, YOGESH and NAGESH.
Note: I used an UBUNTU 12.04 LTS 64-bit machine to test this.
1. Change the password of ALEXANDER and do not share it with anyone.
2. Now download sudosh2-1.0.4.tgz and install it as instructed below
# tar zxvf sudosh2-1.0.4.tgz
# cd sudosh2-1.0.4
# CFLAGS="-D_GNU_SOURCE" ./configure
# make
# sudo make install
3. Create four users SURESH, NARESH, YOGESH and NAGESH
# sudo adduser SURESH
# sudo adduser NARESH
# sudo adduser YOGESH
# sudo adduser NAGESH
4. Create one group, say DEVELOPERS
# sudo groupadd DEVELOPERS
5. Add users SURESH, NARESH, YOGESH and NAGESH to the secondary group DEVELOPERS
# sudo usermod -a -G DEVELOPERS SURESH
# sudo usermod -a -G DEVELOPERS NARESH
# sudo usermod -a -G DEVELOPERS YOGESH
# sudo usermod -a -G DEVELOPERS NAGESH
6. Open the /etc/sudoers file and make the changes below
Defaults env_reset
Defaults syslog=auth
Defaults>root !set_logname
Defaults log_year, logfile=/var/log/sudo.log
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Cmnd_Alias SUDOSH = /usr/local/bin/sudosh
root ALL=(ALL:ALL) ALL
%DEVELOPERS ALL=(ALEXANDER) SUDOSH
%sudo ALL=(ALL:ALL) ALL
This enables the sudo log, which can be found at /var/log/sudo.log, and allows users in the DEVELOPERS group to run only the /usr/local/bin/sudosh command, and only as the ALEXANDER user.
Note: Be very careful with this file, especially on an UBUNTU system. If you mess up this file and don't have policykit-1 installed, there is no option other than rebooting the system into recovery mode to fix the file. To be on the safer side, please install...
# sudo apt-get install policykit-1
7. That's it, done! We are good to test this...
Log in as SURESH or anyone from the DEVELOPERS group.
# sudo -u ALEXANDER sudosh
You will be asked for SURESH's password. Provide it and you are in.
Check with the id command; you should see ALEXANDER's details.
# id
uid=1000(ALEXANDER) gid=1000(ALEXANDER) groups=1000(ALEXANDER),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare)
You will find the logs at the location below.
Open a new session and log in as ALEXANDER or a user who belongs to the sudo group.
# cd /var/log/sudosh
# sudo ls -ltrh
-rw------- 1 ALEXANDER ALEXANDER 81 Oct 12 10:33 SURESH-ALEXANDER-time-1350063234-YTvv0lB4sLtImfI3
-rw------- 1 ALEXANDER ALEXANDER 196 Oct 12 10:33 SURESH-ALEXANDER-script-1350063234-YTvv0lB4sLtImfI3
Now you have two options to view this file. Either use
# tailf SURESH-ALEXANDER-script-1350063234-YTvv0lB4sLtImfI3
and you will get all the details, live if SURESH is still logged in as ALEXANDER,
or use
# sudo sudosh-replay SURESH-ALEXANDER-script-1350063234-YTvv0lB4sLtImfI3 1 2
and you will see an Action Replay!
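As an added example that is not part of the original post, the Python script below turns a /var/log/sudosh directory listing like the one above into the attribution report the "who did it" problem calls for: who became ALEXANDER, when, and whether any session is missing one of its two files. It assumes user names contain no hyphens; the sample filenames are constructed after the listing shown above.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# sudosh2 names each session file <user>-<runas>-<kind>-<epoch>-<id>, where
# <kind> is "script" (terminal output) or "time" (timing data) and both files
# share the same <epoch> and random <id>. Assumes user names contain no hyphens.
SESSION_RE = re.compile(
    r"^(?P<user>[^-]+)-(?P<runas>[^-]+)-(?P<kind>script|time)-(?P<epoch>\d+)-(?P<id>\w+)$"
)

def parse_session_name(name):
    """Return the fields of one sudosh session filename, or None for other files."""
    m = SESSION_RE.match(name)
    return m.groupdict() if m else None

def audit_sessions(names):
    """Return (sessions, incomplete): sessions lists who became whom and when,
    sorted by start time; incomplete lists session ids missing their script or
    time file, which deserves a look because sudosh always writes both."""
    by_id = defaultdict(dict)
    for name in names:
        fields = parse_session_name(name)
        if fields:
            by_id[fields["id"]][fields["kind"]] = fields
    sessions, incomplete = [], []
    for sid, kinds in by_id.items():
        f = next(iter(kinds.values()))
        if len(kinds) != 2:
            incomplete.append(sid)
        started = datetime.fromtimestamp(int(f["epoch"]), tz=timezone.utc)
        sessions.append({"id": sid, "user": f["user"], "runas": f["runas"],
                         "started": started.isoformat()})
    sessions.sort(key=lambda s: s["started"])
    return sessions, sorted(incomplete)

# Constructed sample listing modelled on the /var/log/sudosh output above;
# the NARESH entry is constructed with its time file deliberately missing.
SAMPLE_LISTING = [
    "SURESH-ALEXANDER-time-1350063234-YTvv0lB4sLtImfI3",
    "SURESH-ALEXANDER-script-1350063234-YTvv0lB4sLtImfI3",
    "NARESH-ALEXANDER-script-1350066900-Qp8zN2vLk0aBcDeF",
]

if __name__ == "__main__":
    found, missing = audit_sessions(SAMPLE_LISTING)
    for s in found:
        print(f"{s['started']}  {s['user']} -> {s['runas']}  session {s['id']}")
    print("sessions missing a script or time file:", missing)
```

Run it against the real listing (for example the output of ls /var/log/sudosh) to get the same report for actual sessions.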
What prevents any of the developers from deleting SUDOSH logs?
Sending syslog messages to another host w/o access for developers ...
But if you are root, you can change also the syslog config ... but everything before your change is already saved on the remote logserver.
If you are paranoid, pipe your syslog output to a printer (hopefully with enough paper).