If someone is in interactive mode it does not audit the commands. There is a sudoreplay program that is supposed to be able to play back a session for you. I've never used it, not sure if it works well.. maybe someone with experience using it can chime in?<br>
<a href="http://www.gratisoft.us/sudo/man/1.8.2/sudoreplay.man.html">http://www.gratisoft.us/sudo/man/1.8.2/sudoreplay.man.html</a><br><br>What I do on my systems is something like this to get a decent audit trail =><br>
<br>/etc/bash.bashrc:PS1='$STAFFID@\h [\w]# '<br>/etc/bash.bashrc:PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND ; }"'echo $$ $STAFFID \ "$(history 1)" >> /tmp/.permanent_history'<br>
/etc/profile:STAFFID=`logname 2> /dev/null`<br>/etc/profile:export STAFFID<br><br>here is an example of someone typing shit in interactive mode....<br><br>staaj@professorx [~]# sudo -i<br>[sudo] password for staaj: <br>
root@professorx:~# echo hi friends<br>hi friends<br>root@professorx:~# tail -2 /tmp/.permanent_history <br>12674 staaj 1999 [May 21 01:45:14] grep -r STAFFID /etc/bash.bashrc /etc/profile<br>12674 staaj 2000 [May 21 01:46:07] echo hi friends<br>
root@professorx:~# <br><br>all admins in my production env use bash so this is for my needs, if your admins use other shells you would need to modify this for your world(s).<br><br><div class="gmail_quote">
On Sun, May 20, 2012 at 7:13 PM, Damon L. Chesser <span dir="ltr"><<a href="mailto:damon@damtek.com" target="_blank">damon@damtek.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On Sun, 2012-05-20 at 20:27 +0000, Shawn wrote:<br>
> So why even have sudo if you use -i ?<br>
<br>
</div>Because sudo logs user foo running /usr/bin/rm -rf / or any other<br>
command. If you su to root, then you will only find user foo sudo to<br>
root, then some time later root ran /usr/bin/rm -rf, but which of the 20<br>
admins logged into your server ran that command?<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
> Sent via BlackBerry<br>
><br>
> -----Original Message-----<br>
> From: <a href="mailto:simontek@gmail.com">simontek@gmail.com</a><br>
> Sender: <a href="mailto:ale-bounces@ale.org">ale-bounces@ale.org</a><br>
> Date: Sun, 20 May 2012 19:57:31<br>
> To: Atlanta Linux Enthusiasts<<a href="mailto:ale@ale.org">ale@ale.org</a>><br>
> Reply-To: Atlanta Linux Enthusiasts <<a href="mailto:ale@ale.org">ale@ale.org</a>><br>
> Subject: Re: [ale] bash commands<br>
><br>
> _______________________________________________<br>
> Ale mailing list<br>
> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
Damon<br>
<a href="mailto:damon@damtek.com">damon@damtek.com</a><br>
<br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><b><i>- Shawn Taaj</i></b><br><br>
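The PROMPT_COMMAND audit trail described at the top of this message, as an added, self-contained example that is not part of the original post or any project's code. It assumes bash as the interactive shell, HISTTIMEFORMAT set so that `history 1` carries a timestamp, and a writable log path in AUDIT_LOG; the helper names (audit_last_command, audit_who_ran, audit_commands_by, audit_write_sample_log) and the log lines with users "alice" and "bob" are constructed for this example. Beyond the hook itself, it adds two small readers that answer the question raised in the thread: which login user's shell ran a given command after `sudo -i`.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: a self-contained version of the
# PROMPT_COMMAND audit trail described above, plus helpers that read the log
# back and answer "which login user typed this command?".
# Assumptions: bash as the interactive shell, HISTTIMEFORMAT set so that
# `history 1` carries a timestamp, and a writable AUDIT_LOG path. The log
# lines in audit_write_sample_log are constructed samples, not real data.

AUDIT_LOG="${AUDIT_LOG:-/tmp/.permanent_history.example}"

# Capture the login name once. After `sudo -i` the new root shell inherits
# this exported value, so entries stay attributed to the person who logged in.
# logname fails without a controlling terminal, so fall back to id -un.
STAFFID="$(logname 2>/dev/null || id -un)"
export STAFFID

# Timestamp each history entry: "2000 [May 21 01:46:07] echo hi friends".
HISTTIMEFORMAT='[%b %d %H:%M:%S] '

# Append "<shell pid> <login user> <history entry>" after every interactive
# command. Only meaningful in an interactive bash, where PROMPT_COMMAND runs.
audit_last_command() {
    printf '%s %s %s\n' "$$" "$STAFFID" "$(history 1)" >> "$AUDIT_LOG"
}
# Chain onto any existing PROMPT_COMMAND instead of clobbering it.
PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND ; }audit_last_command"

# Write constructed sample log lines (same field layout the hook produces)
# to the file given as $1. Users "alice" and "bob" are placeholders.
audit_write_sample_log() {
    cat > "$1" <<'EOF'
12674 alice 1999 [May 21 01:45:14] grep -r STAFFID /etc/bash.bashrc /etc/profile
12674 alice 2000 [May 21 01:46:07] echo hi friends
13102 bob 2001 [May 21 02:10:33] sudo -i
13150 bob 2002 [May 21 02:11:02] rm -rf /var/tmp/build
EOF
}

# Field layout: 1=pid 2=login user 3=history number 4-6=[Mon DD HH:MM:SS] 7..=cmd
# Print, one per line and sorted, the login users whose shell ran a command
# containing the literal substring $1, reading the log file $2.
audit_who_ran() {
    awk -v pat="$1" '
        { cmd = $7; for (i = 8; i <= NF; i++) cmd = cmd " " $i }
        index(cmd, pat) > 0 { seen[$2] = 1 }
        END { for (u in seen) print u }
    ' "$2" | sort
}

# Print every command (without pid, user, number and timestamp) that login
# user $1 ran, in log order, reading the log file $2.
audit_commands_by() {
    awk -v who="$1" '
        $2 == who { cmd = $7; for (i = 8; i <= NF; i++) cmd = cmd " " $i; print cmd }
    ' "$2"
}

# Stand-alone demo: who ran "rm -rf" in the sample log?
demo_log="$(mktemp)"
audit_write_sample_log "$demo_log"
printf 'rm -rf was run by: %s\n' "$(audit_who_ran 'rm -rf' "$demo_log")"
rm -f "$demo_log"
```

The log is written by the user's own shell, so it is an accountability aid rather than a tamper-evident record: a shell started without these rc files produces no entries, and a file under /tmp can be edited by whoever can write it. Forwarding each entry with `logger` to a remote syslog host, or pairing this with the sudo log and auditd, gives a record that a single admin cannot quietly rewrite.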