Monday, April 29, 2013
1:10 PM

Monitor user activity using sudo and sudosh2

Note: I used an Ubuntu 12.04 LTS 64-bit machine to test this.

1. Change the password of ALEXANDER and do not share it with anyone.
2. Download sudosh2-1.0.4.tgz and install it as shown below:

# tar zxvf sudosh2-1.0.4.tgz
# cd sudosh2-1.0.4
# CFLAGS="-D_GNU_SOURCE" ./configure
# make
# sudo make install

3. Create four users: SURESH, NARESH, YOGESH and NAGESH
 
# sudo adduser SURESH
# sudo adduser NARESH
# sudo adduser YOGESH
# sudo adduser NAGESH

4. Create one group, say DEVELOPERS

# sudo groupadd DEVELOPERS

5. Add the users SURESH, NARESH, YOGESH and NAGESH to the secondary group DEVELOPERS

# sudo usermod -a -G DEVELOPERS SURESH
# sudo usermod -a -G DEVELOPERS NARESH
# sudo usermod -a -G DEVELOPERS YOGESH
# sudo usermod -a -G DEVELOPERS NAGESH

6. Open the /etc/sudoers file (with visudo, which checks the syntax before saving) and make the changes below

Defaults        env_reset
Defaults        syslog=auth
Defaults>root   !set_logname
Defaults        log_year, logfile=/var/log/sudo.log
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

Cmnd_Alias SUDOSH = /usr/local/bin/sudosh


root    ALL=(ALL:ALL) ALL


%DEVELOPERS   ALL=(ALEXANDER) SUDOSH

%sudo   ALL=(ALL:ALL) ALL


This enables the sudo log, which is written to /var/log/sudo.log.

The %DEVELOPERS line allows members of that group to run only the /usr/local/bin/sudosh command, and only as the ALEXANDER user.


Note: Be very careful with this file, especially on an Ubuntu system. If you break it, there is no option other than rebooting into recovery mode to fix the file, unless you have policykit-1 installed. To be on the safe side, install it:

# sudo apt-get install policykit-1

7. That's it, done! Now we can test it.
Log in as SURESH or as any other member of the DEVELOPERS group.
Once you get the prompt, enter:

# sudo -u ALEXANDER sudosh

You will be asked for SURESH's password; provide it and you are in.

Check with the id command; you should see ALEXANDER's details:

# id
uid=1000(ALEXANDER) gid=1000(ALEXANDER) groups=1000(ALEXANDER),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare)

The session logs are at the location below. Open a new session, log in as ALEXANDER or as a user who belongs to the sudo group, and run:
# cd /var/log/sudosh
# sudo ls -ltrh
-rw------- 1 ALEXANDER ALEXANDER   81 Oct 12 10:33 SURESH-ALEXANDER-time-1350063234-YTvv0lB4sLtImfI3
-rw------- 1 ALEXANDER ALEXANDER  196 Oct 12 10:33 SURESH-ALEXANDER-script-1350063234-YTvv0lB4sLtImfI3

Now you have two options for viewing this file. Either use

# tail -f SURESH-ALEXANDER-script-1350063234-YTvv0lB4sLtImfI3

which shows you every detail, live, if SURESH is still logged in as ALEXANDER; or use

# sudo sudosh-replay SURESH-ALEXANDER-script-1350063234-YTvv0lB4sLtImfI3 1 2

You will see an action replay!
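Once this is in place, the useful defender's question is whether the records it produces are complete and whether the DEVELOPERS members ever did anything other than "sudosh as ALEXANDER". The script below is an added example, not part of the original post or of sudosh2; it pairs the time/script session files by the FROM-TO-KIND-EPOCH-ID name layout seen in the listing above (that layout is inferred from the two file names shown), and it audits sudo.log lines for DEVELOPERS members whose entry is either a denial or a command other than sudosh run as ALEXANDER. The sudo.log line layout (with log_year) and all sample file names and log lines except the two from the post are constructed assumptions.

```python
"""Audit helpers for the sudo + sudosh2 setup described above (added example)."""
import re
from datetime import datetime, timezone

# Session file names as listed in the post: FROM-TO-KIND-EPOCH-ID
# (layout inferred from the two names shown in the listing, not from sudosh2 docs)
SESSION_RE = re.compile(
    r"^(?P<src>[^-]+)-(?P<dst>[^-]+)-(?P<kind>time|script)-(?P<epoch>\d+)-(?P<sid>\w+)$"
)

# Assumed sudo logfile line layout with log_year:
# "Oct 12 10:33:54 2012 : USER : [reason ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<user>\S+) : "
    r"(?:(?P<reason>(?!TTY=)[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_session_name(name):
    """Split a sudosh session file name into its fields; None if it does not match."""
    m = SESSION_RE.match(name)
    if not m:
        return None
    epoch = int(m.group("epoch"))
    return {
        "src": m.group("src"), "dst": m.group("dst"), "kind": m.group("kind"),
        "epoch": epoch, "sid": m.group("sid"),
        "started": datetime.fromtimestamp(epoch, tz=timezone.utc),
    }


def group_sessions(names):
    """Pair each session's time and script files; report sessions missing a half."""
    sessions = {}
    for name in names:
        rec = parse_session_name(name)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"], rec["epoch"], rec["sid"])
        sessions.setdefault(key, {})[rec["kind"]] = name
    complete = {k: v for k, v in sessions.items() if {"time", "script"} <= v.keys()}
    partial = {k: v for k, v in sessions.items() if k not in complete}
    return complete, partial


def parse_sudo_log_line(line):
    """Parse one sudo.log line into a dict of fields; None if it does not match."""
    m = SUDO_LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def audit_sudo_log(lines, developers, runas="ALEXANDER", sudosh="/usr/local/bin/sudosh"):
    """Flag every entry by a DEVELOPERS member that is not 'sudosh as ALEXANDER'."""
    findings = []
    for line in lines:
        rec = parse_sudo_log_line(line)
        if rec is None or rec["user"] not in developers:
            continue
        cmd = rec["cmd"].split()[0] if rec["cmd"] else ""
        if rec["reason"]:
            findings.append((rec["user"], "denied: " + rec["reason"].strip(), line))
        elif rec["runas"] != runas or cmd != sudosh:
            findings.append((rec["user"], f"ran {cmd} as {rec['runas']}", line))
    return findings


# Constructed sample data: the first two names are the ones shown in the post,
# the third and all log lines are made up for this example.
SAMPLE_SESSION_FILES = [
    "SURESH-ALEXANDER-time-1350063234-YTvv0lB4sLtImfI3",
    "SURESH-ALEXANDER-script-1350063234-YTvv0lB4sLtImfI3",
    "NARESH-ALEXANDER-script-1350070000-AbCdEfGh12345678",  # time file missing
]
SAMPLE_SUDO_LOG = [
    "Oct 12 10:33:54 2012 : SURESH : TTY=pts/0 ; PWD=/home/SURESH ; USER=ALEXANDER ; COMMAND=/usr/local/bin/sudosh",
    "Oct 12 10:35:02 2012 : NARESH : command not allowed ; TTY=pts/1 ; PWD=/home/NARESH ; USER=root ; COMMAND=/bin/bash",
    "Oct 12 10:36:10 2012 : YOGESH : TTY=pts/2 ; PWD=/home/YOGESH ; USER=ALEXANDER ; COMMAND=/bin/bash",
    "Oct 12 10:40:00 2012 : ALEXANDER : TTY=pts/3 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt-get update",
]
DEVELOPERS = {"SURESH", "NARESH", "YOGESH", "NAGESH"}

if __name__ == "__main__":
    complete, partial = group_sessions(SAMPLE_SESSION_FILES)
    for (src, dst, epoch, sid), files in complete.items():
        print(f"session {sid}: {src} -> {dst} at {parse_session_name(files['script'])['started']}")
    for key in partial:
        print("incomplete session (one file missing):", key)
    for user, why, _ in audit_sudo_log(SAMPLE_SUDO_LOG, DEVELOPERS):
        print(f"FLAG {user}: {why}")
```

On a real system you would feed group_sessions the output of os.listdir("/var/log/sudosh") and audit_sudo_log the lines of /var/log/sudo.log, with the developers set read from the DEVELOPERS group in /etc/group; the YOGESH line in the sample is the case that matters most, since a successful non-sudosh command run as ALEXANDER means the %DEVELOPERS rule is no longer restricting them to sudosh.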
