We are transitioning from shared root password to using sudo. How do I audit usage of sudo?

When I came on board, all our SAs had to memorize the root password to the systems. I felt that this was cumbersome (when someone separates from the company, we had to touch every server and change password) and insecure.

Finally got enough pull to push personal accounts with sudo access. I want to have a smooth transition so this is my initial plan:

  1. Allow SAs to perform "approved" commands without entering passwords.
  2. Every other command will require a password every time you use sudo. I will audit these commands and define them as "approved" if deemed necessary, or prevent them from being executed if they pose a security risk.

Our user spec looks like this:

%sysadmins      ALL =  PASSWD: ALL, NOPASSWD: SERVICES, FILE_READING, !/bin/su

Question: How do I have sudo audit (preferably via e-mail, but logs would do) when a command configured with PASSWD is executed?


Solution 1:

Every time sudo is invoked, it logs the command executed to syslog, so I'd recommend just installing logwatch. By default, it comes with filters/aggregators for parsing out sudo entries, and it can email you daily reports.

You may need to write a custom logwatch filter to differentiate between your two different sets of commands.

If you need instant notification of sudo commands, you can use the mail output module with rsyslog. You will need to apply filters so that only sudo messages get sent to this module, lest you wake up in the morning with 10k messages in your inbox.
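As an added example, not part of the original answer: the classification logic a custom logwatch filter would need, written here in Python over constructed sudo syslog lines. The contents of the SERVICES and FILE_READING aliases are assumptions, since the question does not list them.

```python
import re

# Constructed stand-ins for the SERVICES and FILE_READING aliases referenced in
# the sudoers line above; the real alias contents are not given in the question.
NOPASSWD_COMMANDS = {
    "SERVICES": {"/usr/sbin/service", "/bin/systemctl"},
    "FILE_READING": {"/bin/cat", "/usr/bin/less", "/usr/bin/tail"},
}

# Matches the syslog line sudo writes for both permitted and refused commands.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<denied>command not allowed|user NOT in sudoers) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Constructed sample syslog lines (not real log data).
SAMPLE_LOG = """\
Mar  3 09:14:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar  3 09:15:40 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vim /etc/ssh/sshd_config
Mar  3 09:16:11 web01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Mar  3 09:16:30 web01 sshd[2231]: Accepted publickey for bob from 10.0.0.5 port 51012 ssh2
"""


def classify(line):
    """Return a dict for a sudo log line tagged NOPASSWD, PASSWD or DENIED; None for other lines."""
    m = SUDO_RE.search(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    program = rec["cmd"].split()[0]         # path sudo resolved, before its arguments
    if rec["denied"]:
        rec["category"] = "DENIED"          # refused by sudoers, e.g. the !/bin/su rule
    elif any(program in cmds for cmds in NOPASSWD_COMMANDS.values()):
        rec["category"] = "NOPASSWD"        # pre-approved, nothing to report
    else:
        rec["category"] = "PASSWD"          # candidate for review and possible approval
    return rec


def audit_report(log_text):
    """Return the records an SA should review: everything except pre-approved commands."""
    records = (classify(l) for l in log_text.splitlines())
    return [r for r in records if r and r["category"] != "NOPASSWD"]


if __name__ == "__main__":
    for r in audit_report(SAMPLE_LOG):
        print(f"{r['category']:9} {r['user']:8} as {r['runas']}: {r['cmd']}")
```

The same rules can be applied in an rsyslog filter so that only PASSWD and DENIED entries reach the mail output module.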