sudo-io is needed to log all sudo commands executed on Linux system with the command input and output stream. This article provides a step by step instruction to configure sudo-io on a Linux system.
Topic
-
How to use Linux sudo-io?
-
How to configure sudo-io on Linux?
-
How to log all sudo command events with command input and output?
-
How to use sudoreplay command to play sudo command execution?
-
How to rotate sudo-io events?
-
sudo-io logrotation
Solution
Add the following configuration to /etc/sudoers file.
Defaults log_input, log_outputThe log_input and log_output parameters tell sudo program to run a command in pseudo-tty and log all user input and all output sent to the screen.
By default sudo-io stores all sudo events in /var/log/sudo-io directory. You can specify a custom directory through the iolog_dir parameter.
sudo-io can store unlimited sudo events if you don’t limit that. A single sudo command stores event in a single directory with 7-8 separate files.
Three sudo commands are stored in 3 separate directory.
# ls /var/log/sudo-io/00/00/
01 02 03
Each command stores command output in 7 different files.
# ls /var/log/sudo-io/00/00/01/|wc -l
7
# ls /var/log/sudo-io/00/00/02/|wc -l
7
# ls /var/log/sudo-io/00/00/03/|wc -l
7sudo-io rotation
If you don’t limit sudo-io event creation then this will kill all your inode since a single sudo command stores its output in 7-8 files. Add the following configuration to /etc/sudoers file keep last 1000 sudo command history. sudo-io will truncate the oldest command after 1000 numbers have reached.
Defaults maxseq=1000If you want to rotate sudo-io events manually, create a shell script which fulfills the following purpose:
- Create a new directory.
- Move all contents from
/var/log/sudo-iodirectory to the new directory and archive the new directory.
Replay sudo-io events
Following are the example of sudoreplay commands to analyze sudo history.
- List all sudo events
# sudoreplay -l
Apr 1 11:40:11 2020 : test : TTY=/dev/pts/0 ; CWD=/home/test ; USER=root ; TSID=000001 ; COMMAND=/bin/echo My Name 1
Apr 1 11:40:11 2020 : test : TTY=/dev/pts/0 ; CWD=/home/test ; USER=root ; TSID=000002 ; COMMAND=/bin/echo My Name 2
Apr 1 11:40:11 2020 : test : TTY=/dev/pts/0 ; CWD=/home/test ; USER=root ; TSID=000003 ; COMMAND=/bin/echo My Name 3- List all sudo events of
testuser.
# sudoreplay -l user test
Apr 1 11:40:11 2020 : test : TTY=/dev/pts/0 ; CWD=/home/test ; USER=root ; TSID=000001 ; COMMAND=/bin/echo My Name 1
Apr 1 11:40:11 2020 : test : TTY=/dev/pts/0 ; CWD=/home/test ; USER=root ; TSID=000002 ; COMMAND=/bin/echo My Name 2
Apr 1 11:40:11 2020 : test : TTY=/dev/pts/0 ; CWD=/home/test ; USER=root ; TSID=000003 ; COMMAND=/bin/echo My Name 3- List all
echocommands executed by test user account.
# sudoreplay -l user test command echo
Apr 1 11:40:11 2020 : test : TTY=/dev/pts/0 ; CWD=/home/test ; USER=root ; TSID=000001 ; COMMAND=/bin/echo My Name 1
Apr 1 11:40:11 2020 : test : TTY=/dev/pts/0 ; CWD=/home/test ; USER=root ; TSID=000002 ; COMMAND=/bin/echo My Name 2
Apr 1 11:40:11 2020 : test : TTY=/dev/pts/0 ; CWD=/home/test ; USER=root ; TSID=000003 ; COMMAND=/bin/echo My Name 3- Replay input/output of sudo command with the
TSID.
# sudoreplay 000001
Replaying sudo session: /bin/echo My Name 1
My Name 1- List sudo events from a backup directory
# sudoreplay -d /var/log/sudo-io-bkp -l|head
Apr 1 02:20:19 2020 : test : TTY=/dev/pts/1 ; CWD=/home/test ; USER=root ; TSID=000001 ; COMMAND=/bin/echo My Name 96
Apr 1 02:20:19 2020 : test : TTY=/dev/pts/1 ; CWD=/home/test ; USER=root ; TSID=000002 ; COMMAND=/bin/echo My Name 97
