Sudosh Make Me a Sandwich: Install and Configure Sudosh in Solaris 9/10

Welcome to the way-back machine again. This time we are going to look at installing and configuring sudosh on Solaris, with the purpose of using sudosh as a replacement for sudo (at least for sudo to root). Used this way, sudosh still lets users become root, but it also records everything they do once they are root: sudosh wraps the root shell, records the terminal session to its log directory (replayable later with sudosh-replay), and logs the start and end of each session to syslog.

Note that there are a couple of ways to install sudosh: from source or from a package. I chose to install from a native Solaris package for a few reasons:

  1. I found a package.
  2. Otherwise I would need a C compiler to build it.
  3. I had many systems on which to install sudosh.

So the first thing I did was install the package. Below I have dropped the package in /tmp and gunzipped it.

# pkgadd -d ./sudosh2-1.0.2-sol10-sparc-local

Now, let's not be stupid: back up the sudoers file first.

# cd /usr/local/etc/

# cp sudoers sudoers.20140114

Now we can run visudo and modify the sudoers file. First add the command alias below; it keeps things neat and simple.

Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh

Now let's reference the alias we created above in the user privilege section. Rinse and repeat for any user or group that is allowed to become root (a group is written with a leading %, e.g. %systems). Those users then run `sudo sudosh` to get a recorded root shell. Make sure the same users do not also keep an older entry granting ALL, or any other shell or editor: such an entry still gives them an unrecorded root shell and defeats the whole point of the change.

systems ALL=(ALL)       SUDOSH

Next we make a change to /usr/local/etc/sudosh.conf. This step is optional: I am changing the default syslog facility so that sudosh logs with the same facility as regular auth events.

syslog.priority         = LOG_INFO
syslog.facility         = LOG_AUTH

Now I modify my syslog.conf so that all messages of DEBUG level or higher are forwarded to my remote syslog hosts. This includes the sudosh session events, which are logged at INFO. Note that in the Solaris syslog.conf the selector and the action must be separated by one or more tabs, not spaces; a line typed with spaces is not parsed as a selector/action pair. Only the syslog events leave the box this way: the session recordings themselves stay in the sudosh log directory on each host.

#loghost
*.debug	@loghost1
*.debug	@loghost2

Since this is Solaris 10, we can restart syslog via svcadm (on Solaris 9, which has no SMF, stop and start it with /etc/init.d/syslog instead).

# svcadm restart svc:/system/system-log:default
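The two hand edits above, the sudoers grant and the syslog.conf lines, are the ones that quietly break. What follows is an added example, not code from the original post or from the sudosh project: a Python script that parses a sudoers file, expands Cmnd_Alias entries (including NOPASSWD-style tags and backslash continuations), and reports every grant that is not the bare /usr/local/bin/sudosh path, since any such grant hands out an unrecorded root shell; it also flags syslog.conf lines whose selector and action are separated by spaces rather than a tab. The sudoers and syslog.conf text embedded in it is constructed for the demo, and the principals %dba, %wheel and jdoe are made up; the sudosh path is assumed to be the one used in the post's alias.

```python
"""Post-change audit for the sudosh setup: sudoers grants and Solaris syslog.conf.

Assumptions (not from the original post): sudosh lives at the path below, and
only the alias / user-spec syntax shown in the post needs handling.
"""
import re

SUDOSH = "/usr/local/bin/sudosh"  # target of the Cmnd_Alias in the post

# sudoers command tags that may prefix a command list, e.g. "NOPASSWD: SUDOSH"
TAG_RE = re.compile(r"\b(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW):\s*")
ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
# user  host = (runas) commands   (the runas part is optional)
SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")


def logical_lines(text):
    """Yield sudoers lines with comments stripped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line:
            yield line


def parse_sudoers(text):
    """Return ({alias_name: [cmd, ...]}, [(principal, [cmd, ...]), ...])."""
    aliases, specs = {}, []
    for line in logical_lines(text):
        if line.startswith(("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue  # no command grant on these lines
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = SPEC_RE.match(line)
        if m:
            cmds = [c.strip() for c in TAG_RE.sub("", m.group(4)).split(",") if c.strip()]
            specs.append((m.group(1), cmds))
    return aliases, specs


def expand(cmd, aliases, seen=None):
    """Replace a Cmnd_Alias name by the concrete commands it stands for (recursively)."""
    seen = seen if seen is not None else set()
    if cmd in aliases and cmd not in seen:
        seen.add(cmd)
        out = []
        for sub in aliases[cmd]:
            out.extend(expand(sub, aliases, seen))
        return out
    return [cmd]


def audit_sudoers(text):
    """Return [(principal, command)] for every grant that is not the bare sudosh wrapper.

    ALL, a shell, an editor: anything but sudosh lets the principal reach the
    runas user (root here) without the session being recorded."""
    aliases, specs = parse_sudoers(text)
    findings = []
    for principal, cmds in specs:
        for cmd in cmds:
            for leaf in expand(cmd, aliases):
                if leaf != SUDOSH:
                    findings.append((principal, leaf))
    return findings


def check_syslog_conf(text):
    """Return syslog.conf lines that contain no tab: Solaris syslog.conf(4) requires
    one or more tabs between the selector and the action."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and "\t" not in ln]


# Constructed sample input: the post's entries plus grants that bypass sudosh.
SAMPLE_SUDOERS = """\
Defaults    logfile=/var/log/sudo.log
Cmnd_Alias      SUDOSH=/usr/local/bin/sudosh
Cmnd_Alias      SHELLS=/bin/sh, /bin/ksh
systems ALL=(ALL)       SUDOSH
%dba    ALL=(oracle)    NOPASSWD: SUDOSH
%wheel  ALL=(ALL)       ALL
jdoe    ALL=(ALL)       SUDOSH, \\
                        SHELLS
"""

# Constructed sample: the second loghost line was typed with a space, not a tab.
SAMPLE_SYSLOG_CONF = "#loghost\n*.debug\t@loghost1\n*.debug @loghost2\nauth.info\t/var/log/authlog\n"

if __name__ == "__main__":
    for who, cmd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"sudoers: {who} can run {cmd} without sudosh")
    for line in check_syslog_conf(SAMPLE_SYSLOG_CONF):
        print(f"syslog.conf: no tab between selector and action: {line!r}")
```

To run it against a real host, feed the contents of /usr/local/etc/sudoers and /etc/syslog.conf to audit_sudoers() and check_syslog_conf() instead of the samples. The parser deliberately covers only the syntax used in the post (Cmnd_Alias, command tags, continuation lines); #include directives, User_Alias expansion and negated commands are out of scope, so treat an empty result as "nothing obvious" rather than proof.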


FYI – Relevant xkcd here

