
Sudoscriptd/sudoshell are a pair of Perl scripts that provide an audited shell using sudo. If you are familiar with sudo, you might well ask "doesn't running a shell under sudo defeat the purpose of the tool?" Yes and no. One reason for running sudo is to limit what commands can be run by users. These scripts do indeed defeat that purpose. But another reason to run sudo is to maintain an audit trail of commands issued by users with root privilege. These scripts preserve that audit trail by logging all terminal output to log files.

Though giving a user an unrestricted root shell allows them to evade auditing innocently (by running an xterm for example) or maliciously (by changing the root password to give just one of way too many examples), you may have no choice but to give your users such a shell. This may be because they truly need the flexibility of a root shell, or just because they think they do and can convince their managers to let them have it. Either way, you are stuck with losing your audit trail or using something like this tool.

The Details

Sudoshell (also ss) is a small Perl script that works in conjunction with a logging daemon, sudoscriptd, to log all activity within a root shell. It uses the Unix script(1) command to create the log. Once invoked, all console commands and output are logged to a fifo. The logging daemon reads from this fifo and manages log files to store the data produced. The logs are rotated to ensure that they do not overflow the disk space on the logging partition. Sudoshell checks to see if the daemon is running and offers to start it if it is not. (It does this with sudo, so you need to have sudo access to perform this step.) Sudoshell then checks to see if it has been run with root privilege, via 'sudo sudoshell' or otherwise. If not, it reinvokes itself using sudo. The script then checks the user's SHELL environment variable. If the value of this variable doesn't match one of the shells listed in /etc/shells, sudoshell refuses to run. Next the logging fifo is checked. If it exists, sudoshell runs the script command using the fifo as the typescript. If it doesn't exist, sudoshell exits.
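The pre-flight sequence described above, rewritten as POSIX shell functions (an added example, not the Perl code from the sudoscript distribution). The fifo path is a placeholder, the shells file defaults to /etc/shells, and the fifo check is slightly stricter than the description: it requires a named pipe rather than any existing path, so a regular file dropped at that location cannot silently replace the daemon's fifo.

```shell
#!/bin/sh
# Added example: the checks sudoshell performs before handing the session to
# script(1). SHELLS_FILE and LOG_FIFO are assumed names; the fifo path is a
# placeholder and should match whatever sudoscriptd actually creates.
SHELLS_FILE="${SHELLS_FILE:-/etc/shells}"
LOG_FIFO="${LOG_FIFO:-/var/run/sudoscript/fifo}"

# shell_allowed SHELL [FILE]: succeed only if SHELL appears verbatim as a line
# of FILE. Blank lines and '#' comments are skipped, as in /etc/shells.
shell_allowed() {
    _sh="$1"; _file="${2:-$SHELLS_FILE}"
    [ -n "$_sh" ] || return 1
    [ -r "$_file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        [ "$line" = "$_sh" ] && return 0
    done < "$_file"
    return 1
}

# fifo_ready PATH: succeed only if PATH exists and is a named pipe.
fifo_ready() {
    [ -p "$1" ]
}

# running_as_root: when this fails, sudoshell reinvokes itself under sudo.
running_as_root() {
    [ "$(id -u)" -eq 0 ]
}

# sudoshell_main: the decision sequence from the description above.
sudoshell_main() {
    if ! running_as_root; then
        exec sudo "$0" "$@"
    fi
    if ! shell_allowed "$SHELL"; then
        echo "sudoshell: $SHELL is not listed in $SHELLS_FILE; refusing to run" >&2
        return 1
    fi
    if ! fifo_ready "$LOG_FIFO"; then
        echo "sudoshell: logging fifo $LOG_FIFO not found; is sudoscriptd running?" >&2
        return 1
    fi
    # script(1) records the whole session, with the fifo as its typescript.
    exec script "$LOG_FIFO"
}
```

Call sudoshell_main "$@" at the end of the file to use it as a wrapper; the functions above it can be sourced and exercised on their own.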

The Really Picky Details

I have written a paper, published in the August 2002 issue of ;login, that details the experiences that led up to writing sudoscript. The paper is called "The Problem of PORCMOLSULB" and can be retrieved here as HTML or as PDF. The XML source, DTD and stylesheets are in the sudoscript distribution.