Table of Contents

  1. Step 1: Enable SUDO Logging
  2. Step 2: Verify
  3. Summary

Step 1: Enable SUDO Logging

The next step in securing the system is to enable sudo logging. There are several ways to log sudo activity, but the coolest is sudo's I/O logging, which records each session so it can be played back with sudoreplay.

To enable sudo logging we will be editing the sudoers file. I highly recommend using visudo to do so. For one thing, you don't have to remember the file path; just type visudo. Also, if there are syntax errors in your configuration it will notify you before saving, instead of leaving you with a broken sudoers file. Visudo is what I will be using in the examples.

Add the following to your sudoers file.

Defaults    log_output
Defaults!   /sbin/reboot !log_output
Defaults!   /usr/bin/sudoreplay !log_output

The above enables I/O (output) logging for every command run through sudo, except for sudoreplay and reboot, whose output is not worth recording.

Step 2: Verify

Run

sudo ls

Then

sudoreplay -l

You should see something like the following.

Oct 26 15:56:57 2017 : vagrant : TTY=/dev/pts/0 ; CWD=/var/log ; USER=root ; TSID=000001 ; COMMAND=/bin/ls

To replay that session, run sudoreplay 000001.

If a user were to run sudo su, the whole shell session could be replayed in real time, sped up, or slowed down.
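As an added example (not from the original post), here is a small Python parser for the sudoreplay -l listing format shown above: it splits each entry into its fields and picks out the sessions that launched a shell, which are the ones worth replaying in full when reviewing privileged activity. The sample lines are constructed to match the format above, and the set of shell binaries is an assumption you would adjust for your hosts.

```python
import re
from typing import Dict, List

# Constructed sample listing, modelled on the "sudoreplay -l" line shown above.
SAMPLE_LISTING = """\
Oct 26 15:56:57 2017 : vagrant : TTY=/dev/pts/0 ; CWD=/var/log ; USER=root ; TSID=000001 ; COMMAND=/bin/ls
Oct 26 15:58:02 2017 : vagrant : TTY=/dev/pts/0 ; CWD=/home/vagrant ; USER=root ; TSID=000002 ; COMMAND=/bin/su
Oct 26 16:01:40 2017 : alice : TTY=/dev/pts/1 ; CWD=/tmp ; USER=root ; TSID=000003 ; COMMAND=/bin/bash -l
"""

# Binaries that start an interactive shell (assumed list; extend for your hosts).
SHELL_COMMANDS = {"/bin/su", "/bin/bash", "/bin/sh", "/usr/bin/su", "/usr/bin/bash"}

# "<date> : <invoking user> : KEY=value ; KEY=value ; ..."
_ENTRY = re.compile(r"^(?P<date>.+?) : (?P<user>\S+) : (?P<rest>.*)$")


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Turn each line of sudoreplay -l output into a dict of its fields."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines
        entry = {"date": m.group("date"), "user": m.group("user")}
        # The remainder is a " ; "-separated list of KEY=value pairs.
        for field in m.group("rest").split(" ; "):
            key, _, value = field.partition("=")
            entry[key] = value
        entries.append(entry)
    return entries


def shell_sessions(entries: List[Dict[str, str]]) -> List[str]:
    """Return the TSIDs of sessions whose command was an interactive shell."""
    tsids = []
    for e in entries:
        # COMMAND may carry arguments ("/bin/bash -l"); compare the binary only.
        binary = e.get("COMMAND", "").split(" ", 1)[0]
        if binary in SHELL_COMMANDS:
            tsids.append(e["TSID"])
    return tsids


if __name__ == "__main__":
    for tsid in shell_sessions(parse_listing(SAMPLE_LISTING)):
        print(f"review with: sudoreplay {tsid}")
```

On a real host, pipe the output of sudoreplay -l into parse_listing instead of the constructed sample.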

Summary

Sudo logging was enabled, and with that, accountability for privileged commands has been established: every command run through sudo now has a recorded session that can be replayed.

This is just one step in securing a system. However, a bunch of little steps add up and make a big difference.