
Re: [SAGE] Re: Official sudosh announcement



Hi Guys,

I like the idea of a central log host, but it isn't required.

sudosh is geared towards syslog itself and the use of local logs. 
When using sudosh each line of input and output is timestamped as in
this example:

Sep 28 19:21:50 hostname sudosh[15798]: drhx starting sudosh session (/tmp/sudosh.xVKzYHmTUl9IeKyx60cZ.fifo)
Sep 28 19:21:50 hostname sudoshd: drhx: 15798: Script command is started on Tue Sep 28 19:21:50 PDT 2004.
Sep 28 19:21:53 hostname sudoshd: drhx: 15798: # id^M
Sep 28 19:21:53 hostname sudoshd: drhx: 15798: uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)^M
Sep 28 19:21:53 hostname sudoshd: drhx: 15798: # exit^M
Sep 28 19:21:53 hostname sudoshd: drhx: 15798:
Sep 28 19:21:53 hostname sudoshd: drhx: 15798: Script command is complete on Tue Sep 28 19:21:53 PDT 2004.
Sep 28 19:21:53 hostname sudosh[15798]: drhx closing sudosh session (/tmp/sudosh.xVKzYHmTUl9IeKyx60cZ.fifo)

I know that local syslogs are UDP via /dev/log.  I know that on paper
UDP is async and is not guaranteed to be delivered.  But honestly I've
been using UNIX for nearly 10 years and I have never seen /dev/log fail
or just randomly drop syslogs.

With the above example it is very easy to show to an auditor and have
supporting documentation regarding changes and such to a server.

Some people will decide to use sudo one command at a time, but I like
the idea of having a root shell.

I wouldn't want to be caught in an audit with only a shell history
file, assuming it even exists.  Shell history is nowhere near as
accountable as syslog.

On Fri, 1 Oct 2004 12:27:42 -0400, Joseph S D Yao <jsdy@tux.org> wrote:
> On Fri, Oct 01, 2004 at 12:17:39PM -0400, William LeFebvre wrote:
> ...
> > Syslog does not provide dependable accountability.  Ergo, neither does sudosh.
> ...
> 
> Syslog over UDP to a remote server does not.
> 
> Would syslog to a local server + a remote server over TCP tunnelled via
> SSH/SSL be "dependable accountability" for you?  ;-)
> 
> As I think you said, the reliability of that part depends on the local
> configuration.
> 
> --
> /*********************************************************************\
> **
> ** Joe Yao                              jsdy@tux.org - Joseph S. D. Yao
> **
> \*********************************************************************/
> 



-- 
- Doug Hanks = dhanks(at)gmail(dot)com
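An added example, not code from the sudosh project or from anyone in this thread: a small parser that turns sudosh/sudoshd syslog lines like the excerpt quoted above into per-session records keyed by the sudosh PID, strips the ^M from the captured terminal output, separates typed commands from their output, and flags sessions that never logged a closing marker (the gap an auditor would ask about). It assumes the captured shell shows a plain root prompt "# " as in the excerpt; the sample lines are constructed from that excerpt.

```python
import re

# Constructed sample, modelled line for line on the sudosh syslog excerpt in the
# post above; "\r" stands for the ^M the mailer displayed.
SAMPLE_LOG = (
    "Sep 28 19:21:50 hostname sudosh[15798]: drhx starting sudosh session (/tmp/sudosh.xVKzYHmTUl9IeKyx60cZ.fifo)\n"
    "Sep 28 19:21:50 hostname sudoshd: drhx: 15798: Script command is started on Tue Sep 28 19:21:50 PDT 2004.\n"
    "Sep 28 19:21:53 hostname sudoshd: drhx: 15798: # id\r\n"
    "Sep 28 19:21:53 hostname sudoshd: drhx: 15798: uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)\r\n"
    "Sep 28 19:21:53 hostname sudoshd: drhx: 15798: # exit\r\n"
    "Sep 28 19:21:53 hostname sudoshd: drhx: 15798:\n"
    "Sep 28 19:21:53 hostname sudoshd: drhx: 15798: Script command is complete on Tue Sep 28 19:21:53 PDT 2004.\n"
    "Sep 28 19:21:53 hostname sudosh[15798]: drhx closing sudosh session (/tmp/sudosh.xVKzYHmTUl9IeKyx60cZ.fifo)\n"
)

# syslog timestamp followed by the hostname
TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
# "sudosh[PID]: user starting/closing sudosh session ..." markers
SESSION_RE = re.compile(TS + r"sudosh\[(?P<pid>\d+)\]: (?P<user>\S+) (?P<event>starting|closing) sudosh session")
# "sudoshd: user: PID: <captured line>" (the captured line may be empty)
LINE_RE = re.compile(TS + r"sudoshd: (?P<user>\S+): (?P<pid>\d+):(?: (?P<text>.*))?$")
PROMPT = "# "   # assumption: plain root prompt, as shown in the excerpt


def _new_session(user):
    return {"user": user, "start": None, "close": None, "commands": [], "output": []}


def parse_sessions(log_text):
    """Group sudosh/sudoshd syslog lines into sessions keyed by the sudosh PID."""
    sessions = {}
    for raw in log_text.splitlines():
        line = raw.rstrip("\r")              # drop the ^M of captured terminal output
        m = SESSION_RE.match(line)
        if m:
            s = sessions.setdefault(m["pid"], _new_session(m["user"]))
            s["start" if m["event"] == "starting" else "close"] = m["ts"]
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                         # unrelated syslog line, ignore
        s = sessions.setdefault(m["pid"], _new_session(m["user"]))
        text = m["text"] or ""
        if text.startswith(PROMPT):          # a line typed at the root prompt
            s["commands"].append(text[len(PROMPT):].strip())
        else:
            s["output"].append(text)
    return sessions


def incomplete_sessions(sessions):
    """PIDs that opened a session but never logged the closing marker: a crash,
    a killed session or a lost syslog message that an auditor should look at."""
    return sorted(pid for pid, s in sessions.items() if s["close"] is None)
```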