Two options:
Local logging (but the root account can wipe the files one way or another)
You can use chattr +a on the directory to make it append only. But unfortunately, this attribute is not inherited by new files and directories (What is the effect of "chattr +a" on a directory).
chattr -R +a /var/log/sudo-io
Then you can use a tool that uses the kernel's inotify feature to set the append-only attribute on new files and directories (See: Automatically set append attribute for newly created files/folders?). (there is probably a timing attack here)
SELinux can certainly help confine the privileged user account here! (staff_u and sysadm_u can't access the logs)
Remote logging
Unfortunately, the layout and format of the log files make it difficult to forward using syslog (5 files per session):
/var/log/sudo-io
/var/log/sudo-io/seq
/var/log/sudo-io/00
/var/log/sudo-io/00/00
/var/log/sudo-io/00/00/02
/var/log/sudo-io/00/00/02/stdout
/var/log/sudo-io/00/00/02/log
/var/log/sudo-io/00/00/02/timing
/var/log/sudo-io/00/00/02/stderr
/var/log/sudo-io/00/00/02/ttyout
/var/log/sudo-io/00/00/01
/var/log/sudo-io/00/00/01/stdin
/var/log/sudo-io/00/00/01/stdout
/var/log/sudo-io/00/00/01/log
/var/log/sudo-io/00/00/01/timing
/var/log/sudo-io/00/00/01/ttyin
/var/log/sudo-io/00/00/01/stderr
/var/log/sudo-io/00/00/01/ttyout
It would be easy to write the log files to a remote server by mounting the directory specified by sudo's iolog_dir from a remote server using NFS/CIFS. The NFS exported directory would need chattr +a as above.
Obviously, that server should be more secure so the user can't connect to that server and erase the files there :-).
Note that sudo will refuse to run if it can't create the log files: sudo: unable to open /var/log/sudo-io/seq: Permission denied
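One way around the "5 files per session" problem mentioned above is not to forward the raw session files at all, but to reduce each session directory to a single key=value line that syslog can carry. The script below is an added example, not code from the answer above or from the sudo project. It assumes the classic text formats of the session files under iolog_dir: `log` (line 1 `time:user:runas_user:runas_group:tty:lines:cols`, line 2 the cwd, line 3 the command; the lines/cols fields may be absent on older sudo) and `timing` (one event per line, `type delay [bytes]`, with types 0 stdin, 1 stdout, 2 stderr, 3 ttyin, 4 ttyout, 6 winsize, 7 suspend). Newer sudo releases also write a `log.json` next to `log`; that file is ignored here. The sample session is constructed for illustration, and the `/dev/log` socket path and the functions `build_lines`/`forward` are this example's own names.

```python
"""Reduce sudo I/O log sessions (iolog_dir layout) to single syslog lines.

Added example; not from the original answer or from sudo itself.
Assumed formats (classic sudo text files):
  log    : "time:user:runas_user:runas_group:tty:lines:cols" / cwd / command
  timing : "type delay [bytes]" per line; 0=stdin 1=stdout 2=stderr
           3=ttyin 4=ttyout 6=winsize 7=suspend
"""
import os
import socket
import tempfile
from datetime import datetime, timezone

EVENT_NAMES = {0: "stdin", 1: "stdout", 2: "stderr", 3: "ttyin", 4: "ttyout"}

# Constructed sample session (not real data).
SAMPLE_LOG = "1378225436:alice:root::/dev/pts/0:24:80\n/home/alice\n/bin/cat /etc/shadow\n"
SAMPLE_TIMING = "0 0.000000 5\n1 0.120000 200\n1 0.030000 55\n2 0.010000 12\n6 0.000000 24 80\n"


def parse_log(text):
    """Parse the three-line `log` file into a dict."""
    lines = text.splitlines()
    fields = lines[0].split(":")
    fields += [""] * (7 - len(fields))  # tolerate old sudo without lines/cols
    return {
        "time": int(fields[0]),
        "user": fields[1],
        "runas_user": fields[2],
        "runas_group": fields[3],
        "tty": fields[4],
        "cwd": lines[1] if len(lines) > 1 else "",
        "command": lines[2] if len(lines) > 2 else "",
    }


def parse_timing(text):
    """Sum delays into a duration and bytes per I/O stream."""
    duration, bytes_by_stream = 0.0, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ev, delay = int(parts[0]), float(parts[1])
        duration += delay
        if ev in EVENT_NAMES and len(parts) >= 3:
            name = EVENT_NAMES[ev]
            bytes_by_stream[name] = bytes_by_stream.get(name, 0) + int(parts[2])
    return {"duration": duration, "bytes": bytes_by_stream}


def session_id(iolog_dir, session_dir):
    """00/00/02 under iolog_dir -> "000002", the TSID sudoreplay -l prints."""
    return "".join(os.path.relpath(session_dir, iolog_dir).split(os.sep))


def summarize_session(iolog_dir, session_dir):
    with open(os.path.join(session_dir, "log")) as f:
        info = parse_log(f.read())
    with open(os.path.join(session_dir, "timing")) as f:
        info.update(parse_timing(f.read()))
    info["tsid"] = session_id(iolog_dir, session_dir)
    return info


def format_syslog_line(info):
    """One key=value line; the command is quoted because it contains spaces."""
    ts = datetime.fromtimestamp(info["time"], timezone.utc).isoformat()
    out = sum(info["bytes"].get(k, 0) for k in ("stdout", "stderr", "ttyout"))
    return (f'sudo-io: tsid={info["tsid"]} time={ts} user={info["user"]} '
            f'runas={info["runas_user"]} tty={info["tty"]} cwd={info["cwd"]} '
            f'duration={info["duration"]:.3f}s out_bytes={out} cmd="{info["command"]}"')


def find_sessions(iolog_dir):
    """Session dirs are the leaves that hold both a `log` and a `timing` file."""
    for root, _dirs, files in os.walk(iolog_dir):
        if "log" in files and "timing" in files:
            yield root


def build_lines(iolog_dir):
    return [format_syslog_line(summarize_session(iolog_dir, d))
            for d in sorted(find_sessions(iolog_dir))]


def forward(iolog_dir, sock_path="/dev/log"):
    """Send each line to the local syslog socket as authpriv.notice (PRI 10*8+5=85)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.connect(sock_path)
        for line in build_lines(iolog_dir):
            s.send(f"<85>{line}".encode())


def make_sample_iolog():
    """Write the constructed session as iolog_dir/00/00/02 in a temp dir."""
    base = tempfile.mkdtemp(prefix="sudo-io-")
    sess = os.path.join(base, "00", "00", "02")
    os.makedirs(sess)
    with open(os.path.join(sess, "log"), "w") as f:
        f.write(SAMPLE_LOG)
    with open(os.path.join(sess, "timing"), "w") as f:
        f.write(SAMPLE_TIMING)
    return base


if __name__ == "__main__":
    for line in build_lines(make_sample_iolog()):
        print(line)
```

Run it as root from cron (or from the inotify watcher that sets chattr +a) against the real iolog_dir, and replace `forward()`'s Unix socket with the remote syslog destination if no local daemon relays it. The summary line is what a central log server can index and alert on; the full session stays available locally for `sudoreplay` as long as the append-only attributes hold.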