My Chief Security Officer (CSO) wants to log the activity of the privileged account (root). I know I can configure sudo to log user input (keystrokes) and console/terminal output (stdout/stderr), as explained in How to log commands within a "sudo su -"?. But the content is always logged to a file locally. That file can easily be wiped by the root user!

I have enabled logging in /etc/sudoers:

Defaults>root log_input, log_output
Defaults iolog_dir=/var/log/sudo-io

or equivalent

root      ALL = (ALL) LOG_INPUT: LOG_OUTPUT:      ALL

How can I protect/secure the file from deletion?

  • I think you can use a filter with syslog-ng and choose to log to a remote machine. For the filter: https://www.debian-administration.org/article/676/Isolating_sudo_messages_from_syslog and for the remote logging: https://www.monitis.com/blog/2011/09/14/logging-to-a-remote-host-with-syslog-ng – dervishe Mar 10 '16 at 22:46

2 Answers

Two options:

Local logging (but the root account can wipe the files one way or another)

You can use chattr +a on the directory to make it append-only. Unfortunately, this attribute is not inherited by new files and directories (What is the effect of "chattr +a" on a directory).

chattr -R +a /var/log/sudo-io

Then you can use a tool that uses the kernel's inotify feature to set the append-only attribute on new files and directories (see: Automatically set append attribute for newly created files/folders?). (There is probably a timing attack here.)

SELinux can certainly help confine the privileged user account here! (staff_u and sysadm_u can't access the logs.)

Remote logging

Unfortunately, the layout and format of the log files make them difficult to forward using syslog (5 files per session):

/var/log/sudo-io
/var/log/sudo-io/seq
/var/log/sudo-io/00
/var/log/sudo-io/00/00
/var/log/sudo-io/00/00/02
/var/log/sudo-io/00/00/02/stdout
/var/log/sudo-io/00/00/02/log
/var/log/sudo-io/00/00/02/timing
/var/log/sudo-io/00/00/02/stderr
/var/log/sudo-io/00/00/02/ttyout
/var/log/sudo-io/00/00/01
/var/log/sudo-io/00/00/01/stdin
/var/log/sudo-io/00/00/01/stdout
/var/log/sudo-io/00/00/01/log
/var/log/sudo-io/00/00/01/timing
/var/log/sudo-io/00/00/01/ttyin
/var/log/sudo-io/00/00/01/stderr
/var/log/sudo-io/00/00/01/ttyout

It would be easy to write the log files to a remote server by mounting the directory specified by sudo's iolog_dir from a remote server using NFS/CIFS. The NFS-exported directory would need chattr +a as above.

Obviously, that server should be more secure so the user can't connect to that server and erase the files there :-).

Note that sudo will refuse to run if it can't create the log files:

sudo: unable to open /var/log/sudo-io/seq: Permission denied
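The answer above says the per-session layout is awkward to forward with syslog, and the comment on the question suggests syslog-ng remote logging. The following added example (it is not code from the answer, the question or the sudo project) flattens one session directory into line-oriented JSON records that any file-reading syslog input or `logger` can ship off-host. It assumes the sudo 1.8 plain-text layout: a `log` file of three lines (time:user:runas_user:runas_group:tty[:lines:cols], cwd, command), a `timing` file of "type delay bytes" lines with types 0 stdin, 1 stdout, 2 stderr, 3 ttyin, 4 ttyout, 5 winsize, 6 suspend, and per-stream byte files that are gzip-compressed when compress_io is on. The session it parses is constructed inline for the demonstration, not a real capture.

```python
#!/usr/bin/env python3
"""Flatten a sudo I/O log session directory into JSON lines a syslog forwarder
(rsyslog/syslog-ng file input, or `logger`) can ship off-host.
Assumes the sudo 1.8 plain-text session layout described in the lead-in."""
import gzip
import json
import os
import tempfile

# Event types used in the `timing` file (assumed sudo 1.8 numbering).
EVENT_NAMES = {0: "stdin", 1: "stdout", 2: "stderr", 3: "ttyin", 4: "ttyout",
               5: "winsize", 6: "suspend"}
STREAM_FILES = {t: EVENT_NAMES[t] for t in range(5)}   # events that carry bytes


def read_stream(path):
    """Raw bytes of a stream file; compress_io writes gzip, so gunzip if needed."""
    with open(path, "rb") as fh:
        data = fh.read()
    return gzip.decompress(data) if data[:2] == b"\x1f\x8b" else data


def parse_log(session_dir):
    """Parse the three-line `log` file into a header dict."""
    with open(os.path.join(session_dir, "log")) as fh:
        header, cwd, command = [line.rstrip("\n") for line in fh][:3]
    f = header.split(":")
    info = {"time": int(f[0]), "user": f[1], "runas_user": f[2],
            "runas_group": f[3], "tty": f[4], "cwd": cwd, "command": command}
    if len(f) >= 7:                     # lines:cols present in later 1.8 releases
        info["lines"], info["cols"] = int(f[5]), int(f[6])
    return info


def iter_events(session_dir):
    """Yield (type, delay_seconds, payload): walk `timing` and slice each
    stream file in order, the way sudoreplay reconstructs a session."""
    streams, offsets = {}, {}
    for kind, name in STREAM_FILES.items():
        path = os.path.join(session_dir, name)
        if os.path.exists(path):
            streams[kind], offsets[kind] = read_stream(path), 0
    with open(os.path.join(session_dir, "timing")) as fh:
        for line in fh:
            parts = line.split()
            if not parts:
                continue
            kind, delay = int(parts[0]), float(parts[1])
            if kind in streams:
                nbytes, start = int(parts[2]), offsets[kind]
                offsets[kind] = start + nbytes
                yield kind, delay, streams[kind][start:start + nbytes]
            else:                       # winsize/suspend carry no stream bytes
                yield kind, delay, " ".join(parts[2:]).encode()


def session_records(session_dir, session_id):
    """One JSON string per event, each tagged with the session id so every
    line is self-describing once it lands on the remote syslog server."""
    info = parse_log(session_dir)
    records = [json.dumps({"session": session_id, "event": "start", **info})]
    elapsed = 0.0
    for kind, delay, chunk in iter_events(session_dir):
        elapsed += delay
        records.append(json.dumps({"session": session_id, "t": round(elapsed, 6),
                                   "stream": EVENT_NAMES.get(kind, str(kind)),
                                   "data": chunk.decode("utf-8", "replace")}))
    return records


def reconstruct_ttyout(session_dir):
    """Join the ttyout chunks in timing order: what the operator saw on screen."""
    out = b"".join(c for k, _, c in iter_events(session_dir) if k == 4)
    return out.decode("utf-8", "replace")


def build_sample_session(root=None):
    """Write a constructed session (not a real capture) under <root>/00/00/01."""
    root = root or tempfile.mkdtemp(prefix="sudo-io-")
    sess = os.path.join(root, "00", "00", "01")
    os.makedirs(sess)
    with open(os.path.join(sess, "log"), "w") as fh:
        fh.write("1457648800:alice:root::/dev/pts/3:24:80\n/home/alice\n/bin/bash -l\n")
    with open(os.path.join(sess, "timing"), "w") as fh:
        fh.write("5 0.000000 24 80\n"       # initial window size
                 "4 0.000000 13\n"          # prompt
                 "3 1.250000 2\n"           # operator types "ls"
                 "4 0.000100 2\n"           # echo
                 "3 0.300000 1\n"           # Enter
                 "4 0.000100 2\n"           # "\r\n"
                 "4 0.050000 13\n")         # command output
    with open(os.path.join(sess, "ttyin"), "wb") as fh:   # plain stream file
        fh.write(b"ls\r")
    with open(os.path.join(sess, "ttyout"), "wb") as fh:  # gzip, as compress_io would
        fh.write(gzip.compress(b"root@host:~# ls\r\nsecrets.txt\r\n"))
    return sess


if __name__ == "__main__":
    sess = build_sample_session()
    for rec in session_records(sess, "00/00/01"):
        print("sudo-io: " + rec)       # pipe into `logger -t sudo-io` or a file input
    print(reconstruct_ttyout(sess), end="")
```

Run it against a real iolog_dir by pointing `session_records` at a session directory such as /var/log/sudo-io/00/00/01 and piping the output to `logger` or into a file that rsyslog/syslog-ng tails; because each line carries the session id and elapsed time, the remote side can rebuild the session even if lines arrive out of order. sudo 1.9 and later also ship sudo_logsrvd and a log_servers sudoers option that stream I/O logs to a remote host directly, which removes the need for this flattening on current releases.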


Anything you do locally, on the server, can be circumvented by a determined admin or hacker. The only way to ensure the integrity of any log is to log it (or at least replicate it) to a remote syslog server. I am not going to go into the detail of how this is done, as it is a very well known concept. If you are not aware, please search and read about syslog-ng. Make sure the remote syslog server can only be accessed by the CSO's team and not by anyone from the sysadmin team. Segregation of responsibilities is the only way to ensure against log tampering. If I were your CSO, I'd physically place the server where no operator or sysadmin can access it. Because once you have physical access to any box, security goes out the window. My 2 cents.

MelBurslan