Sudosh2 is currently at version 1.0.2

Introduction

Sudosh2 is a tool which can provide systems administrators with extensive auditing of user shell usage.

There are two distinct modes of operation for sudosh2: as a filter for sudo, and directly as a login shell. In either case, you will be able to audit user sessions by replaying them to your screen, much like a VCR.

Sudosh2 is a fork of sudosh (by Douglas Hanks). Douglas stopped updating sudosh in 2005, and my fork was created in 2007. Sudosh2 is licensed with the Open Source License v2.0.

Sudosh2 is developed as a Sourceforge project. You can find the software as well as the CVS repository, bug tracking, email list, and more at the project page.

Installing Sudosh2

Sudosh2 should compile and install easily on most Unix-like systems. It is developed on Ubuntu, and my personal usage is a mix of Red Hat Enterprise, Gentoo, and Solaris. Sudosh2 has been compiled with gcc as old as 2.95.2, and does not rely on external libraries other than your libc.

The simplest case for installing sudosh2 would look like this:

tar jxf sudosh2-[version].tar.bz2
cd sudosh2-[version]

./configure
make

sudo make install

Configuring

Once installed, sudosh2 is very easy to configure. The default configuration file is /etc/sudosh2.conf, which looks like this:

 # Sudosh Configuration File
logdir                  = /var/log/sudosh
default shell           = /bin/sh
delimiter               = -
syslog.priority         = LOG_INFO
syslog.facility	       = LOG_LOCAL2
clearenvironment   = yes 

# Allow Sudosh to execute -c arguements?  If so, what?
-c arg allow = scp
-c arg allow = rsync

A quick breakdown of the possible options:

logidr: This is where your session logs will be stored. Sudosh2 will create the dir if it does not exist, and will maintain the proper permissions on it as well.

default shell: fallback value for shell to execute if preferred shell is invalid or getusershell() does not exist

delimiter: Seperator for fields in session record filenames

syslog.priority/syslog.facility: Specify the syslog channel for sudosh2. Consult your syslog man page for acceptable values no your system. Syslog priority is also referred to as Level on some systems.

clearenvironment: By default, sudosh will clear any environment variables, keeping them from carrying through from the previous shell. If you would rather it not do this, set clearenvironment to no.

-c arg allow: This value is used when sudosh2 is set as a user's login shell. Any values you have set in this variable are acceptable commands to be executed non-interactively, such as sftp, scp, cvs, etc. Note that this must be the exact command, for example my Ubuntu system calls sftp as "/usr/lib/openssh/sftp-server". Failed commands are sent to syslog.

Using sudosh2 as a sudo shell

This is the original usage for Sudosh2. Quite simply, you use sudosh2 to sit between sudo ahd an actual shell, where it records all input and output for that session. You will want to configure sudoers.conf to allow your users to run sudosh, similar to this:

joeuser ALL= (oracle) sudosh 

Now, joeuser will use the following command to become the oracle user:

sudo -u oracle sudosh 

Using sudosh2 as a login shell

On systems which validate shells against /etc/shells, make sure you have an entry for it. Then, simply set the shell field in /etc/passwd to the full path of sudosh. See the configuration notes about "-c arg allow" to learn how to enable non-interactive sessions.

Auditing sessions with sudosh-replay

You can see a list of all sessions by calling sudosh-replay with no arguments. Each session will display the login timestamp, length of session(or -c arg if non-interactive), username, username changed to, and finally the session name. To replay a session, call sudosh-replay with the session name as your argument, optionally a speed multiplier, and optionally the maximum time to pause when the original session was idle. Here is an example:

 # sudosh-replay
Date                Duration From         To           ID
====                ======== ====         ==           ==
12/20/2007 11:30:24 9s       squash       root         squash-root-1198171824-MYZLQcJJ8mSTn5Yq
01/30/2008 17:53:28 0s       squash       root         squash-root-1201737208-qo5hQpRQ1zSgFFWg
02/18/2008 15:00:28 2s       squash       root         squash-root-1203368428-of7DLKntpnpctOFy

# sudosh-replay  squash-root-1203368428-of7DLKntpnpctOFy 1 1

This user's entire session will now be replayed, allowing you to audit their activity.