How to use Sudosh2 as a sudo shell
This is the original use for Sudosh2. Quite simply, sudosh2 sits between sudo and an actual shell, where it records all input and output for that session. You will want to configure sudoers.conf to allow your users to run sudosh, similar to this:
joeuser ALL= (oracle) sudosh
Now, joeuser will use the following command to become the oracle user:
sudo -u oracle sudosh
How to use Sudosh2 as a login shell
On systems which validate shells against /etc/shells, make sure you have an entry for it. Then, simply set the shell field in /etc/passwd to the full path of sudosh. See the configuration notes about "-c arg allow" to learn how to enable non-interactive sessions.
How to audit shell sessions with sudosh-replay
You can see a list of all sessions by calling sudosh-replay with no arguments. Each session is listed with its login timestamp, the length of the session (or the -c arg if non-interactive), the username, the username changed to, and finally the session name. To replay a session, call sudosh-replay with the session name as the first argument, optionally followed by a speed multiplier and by the maximum time to pause where the original session was idle. Here is an example:
# sudosh-replay
Date                 Duration  From    To    ID
====                 ========  ====    ==    ==
12/20/2007 11:30:24  9s        squash  root  squash-root-1198171824-MYZLQcJJ8mSTn5Yq
01/30/2008 17:53:28  0s        squash  root  squash-root-1201737208-qo5hQpRQ1zSgFFWg
02/18/2008 15:00:28  2s        squash  root  squash-root-1203368428-of7DLKntpnpctOFy
# sudosh-replay squash-root-1203368428-of7DLKntpnpctOFy 1 1
This user's entire session will now be replayed, allowing you to audit their activity.
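For routine review, the listing can be parsed and filtered before replaying anything. The following is an added example, not part of Sudosh2 or its documentation: it parses the listing format shown above, selects sessions by target user and login date, and builds the matching sudosh-replay argument lists. The function names, the last sample row, and the assumption that a non-interactive -c arg appears in the Duration column (possibly containing spaces) are all illustrative.

```python
import re
from datetime import datetime

# Constructed sample: the three rows shown above plus one made-up
# non-interactive row (assumed layout: the -c arg replaces the duration).
SAMPLE = """\
Date Duration From To ID
==== ======== ==== == ==
12/20/2007 11:30:24 9s squash root squash-root-1198171824-MYZLQcJJ8mSTn5Yq
01/30/2008 17:53:28 0s squash root squash-root-1201737208-qo5hQpRQ1zSgFFWg
02/18/2008 15:00:28 2s squash root squash-root-1203368428-of7DLKntpnpctOFy
02/19/2008 09:12:03 ls -l /tmp joeuser oracle joeuser-oracle-1203433923-AAAAconstructed0
"""

# Data rows start with MM/DD/YYYY HH:MM:SS; headers and separators do not.
ROW = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}:\d{2}\s")

def parse_listing(text):
    """Turn sudosh-replay listing text into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        f = line.split()
        if not ROW.match(line) or len(f) < 6:
            continue
        # From, To and ID are the last three fields; whatever sits between
        # the timestamp and them is the duration (or the -c arg).
        sessions.append({
            "login": datetime.strptime(f[0] + " " + f[1], "%m/%d/%Y %H:%M:%S"),
            "duration": " ".join(f[2:-3]),
            "from": f[-3], "to": f[-2], "id": f[-1],
            # In the sample, IDs begin with "<from>-<to>-"; record any mismatch.
            "id_matches": f[-1].startswith(f"{f[-3]}-{f[-2]}-"),
        })
    return sessions

def replay_commands(sessions, to_user, since, speed=1, max_idle=1):
    """Argument lists (no shell quoting needed) for sessions worth reviewing."""
    return [["sudosh-replay", s["id"], str(speed), str(max_idle)]
            for s in sessions
            if s["to"] == to_user and s["login"] >= since]

if __name__ == "__main__":
    for cmd in replay_commands(parse_listing(SAMPLE), "root", datetime(2008, 1, 1)):
        print(" ".join(cmd))
```

On a live system, feed parse_listing the captured output of sudosh-replay instead of SAMPLE and pass each argument list to subprocess.run.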