Sudosh and Rootsh

The reason for sudosh and rootsh is to log all commands run in the root shell. This keeps the security people off your back and makes security audits go smoother. You need to do some sudoers tweaking to make sure root is only used through the rootsh or sudosh wrapper.

Rootsh is in most of the repos and is a more active project, but I found sudosh has a better playback. Rootsh also logs to syslog, which I don't think sudosh2 does. Logging to syslog gives you the ability to log remotely, which might be a requirement for some. Sudosh or Sudosh2 looks like a dead project, but it still works with new operating systems like CentOS 6.

Quick comparison of Rootsh to sudosh2.

Feature         Rootsh   Sudosh2
Playback        No       Yes
Logging         Yes      Yes
Log to syslog   Yes      No
RPM             Yes      Maybe

Some issues you might run into.

The rootsh RPM on Fedora doesn't create /var/log/rootsh, but a quick "sudo mkdir /var/log/rootsh" fixes that.

With sudosh2 you have to remove all blank lines in /etc/sudosh.conf or you get a segmentation fault, and sometimes you have to initialize LOGDIR.

Play with both and decide which is best for you. Once you have decided which you like best, add this helpful function to /etc/bashrc and make the necessary changes to /etc/sudoers.

Add this function to /etc/bashrc (if using rootsh, replace sudosh with rootsh):

sudo () {
    if [ "$1" = "su" ]; then
        shift                                       # remove the "su"
        if [ "$1" = "-" ]; then
            shift                                   # remove the "-"
        fi
        if [ "$#" = "0" ]; then
            /usr/bin/sudo /usr/bin/sudosh           # "sudo su" -> logged root shell
        else
            /usr/bin/sudo -u "$@" /usr/bin/sudosh   # "sudo su user" -> logged shell as that user
        fi
    else
        /usr/bin/sudo "$@"                          # anything else passes straight through to sudo
    fi
}

What's the above sudo function doing?

Once it's in /etc/bashrc and sourced, it allows you to use sudosh or rootsh without typing sudosh or rootsh every time. In conjunction with sudo it makes sudosh or rootsh transparent to most users. The function basically replaces the su command with sudosh by shifting the "su" (and any "-") off the argument list before calling the real sudo.

Add something like this to /etc/sudoers (if using rootsh, replace sudosh with rootsh):

## Substitute User
Cmnd_Alias SU = /bin/su

## Interactive shells
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/zsh, /bin/ksh, /bin/tcsh, /bin/csh, /usr/bin/perl, /usr/bin/php, \
/usr/bin/erb, /usr/bin/ruby, /usr/bin/python, /usr/bin/screen

## Pagers
Cmnd_Alias PAGERS = /bin/more, /usr/bin/pg, /usr/bin/less, /usr/bin/vim, /usr/bin/nano, /bin/vi, /bin/view, \
/bin/awk, /usr/bin/find, /usr/bin/crontab

## Allow group wheel to run sudo on all hosts but not sudo su
%wheel ALL=(ALL) NOPASSWD: ALL, !SU, !SHELLS, NOPASSWD:NOEXEC: PAGERS

Digging deeper into the %wheel line.

%wheel is anyone in the wheel group.
ALL=(ALL) NOPASSWD: allows wheel to run all commands on all hosts this sudoers config is on without a password.
ALL, allows all commands.
The !SU and !SHELLS entries will stop someone from becoming root without using sudosh. Keep in mind that sudoers(5) documents that excluding commands from ALL with ! only matches the listed path names, so treat it as a guard rail on top of the command logging rather than a hard boundary.
NOPASSWD:NOEXEC: PAGERS allows wheel to run the pager group of commands, but with NOEXEC so a user can't drop to a root shell from inside a pager or editor. This will break crontab -e, since it needs to exec an editor.
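To see how that %wheel line sorts commands, here is a small POSIX sh script (an added example, not part of the original post or of sudo) that models the evaluation sudo applies to it. The command lists are the Cmnd_Alias entries above; the rule modelled is sudoers' "last matching entry wins", which is why ALL comes first and the ! exclusions and the NOEXEC tag come after it. It is a simplified model: real sudo also matches hosts, run-as users, arguments and wildcards, and none of that is handled here.

```shell
#!/bin/sh
# Added example: a simplified model of sudo's evaluation of
#   %wheel ALL=(ALL) NOPASSWD: ALL, !SU, !SHELLS, NOPASSWD:NOEXEC: PAGERS
# Command lists are copied from the Cmnd_Alias entries in the post.

SU="/bin/su"
SHELLS="/bin/sh /bin/bash /bin/zsh /bin/ksh /bin/tcsh /bin/csh /usr/bin/perl \
/usr/bin/php /usr/bin/erb /usr/bin/ruby /usr/bin/python /usr/bin/screen"
PAGERS="/bin/more /usr/bin/pg /usr/bin/less /usr/bin/vim /usr/bin/nano /bin/vi \
/bin/view /bin/awk /usr/bin/find /usr/bin/crontab"

# in_list NEEDLE "LIST": succeed if NEEDLE is one of the space-separated words in LIST.
in_list () {
    needle=$1
    for word in $2; do
        [ "$word" = "$needle" ] && return 0
    done
    return 1
}

# wheel_decision /full/path/to/command
# Prints one of: allow, deny, allow-noexec.
# Walks the entries "ALL, !SU, !SHELLS, NOEXEC: PAGERS" in order and keeps the
# verdict of the last entry that matches, as sudoers does.
wheel_decision () {
    cmd=$1
    verdict=allow                                         # ALL matches everything
    in_list "$cmd" "$SU"     && verdict=deny              # !SU
    in_list "$cmd" "$SHELLS" && verdict=deny              # !SHELLS
    in_list "$cmd" "$PAGERS" && verdict=allow-noexec      # NOEXEC: PAGERS
    printf '%s\n' "$verdict"
}

# Walk a few commands through the policy and print the verdicts.
for c in /bin/su /bin/bash /usr/bin/less /usr/bin/crontab /usr/bin/sudosh /bin/ls; do
    printf '%-20s %s\n' "$c" "$(wheel_decision "$c")"
done
```

The interesting line is /usr/bin/sudosh: it is not excluded anywhere, so it falls through to ALL and is allowed, which is exactly what lets the /etc/bashrc wrapper work while "sudo su" and "sudo bash" are refused. Before putting the real file in place, check its syntax with "visudo -c -f /path/to/file" so a typo does not lock you out of sudo.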
