Photo by the blowup on Unsplash

Save sudo logs on a remote computer

Collection Point

The sudo tool lets users run programs with any account, as long as it has been allowed explicitly up front. Administrators can thus hand control over certain areas of the system to other users. For example, you could assign someone the rights in the sudo configuration file /etc/sudoers to create, delete, or modify users on a system with the visudo statement:

visudo <foobar> ALL=(ALL) /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod

If the <foobar> user now wants to execute one of these admin commands, they simply prepend the sudo command to the program to be executed. For newcomers to the world of sudo, a look at the help pages for the configuration file /etc/sudoers (man sudoers) is recommended to get an overview of how the sudo configuration can look in detail.

I/O Logging with sudo

A special feature of sudo is I/O logging, which lets you tell sudo to execute every command inside a pseudo-terminal to log all input and output. This feature is very useful if you want to create an audit trail for a user on the basis of certain compliance requirements. Previously, sudo could only store logfiles locally when generated in this way. However, since version 1.9, you can also store them on a remote machine.

To activate local logging of all inputs and outputs of a user session with visudo, add the Defaults log_output statement to the existing configuration. If a user now uses the sudo command, a new log is created for each session in the directory /var/log/sudo-io. If you prefer to store the logs in a different folder, you can specify the folder with the iolog_dir configuration option in the sudoers file. In addition to the user data, the logs also contain timestamps, so you can

Buy this article as PDF

Express-Checkout as PDF

Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES

Print Issues

Digital Issues

 

SUBSCRIPTIONS

Print Subs

Digisubs

 

TABLET & SMARTPHONE APPS

US / Canada

UK / Australia