sudosh

Submitted by doug on Wed, 2006-11-15 22:15. Operating System | Security

Sudosh records all keystrokes and output and can play back the session just like a VCR.

Mon, 2004-09-20 19:12

security shell filter playback

Stable

sudosh is used with sudo(8) to exec the user's shell specified in /etc/passwd as root. sudosh makes use of the built-in script(5) command to log session data to syslog.

Companies that have a team of system administrators and a large number of servers face a difficult problem: root access.

The most common solution is to distribute the root password to the system administrators and contain them in a wheel group. With the recent requirements of Sarbanes-Oxley this quickly becomes impossible, because the root password must be changed every 3 months.

The other option is to use sudo. Sudo works great. It's actually too good. This is why I created sudosh. Sudo doesn't allow you to do the shell-type things that system administrators are used to. The following example is a real command used during an AIX data migration:

# lsdev -Cc disk | grep SSA | awk '{print $1}' | while read disk
> do
> rmdev -dl $disk
> done

This example is literally impossible to do with sudo unless you experiment with shell escapes and figure out the entry and exit points of where sudo needs to sit within the command line.

sudosh is very simple in design. It comes in two parts: sudosh and sudoshd. sudosh is the program you call from sudo:

$ sudo sudosh
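The sudoers entry is what makes this a real control rather than a convenience: the administrators' group is granted sudosh and nothing else, so the recorded shell is their only path to root. This is an added illustration, not a file shipped with sudosh; the install path /usr/local/bin/sudosh and the group name wheel are assumptions.

```text
# /etc/sudoers, edited with visudo. Assumed install path and group name.
# Members of wheel may start a recorded root shell and may not run
# anything else through sudo, so there is no unrecorded route to root.
%wheel  ALL = (root) /usr/local/bin/sudosh
```

Check the effective policy with `sudo -l` as a member of the group: the only command listed should be sudosh. If a line such as `%wheel ALL=(ALL) ALL` is also present, the recording can be bypassed simply by running `sudo -s`.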

In brief, sudosh creates a secure, temporary FIFO and calls the UNIX command script(5), giving the FIFO as the argument. sudosh then calls sudoshd, which is a per-instance daemon that reads the FIFO and logs the output to syslog. The important note is that sudosh doesn't require a daemon running all the time. sudoshd is called on a per-instance basis. If 5 users are using sudosh, there will be 5 instances of sudoshd. sudosh passes command line arguments to sudoshd so sudoshd can keep track of information such as who the user is and where the FIFO is.
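The sudosh/sudoshd split described above, as an added shell example that is not code from the sudosh distribution. It keeps the three pieces that matter for security: a per-session private directory holding the FIFO (so another local user can neither read the stream nor pre-create the FIFO), a per-instance reader that tags every line with the invoking user and a session id, and a producer that copies the session output into the FIFO while the user still sees it. Two substitutions are made so it runs anywhere offline: the reader appends to a log file where sudoshd would write to syslog (swap in `logger -t sudosh` for the `printf`), and a `tee` pipeline stands in for script(1). Function names, the directory template and the log format are all assumptions.

```shell
#!/bin/sh
# Added illustration of the sudosh design (not the project's own code).
# Assumed names: make_session_fifo, session_reader, record_session.

# Create a mode-0700 directory and a mode-0600 FIFO inside it. mktemp -d
# already gives a private directory; the umask keeps the FIFO private too.
make_session_fifo() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/sudosh.XXXXXX") || return 1
    chmod 700 "$dir" || return 1
    (umask 077 && mkfifo "$dir/fifo") || return 1
    printf '%s\n' "$dir/fifo"
}

# Per-instance reader (the sudoshd role): one reader per session, started
# for that session and gone when its FIFO hits EOF. Every line is prefixed
# with a UTC timestamp, the session id and the user, then appended to $3.
# sudoshd would hand each line to syslog instead of a file.
session_reader() {
    fifo=$1; user=$2; logfile=$3
    sid=$(basename "$(dirname "$fifo")")
    while IFS= read -r line; do
        printf '%s sudosh[%s] user=%s %s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$sid" "$user" "$line"
    done < "$fifo" >> "$logfile"
}

# Run a command with combined stdout/stderr copied into the FIFO while it
# still reaches the terminal (the script(1) role in sudosh). Usage:
#   record_session <user> <logfile> <command> [args...]
record_session() {
    user=$1; logfile=$2; shift 2
    fifo=$(make_session_fifo) || return 1
    session_reader "$fifo" "$user" "$logfile" &
    reader=$!
    "$@" 2>&1 | tee "$fifo"
    # tee closes the FIFO when the command exits; the reader sees EOF,
    # flushes its last line and terminates, so wait for it before cleanup.
    wait "$reader"
    rm -rf "$(dirname "$fifo")"
}
```

Because each session gets its own directory and its own reader, five concurrent users produce five independent FIFOs and five readers, and the session id in every log line lets the sessions be separated again afterwards. One caveat a practitioner should keep in mind: this records what the command writes, not a full pty session, so control characters and interactive editing are only captured once you put script(1) back in place of the `tee` pipeline.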

sudosh supports concurrent users without a problem. sudoshd comes with utilities that allow you to preview sudosh sessions and also view the detailed output of each session.

Feedback, contributions, flames and developers are welcome.

Thank you for reading this announcement,
