How to check the use of the sudo command in Linux

0
37


Find related required permissions f...
Find related required permissions for a permission in Salesforce
fatmawati achmad zaenuri / Shutterstock.com

the sudo The command gives a user superuser or root powers. You certainly gave them the “with great power comes great responsibility” speech. Here’s how to check if they listened or not.

The sudo command

the sudo command means “substitute user do”. Allows an authorized person to execute a command as if they were another user. You can take command line parameters, one of which is the name of the user you want the command to run as. The most common way sudo used is to override the command line options and use the default action. This effectively runs the command as the root user.

Use sudo this way requires special permission. Only the privileged can use sudo. When you install a modern Linux distribution, you are prompted to set a root password that you can use with sudo. Permission to do so is granted to the normal user you create during installation. This is the preferred way to handle access to root user capabilities. The old way was to create a root user and log in as them to manage your system.

This was a dangerous scenario. It was easy to forget to log out and log back in as your regular user, or to be too lazy to do so, when you no longer needed root privileges. Any mistake you’ve made in the terminal window as root will be executed, no matter how drastic. Things that would be blocked by the shell if a normal user tried to do them would certainly be executed when prompted by root. Using the root account instead of a regular account is also a security risk.

Wearing sudo focus the mind. She’s stepping into the same dangerous waters, but she’s consciously choosing to do so and hopefully being very careful. You only invoke your superuser state when you need to do something that needs them.

If you open root access to other users, you’ll want to know that they’re being as careful with them as you are. You don’t want them to execute commands recklessly or speculatively. The health and well-being of your Linux installation depends on privileged users behaving respectfully and responsibly.

Here are several ways to monitor your root usage.

The auth.log file

Some distributions keep an authentication log in a file called “auth.log”. With the advent and rapid adoption of systemd, removed the need for the “auth.log” file. the systemd-journal daemon consolidates the system logs into a new binary format and journalctl provides a way to examine or interrogate records.

If you have an “auth.log” file on your Linux computer, it will probably be in the “/var/log/” directory, although on some distributions the filename and path are “/var/log/audit/audit .Start session. “

You can open the file in less like this. Remember to adjust the path and filename to suit your distribution, and be prepared in case your Linux doesn’t even create an authentication file.

This command worked on Ubuntu 22.04.

less /var/log/auth.log

Looking at the /var/log/auth.log file with less

The log file opens and you can browse the file or use less’s built-in search functions to search for “sudo”.

The content of the /var/log/auth.log file displayed in less

Even using the search functions of lessit may take some time to locate the sudo tickets that interest you.

Let’s say we want to see what a user is calling mary have used sudo by. We can search the log file with grep for the lines with “sudo” on them, and then pipe the output through grep again and look for lines with “mary” in them.

Take note of the sudo before grep Y before the log file name.

sudo grep sudo /var/log/auth.log | grep "mary"

Using grep to filter entries that mention mary and sudo

This gives us lines that have “sudo” and “mary” in them.

We can see that the user mary was given sudo privileges at 3:25 p.m., and at 3:27 p.m. opens the fstab file in an editor. That’s the kind of activity that definitely warrants a deeper dive, starting with a conversation with the user.

Using diaryctl

The preferred method in systmdLinux-based Linux distributions is to use the journalctl command to review the system logs.

If we pass the name of a program to journalctl will search the registry files for entries containing references to that program. Because sudo is a binary located in “/usr/bin/sudo” we can pass that to journactl. the -e (end of locator) indicates the option journalctl to open the default file pager. Usually this will be less. The screen automatically scrolls down to show the most recent entries.

sudo journalctl -e /usr/bin/sudo

Use journalctl to find entries that mention sudo

The registry entries that present sudo are listed in minus.

journalctl showing entries containing sudo in file viewer minus

Use the “Right Arrow” key to scroll to the right to see the command that was used with each of the invocations of sudo. (Or stretch your terminal window to be wider.)

Scroll sideways to see the commands that were used with sudo

And because the output is shown in lessyou can search for text such as command names, user names, and timestamps.

RELATED: How to use journalctl to read Linux system logs

Using the GNOME Log Utility

Graphical desktop environments often include a means to review logs. We will look at the GNOME log utility. To access the logs utility, press the “Super” key to the left of the “space bar.”

Type “records” in the search field. The “Logs” icon appears.

Click the icon to launch the “Logs” application.

The GNOME Logs application

Clicking on the categories in the sidebar will filter the log messages by message type. To make more granular selections, click the “All” category in the sidebar, then click the magnifying glass icon in the toolbar. Enter some search text. Let’s search for “sudo”.

Finding Entries Containing Sudo in the GNOME Logs Application

The list of events is filtered to show only those events related to the sudo domain. A small gray block at the end of each line contains the number of entries in that event session. Click on a line to expand it.

The gray block that contains the number of entries in a sudo session

We clicked on the top line to see the details of the 24 entries in that session.

Event details displayed in an enlarged view

With a bit of scrolling, we can see the same events that we saw when we used the journalctl domain. User maryunexplained editing session fstab the file is found quickly. We could have searched for “mary”, but that would include entries other than her use of sudo.

Not everyone needs root access

Where there is a genuine and sensible requirement, give sudo privileges to other users may make sense. Similarly, it only makes sense to check the use (or abuse) of these powers, especially right after they’ve been granted.