The sudo command gives a user superuser, or root, powers. You certainly gave them the “with great power comes great responsibility” speech. Here’s how to check whether they listened.
The sudo command
sudo stands for “substitute user do”. It allows an authorized person to execute a command as if they were another user. It can take command line parameters, one of which is the name of the user you want the command to run as. The most common way sudo is used is to omit the command line options and use the default action. This effectively runs the command as the root user.
Using sudo this way requires special permission. Only the privileged can use sudo. When you install a modern Linux distribution, you are prompted to set a root password that you can use with sudo. Permission to do so is granted to the normal user you create during installation. This is the preferred way to handle access to root user capabilities. The old way was to create a root user and log in as them to manage your system.
This was a dangerous scenario. It was easy to forget to log out and log back in as your regular user, or to be too lazy to do so, once you no longer needed root privileges. Any mistake you make in the terminal window as root will be carried out, no matter how drastic. Things that would be blocked by the shell if a normal user tried them will certainly be executed when root asks for them. Using the root account instead of a regular account is also a security risk.
Using sudo focuses the mind. You’re stepping into the same dangerous waters, but you’re consciously choosing to do so and, hopefully, being very careful. You only invoke your superuser powers when you need to do something that requires them.
If you open root access to other users, you’ll want to know that they’re being as careful with it as you are. You don’t want them to execute commands recklessly or speculatively. The health and well-being of your Linux installation depends on privileged users behaving respectfully and responsibly.
Here are several ways to monitor your root usage.
The auth.log file
Some distributions keep an authentication log in a file called “auth.log”. The advent and rapid adoption of systemd removed the need for the “auth.log” file. The systemd-journal daemon consolidates the system logs into a new binary format, and journalctl provides a way to examine or interrogate those records.
If you have an “auth.log” file on your Linux computer, it will probably be in the “/var/log/” directory, although on some distributions the filename and path are “/var/log/audit/audit.log”.
You can open the file in less like this. Remember to adjust the path and filename to suit your distribution, and be prepared in case your Linux doesn’t even create an authentication file.
This command worked on Ubuntu 22.04.
The log file opens and you can browse the file or use less’s built-in search functions to search for “sudo”.
Even using the search functions of less, it may take some time to locate the sudo entries that interest you.
Let’s say we want to see what a user called mary has used sudo for. We can search the log file with grep for the lines with “sudo” on them, and then pipe the output through grep again to look for lines with “mary” in them.
Note that sudo appears twice in the command: the first runs grep with root privileges so it can read the log file, and the second is the search string that comes before the log file name.
sudo grep sudo /var/log/auth.log | grep "mary"
This gives us the lines that have both “sudo” and “mary” in them.
We can see that the user mary was given sudo privileges at 3:25 p.m., and at 3:27 p.m. opened the fstab file in an editor. That’s the kind of activity that definitely warrants a deeper dive, starting with a conversation with the user.
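The grep pipeline above answers one question for one user. The script below is an added example, not part of the original article, that generalizes it: it applies the article’s two-stage grep, then narrows the match to the lines where sudo actually ran something (those carry a COMMAND= field) and anchors on the user name in the position sudo logs it, so a user name that merely appears inside someone else’s command line is not counted. The log lines are constructed for the example and written to a temporary file; on a real machine you would read /var/log/auth.log, which requires root.

```shell
#!/bin/sh
# Added example (not from the original article): pull one user's sudo activity
# out of an auth.log-style file and list when and what they ran.
# The log lines below are constructed for this example. On a real machine you
# would point AUTH_LOG at /var/log/auth.log, which needs root (sudo) to read.

AUTH_LOG=$(mktemp)                       # hypothetical stand-in for /var/log/auth.log
trap 'rm -f "$AUTH_LOG"' EXIT
cat > "$AUTH_LOG" <<'EOF'
Jun 10 15:25:01 host sudo:     mary : TTY=pts/1 ; PWD=/home/mary ; USER=root ; COMMAND=/usr/bin/apt update
Jun 10 15:25:01 host sudo: pam_unix(sudo:session): session opened for user root(uid=0) by mary(uid=1001)
Jun 10 15:26:30 host sshd[812]: Accepted password for mary from 192.0.2.10 port 51234 ssh2
Jun 10 15:27:12 host sudo:     mary : TTY=pts/1 ; PWD=/home/mary ; USER=root ; COMMAND=/usr/bin/nano /etc/fstab
Jun 10 15:28:40 host sudo:     dave : TTY=pts/2 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jun 10 15:29:05 host sudo:     mary : TTY=pts/1 ; PWD=/home/mary ; USER=root ; COMMAND=/usr/bin/apt upgrade
EOF

# The article's two-stage pipeline: every line mentioning both sudo and the user.
# This also returns the PAM "session opened ... by mary" lines, not just commands.
sudo_lines_for_user() {                  # $1 = log file, $2 = user
    grep sudo "$1" | grep "$2"
}

# Narrower: only the lines where sudo ran a command (they carry COMMAND=),
# restricted to one user when $2 is given. sudo logs the invoking user between
# "sudo:" and " :", so anchor on that instead of matching the name anywhere.
sudo_commands() {                        # $1 = log file, $2 = user (optional)
    who="${2:-[A-Za-z0-9_.-]+}"
    grep -E "sudo: +${who} : .*COMMAND=" "$1"
}

# One line per invocation: timestamp, user, command.
sudo_summary() {                         # $1 = log file, $2 = user (optional)
    sudo_commands "$1" "$2" |
        sed -E 's/^([A-Za-z]+ +[0-9]+ [0-9:]+) [^ ]+ sudo: +([^ ]+) :.*COMMAND=(.*)$/\1 \2 \3/'
}

# Number of commands a user ran through sudo (all users when $2 is omitted).
count_sudo_commands() {                  # $1 = log file, $2 = user (optional)
    sudo_commands "$1" "$2" | wc -l | tr -d ' '
}

sudo_summary "$AUTH_LOG" mary
```

Run as written, the last line prints the three commands mary ran, including the 15:27 edit of /etc/fstab that the article singles out. The same patterns apply to journalctl’s default short output, which follows the same syslog-style layout, so the functions also work on a saved copy of the journalctl output from the next section.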
Using journalctl
The preferred method on systemd-based Linux distributions is to use the journalctl command to review the system logs.
If we pass the name of a program to journalctl, it will search the journal files for entries containing references to that program. Because sudo is a binary located at “/usr/bin/sudo”, we can pass that path to journalctl. The -e (pager end) option tells journalctl to open the default file pager, usually less, with the screen scrolled to show the most recent entries.
sudo journalctl -e /usr/bin/sudo
The journal entries that mention sudo are listed in less.
Use the “Right Arrow” key to scroll to the right to see the command that was used with each invocation of sudo. (Or stretch your terminal window to be wider.)
And because the output is shown in less, you can search for text such as command names, user names, and timestamps.
Using the GNOME Log Utility
Graphical desktop environments often include a means to review logs. We will look at the GNOME log utility. To access the logs utility, press the “Super” key to the left of the “space bar.”
Type “logs” in the search field. The “Logs” icon appears.
Click the icon to launch the “Logs” application.
Clicking on the categories in the sidebar will filter the log messages by message type. To make more granular selections, click the “All” category in the sidebar, then click the magnifying glass icon in the toolbar. Enter some search text. Let’s search for “sudo”.
The list of events is filtered to show only those related to the sudo command. A small gray block at the end of each line contains the number of entries in that event session. Click on a line to expand it.
We clicked on the top line to see the details of the 24 entries in that session.
With a bit of scrolling, we can see the same events that we saw when we used the journalctl command. User mary’s unexplained editing session on the fstab file is found quickly. We could have searched for “mary”, but that would include entries other than her use of sudo.
Not everyone needs root access
Where there is a genuine and sensible requirement, giving sudo privileges to other users may make sense. It makes just as much sense to check the use (or abuse) of those powers, especially right after they’ve been granted.