UNIX and Linux Auditing using sudo
How sudo auditing is setup and started:
As we all know, sudo is not an auditing tool by nature. Its core purpose is for enabling non-root users to run root commands. But sudo can be used for auditing as well, by configuring it to record the session and store it.
'sudo' comes preinstalled in Solaris 11 [sudo(1M)] and Linux [sudo(8)], and can be easily downloaded for installation in Solaris 10 via OpenCSW. (ex: pkgadd -d http://get.opencsw.org/now and /opt/csw/bin/pkgutil -i screen sudo)
What sudo can record:
sudo can record the entire interactive session by logging all the commands used, and can store the session info in a home directory or remote machine, for future viewing/auditing.
Security and audit implications:
The entire session can be replayed later in both normal and fast forward modes, using sudoreplay. This shows exactly what happened in the session and also shows who the specific user was. However, you cannot see the underlying system calls and you also do not get information about whether each command succeeded, unless there is explicit screen output that says so.
More importantly, sudo bash can be used to bypass sudo (or 'fool' the audit), so it is not entirely reliable.
When to use sudo:
This method is very effective for answer the question 'Who is using / abusing sudo'. In other words, if you have specific issue only surrounding root activity of non-root users, then sudo is effective. If you need a more holistic audit that also covers actions of normal users, you'll need to merge multiple audit sources.