
This is a question I've pondered for a long time and thought was impossible.

Is it possible to prevent administrators of a machine from bypassing the audit capabilities of sudo or doas? For instance, running sudo su - and having a root shell?

I suppose the real question is, is there a way to audit root's activity on a machine?

  • Don't add the user to the sudo group. If you have a real problem, please tell us. Otherwise the answer will only be don't give administrative rights to users that should not have administrative rights. Please also check: What is the XY Problem?
    – pLumo
    Commented Aug 9, 2021 at 5:28
  • Logging root activity is done outside the box: you connect as a normal and explicit user from a special host that will log all keyboard (or window) activities; only the security team can view the audit file.
    – Archemar
    Commented Aug 9, 2021 at 8:23
  • This question is too vague to give a good answer. For example, one answer is don't give "someone" any access to root at all. If you want, for example, someone to log in as root but not have a shell (let's say to do sftp only), there are ways to do that. You can put /sbin/nologin as the shell for that user. However, since we do not know what your use case is, there is no best answer. Commented Aug 15, 2021 at 19:05

2 Answers

Is it possible to prevent administrators of a machine from bypassing the audit capabilities of sudo or doas?

By definition, administrators of a machine have full access to everything within the machine, so they'll also be able to stop the audit process, tamper with the audit logfiles, etc.

If you need to monitor/audit someone, don't give them root access; rather, add the user to the sudoers file, allowing them the minimum set of commands necessary to accomplish their duties.
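A sudoers fragment, added here as an illustration and not part of the answer above, of the "minimum set of commands" approach: the unrestricted rule is shown commented out beside an allowlist with NOEXEC and session I/O logging. The user name alice, the nginx commands and the iolog path are assumptions chosen for the example.

```sudoers
# Weak: an unrestricted rule lets the operator run `sudo su -` or
# `sudo bash`, after which nothing they do is recorded per command.
# alice ALL=(ALL) ALL

# Preferred: name exactly the commands the operator needs, with fixed
# arguments, so each invocation is a separate audited sudo event.
Cmnd_Alias SVC_OPS = /usr/bin/systemctl restart nginx.service, \
                     /usr/bin/systemctl status nginx.service, \
                     /usr/bin/journalctl --no-pager -u nginx.service
Cmnd_Alias LOG_READ = /usr/bin/tail -n 100 /var/log/nginx/error.log

# NOEXEC stops the listed programs from executing other programs,
# which closes pager and editor shell escapes; the allowlist itself is
# what keeps shells and su out of reach.
alice ALL=(root) NOEXEC: SVC_OPS, LOG_READ

# Record the full terminal session of these commands, not only the
# command line, into an I/O log directory readable by root only.
Defaults:alice log_output, log_input
Defaults iolog_dir=/var/log/sudo-io
```

Validate the fragment with `visudo -cf <file>` before installing it, and check what alice can run with `sudo -l -U alice`.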


We can put a plug on the root:

sudo chsh root

And put the plug: /sbin/nologin or /bin/false. Necessarily with sudo.
Warning: otherwise we will not be able to change the settings back.

Or, on my Fedora system, there is a directory for scripts that run at login time: /etc/profile.d. Let's create a script called custom.
Arrange ID verification:

# sourced by the login shell; leave the shell when running as root (UID 0)
if [ "$UID" -eq 0 ]; then
    exit
fi

ls -l /etc/profile.d/custom

-rw-r--r-- 1 root root ...

You can also delete this file with sudo and execute other commands with sudo, but you will not be able to start the shell:

sudo rm /etc/profile.d/custom
  • This does not prevent sudo /bin/bash
    – doneal24
    Commented Aug 9, 2021 at 16:06
