wiki

User Tools

Site Tools

Trace: aix_sudo
aix:aix_sudo

This is an old revision of the document!

SUDO options

##
# Override builtin defaults
##
Defaults               syslog=auth
Defaults               logfile=/var/log/sudo.log

The other way to preserve system environment variables is to use the Defaults !env_reset directive, like in sudoers: 

Defaults !env_reset

For instance, suppose sudo was stripping out the application variables DSTAGE_SUP and DSTAGE_META from one of my suodo-ised scripts. To preserve these variables, I could put the following entries in sudoers: 

Defaults env_keep += "DSTAGE_SUP"
Defaults env_keep += "DSTAGE_META"

Notice that I give the variable name and not the variable value. The values are already contained in my script like this:

export DSTAGE_SUP=/opt/dstage/dsengine; export DSTAGE_META=/opt/dstage/db2

Now when the sudo script is executed, the above environment variables are preserved. Securing the sudo path

A default PATH within sudoers can be imposed using the secure_path directive. This directive specifies where to look for binaries and commands when a user executes a sudo command. This option clearly tries to lock down specific areas where a user runs a sudo command, which is good practice. Use the following directive in sudoers, specifying the secure PATH with its search directories:

Defaults secure_path=“/usr/local/sbin:/usr/local/bin:/opt/freeware/bin:/usr/sbin”

Timeout with sudo

Sudo has a feature that uses time tickets to determine how long since the last sudo command was run. During this time period, the user can re-run the command without being prompted for the password (that's the user's own password). Once this time allotment has ended, the user is prompted for the password again to re-run the command. If the user gives the correct password, the command is executed, the ticket is then re-set, and the time clock starts all over again. The ticket feature will not work if you have NOPASSWD in the user's entry in sudoers. The default timeout is five minutes. If you wish to change the default value, simply put an entry in sudoers. For example, to set the timeout value for user “bravo” on any commands he runs to 20 minutes, you could use:

Defaults:bravo timestamp_timeout=20

Log it

All commands run as sudo are logged using syslog to /var/adm/messages using the entry in the /etc/syslog.conf file: 

*.debug   /var/adm/messages

However, I believe sudo commands should be logged to a separate file, which makes it easier to view and investigate sudo commands that have been run. Of course, this also helps with keeping an eye on failed sudo events. Create the file /var/adm/sudo.log, and then in the /etc/sudoers file, put the following entry: 

Defaults logfile=/var/adm/sudo.log
Defaults !syslog

Example to rotate mailbox 

/var/spool/mail/* 
{
           monthly
           rotate 2
           olddir /var/log/news/old
           missingok
}
aix/aix_sudo.1609532524.txt.gz · Last modified: 2021/01/01 21:22 by 127.0.0.1

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
GNU Free Documentation License 1.3 Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki