Sudo is a very important tool on Linux systems, but many people do not know that its default settings are not very good for monitoring what people actually do. When someone uses sudo, the system only writes a log entry saying that this user ran this command; it does not show what the user typed inside that command. For example, if an attacker gets into a server and runs sudo vi to change the password file, the normal log only says they ran vi, not what they changed inside the file. This is a big problem for a security team doing an investigation, because they cannot see what really happened. If you want to make your server more secure, you should change this so that sudo records everything the user types and everything they see on the screen.
We will write a sudo configuration that records all input and output; this is called I/O logging. We must also make the password timeout shorter, because the default is too long, and if you leave your computer someone can run sudo without a password. But we must be careful, because some settings that people think are good actually break everything. Many guides on the internet say you must use requiretty, but this is bad advice because it breaks SSH when you try to run sudo from a script. I tried this before and it locked me out of my server when I tried to run automated commands, so we use use_pty instead, which is safer and does not break SSH.
To do this we need to create a new configuration file inside the sudoers.d folder. Sudo has a folder where we can put extra settings without touching the main file. This is much better, because if we edit the main file and make a typo, sudo stops working and we are in big trouble.
Here is a step-by-step guide to making this work on your Linux server.
Step 1: Write the configuration file
We will use the tee command to write the new configuration file. This is a good way to do it because it takes only one command. We will save it as /etc/sudoers.d/50-cfg-logging. Run this command in your terminal:
sudo tee /etc/sudoers.d/50-cfg-logging > /dev/null <<'EOF'
Defaults log_input, log_output
Defaults iolog_dir="/var/log/sudo-io/%{user}"
Defaults log_subcmds, log_exit_status
Defaults use_pty
Defaults timestamp_timeout=5
EOF
Now let me explain what each line of this configuration does, because it is not good to just copy and paste things from the internet without knowing what they do.
The first line is Defaults log_input, log_output. This is the most important part, because it tells sudo to record everything the user types on the keyboard and everything the program prints on the terminal screen. It is like a video recording of the terminal session.
The second line is Defaults iolog_dir="/var/log/sudo-io/%{user}". This line tells sudo where to save the recording files. The %{user} part is very useful because sudo replaces it with the name of the user who ran sudo, so if Bob runs sudo the logs go into the bob folder, and if Alice runs sudo they go into the alice folder. This makes it very easy to find who did what.
The third line is Defaults log_subcmds, log_exit_status. This is also very good: if the user runs a command that runs other commands inside it, sudo logs those sub-commands too. It also records whether the command finished successfully or with an error code, which is very useful for debugging.
The fourth line is Defaults use_pty. This is the setting that makes everything work without breaking anything. It runs the command in a pseudo-terminal (pty). Why do we do this? Because it makes sure the logging works properly and we do not need requiretty. Do not use requiretty, because if you use ssh like "ssh user@host sudo command" it fails with an error since there is no real tty. use_pty, on the other hand, does not break SSH.
The fifth line is Defaults timestamp_timeout=5. This means sudo remembers your password for only 5 minutes. If you do not use sudo for 5 minutes, it asks for the password again. The default is often 15 minutes, which is too long because someone can get to your computer in that time.
Step 2: Check for syntax errors
This is the most important step in all of Linux system administration, because one tiny mistake in a sudoers file breaks sudo completely. If sudo is broken, you cannot use it to fix the file again. It is like locking your keys inside the car. So you must run this command to check that the file we made is correct:
sudo visudo -c -f /etc/sudoers.d/50-cfg-logging
This command uses -c, which means check only, and -f, which points to our new file. If the terminal says the file is OK, you can relax. If it reports a syntax error, do not log out! Fix the file immediately or delete it.
Step 3: Test and see the logs
Now we want to test whether our work is working. You can run any command with sudo. For example, run this command:
sudo cat /etc/sudoers
After you run it, sudo creates logs inside the directory we chose. Go to /var/log/sudo-io/ and look inside. You will see a folder named after your username. Inside it are directories and files with generated names; these are the log files. You cannot read them with the normal cat command, because they are saved in a special format.
Step 4: Replay the session with sudoreplay
To read the logs and see what the user did, Linux has a special tool called sudoreplay. It can play the session back like a video. To do this you first need to find the ID of the session; you can see the list of logs in the directory. When you have the ID, run this command to play it:
sudo sudoreplay TS_ID
Replace TS_ID with the real folder name or ID of the log. This command shows you exactly what the user typed and what they saw, at the same speed they did it. It is very cool and very helpful when someone makes a mistake on a server and you want to see exactly what they did.
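As an added example (not part of this guide and not sudo's own code), here is a small Python script that walks a log tree laid out as iolog_dir="/var/log/sudo-io/%{user}", lists who ran what and when from each session's legacy log file, and flags sessions that touched sensitive files. It assumes the legacy log file's first line is epoch:user:runas_user:runas_group:tty:lines:cols, followed by the working directory and the command; the sample tree it builds is constructed, not real data.

```python
import os
import tempfile
from datetime import datetime, timezone

# Paths worth a second look when reviewing sessions (constructed list for this example).
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/sudoers")

def parse_session_log(path):
    """Parse one session's legacy 'log' file (format assumed as in the lead-in)."""
    with open(path) as fp:
        header, cwd, command = fp.read().split("\n")[:3]
    epoch, user, runas_user, runas_group, tty, lines, cols = header.split(":")
    return {
        "epoch": int(epoch),
        "when": datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat(),
        "user": user, "runas": runas_user, "group": runas_group,  # group may be empty
        "tty": tty, "cwd": cwd, "command": command,
        "review": any(p in command for p in SENSITIVE),
    }

def inventory(iolog_root):
    """Collect every <root>/<user>/<seq>/log session and sort them by time."""
    sessions = []
    for dirpath, _dirs, files in os.walk(iolog_root):
        if "log" in files:
            sessions.append(parse_session_log(os.path.join(dirpath, "log")))
    return sorted(sessions, key=lambda s: s["epoch"])

def build_sample_tree():
    """Write a constructed two-user log tree into a temp dir and return its root."""
    root = tempfile.mkdtemp()
    samples = {
        "bob/00/00/01": "1700000000:bob:root::/dev/pts/0:24:80\n/home/bob\n/usr/bin/vi /etc/passwd\n",
        "alice/00/00/01": "1700003600:alice:root::/dev/pts/2:50:120\n/home/alice\n/usr/bin/systemctl restart nginx\n",
    }
    for rel, content in samples.items():
        os.makedirs(os.path.join(root, rel))
        with open(os.path.join(root, rel, "log"), "w") as fp:
            fp.write(content)
    return root

if __name__ == "__main__":
    for s in inventory(build_sample_tree()):
        flag = "REVIEW" if s["review"] else "ok"
        print(s["when"], s["user"], "->", s["runas"], s["command"], flag)
```

Because iolog_dir here ends in %{user}, sudoreplay has to be pointed at the per-user directory: sudoreplay -d /var/log/sudo-io/bob -l lists Bob's sessions with their IDs, and sudoreplay -d /var/log/sudo-io/bob ID replays one of them.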
I want to talk more about why requiretty is very bad. When I was learning Linux, I read a blog that said "always use requiretty for security". I copied that and put it on my server. Then my automatic backup script, which runs from my home PC over ssh, stopped working. It said "sudo: sorry, you must have a tty to run sudo". I was very confused and angry. I researched for many hours and found out that requiretty is old and deprecated. The sudo developers even say not to use it anymore. But use_pty is modern and gives you all the security, because it forces a pseudo-terminal for the command, so the I/O logging can capture everything anyway. This is a much better way.
Also about timestamp_timeout: some people like to set it to 0. If you set it to 0, sudo asks for the password every single time you run it. This is very secure, but it is also very annoying if you have to run many commands. I think 5 minutes is a good balance: not so short that it drives you crazy, but not so long that it is dangerous. If you leave your desk to get coffee, 5 minutes is short enough that your friend cannot run bad commands on your laptop.
Let's talk about where the logs are saved. The directory /var/log/sudo-io must be protected. Normal users must not be able to read this folder, because if they can, they can see secret things that other people typed. Only the root user should have permission to read it. Sudo usually sets the correct permissions automatically, but you should double-check with the ls -l command. The permissions should be very restricted.
If you have many servers, saving logs locally on the machine can be a problem if an attacker gains full root access, because as root they can simply delete the files in /var/log/sudo-io/ to hide their tracks. For very high security, some people send these logs to a central log server, but that is more complicated. For a simple server, local logging is still much better than nothing, because most mistakes are made by junior administrators or simple scripts, not by expert attackers who delete all the logs.
In conclusion, changing the sudo default settings is very easy and makes your server much safer. By recording what people type and what they see, you can always find out what happened when there is a problem. Just remember to always test with visudo -c so you do not lock yourself out, and do not use requiretty because it is old and breaks SSH scripts. Using use_pty is the modern way to do it.
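The checks from the line-by-line explanation of the configuration and from the requiretty and timeout discussion above, as an added Python example (not part of this guide and not sudo's code): it parses the Defaults lines of a fragment like /etc/sudoers.d/50-cfg-logging and reports what is missing or dangerous. GOOD is the Step 1 fragment, BAD is a constructed one, and the parsing is a simplified reading of sudoers(5) syntax that does not replace visudo -c.

```python
"""Audit a sudoers Defaults fragment such as /etc/sudoers.d/50-cfg-logging for the I/O-logging
settings explained above and the requiretty pitfall. Added example; simplified sudoers(5) parsing."""
# GOOD is the fragment from Step 1; BAD is constructed with the mistakes the text warns about.
GOOD = """Defaults log_input, log_output
Defaults iolog_dir="/var/log/sudo-io/%{user}"
Defaults log_subcmds, log_exit_status
Defaults use_pty
Defaults timestamp_timeout=5
"""
BAD = """Defaults requiretty    # breaks 'ssh host sudo cmd': no tty there
Defaults log_output, !log_input
Defaults timestamp_timeout=60
"""

def parse_defaults(text):
    """Map each global Defaults option to True (flag), False ('!flag') or its value."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                     # drop comments
        # only global Defaults: skip Defaults@host, Defaults:user, Defaults!cmnd, Defaults>runas
        if not line.startswith("Defaults") or line[8:9] in ("@", ":", "!", ">"):
            continue
        for item in line[8:].split(","):
            item = item.strip()
            if "=" in item:
                name, value = item.split("=", 1)
                opts[name.strip()] = value.strip().strip('"')
            elif item.startswith("!"):
                opts[item[1:]] = False
            elif item:
                opts[item] = True
    return opts

def audit(text, max_timeout=5):
    """Return findings; an empty list means the fragment matches this page's advice."""
    opts, findings = parse_defaults(text), []
    for flag in ("log_input", "log_output", "use_pty"):
        if opts.get(flag) is not True:
            findings.append("missing: Defaults " + flag)
    if opts.get("requiretty") is True:
        findings.append("requiretty set: sudo over non-interactive ssh fails; use use_pty")
    if "iolog_dir" not in opts:
        findings.append("iolog_dir not set: sudo's built-in default directory is used")
    timeout = opts.get("timestamp_timeout")
    if timeout is None:
        findings.append("timestamp_timeout not set: the distribution default applies")
    elif float(timeout) > max_timeout:
        findings.append("timestamp_timeout=%s exceeds %s minutes" % (timeout, max_timeout))
    return findings
```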
