Sudo Shell (`sudosh`) is a wrapper that runs a login shell through `sudo` for the purpose of session audit logging.
The `sudo` command provides built-in session logging: with the `log_output` option it records everything a command run through sudo prints, and `sudoreplay` plays those recordings back. Together they give an easy way to review session logs on a bastion host. When `sudosh` is installed as a user's system login shell, every session runs through `sudo` and is therefore logged; the user cannot opt out.
Another common pattern is to use the OpenSSH `ForceCommand` directive in `sshd_config` combined with the `script` command to log sessions. This is ineffective because the user can easily bypass it: the recording is produced by a process that runs as the user and is under the user's control. `sudosh` is a more secure alternative that does not depend on `ForceCommand`: the login shell itself is `sudosh`, however the user logged in, and the I/O log is written by the privileged `sudo` process rather than by anything the user controls. (A user who also holds unrestricted root on the host can still read or delete the logs there, so forward them off the box.)
Here's how to use it in three easy steps. Check out the precompiled releases if you don't want to build it yourself.
1. Enable `sudo` I/O logging. Create `/etc/sudoers.d/audit-logs` with:

   ```
   Defaults log_output
   Defaults!/usr/bin/sudoreplay !log_output
   Defaults!/sbin/reboot !log_output
   ```

   The first line records the output of every command run through `sudo`; the other two exclude `sudoreplay` (so that replaying a log does not itself produce a log) and `reboot`.

2. Add the command to `/etc/shells`:

   ```
   /usr/bin/sudosh
   ```

   Tip: to prevent users from logging in with other shells, remove those shells from `/etc/shells` (`chsh` refuses any shell not listed there).

3. Update the user `foobar` to use the `sudosh` shell:

   ```
   chsh -s /usr/bin/sudosh foobar
   ```
If you want to change the default shell from `bash` to something else (e.g. `zsh`), you can symlink `sudosh` to a different name. To run `zsh`, you could do:

```
ln -s /usr/bin/sudosh /usr/bin/sudosh.zsh
```

Then set the user's shell to `/usr/bin/sudosh.zsh` and add that path to `/etc/shells` as well.
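The three steps above, plus the `sudosh.zsh` variant, bundled into idempotent shell functions. This is an added example, not code from the sudosh project. The file paths are overridable so the functions can be exercised against scratch copies without root (`SUDOERS_FILE=/tmp/audit-logs SHELLS_FILE=/tmp/shells`); real use needs root. The assumption that a symlink named `sudosh.<shell>` makes `sudosh` run `<shell>` follows the page's `sudosh.zsh` example.

```shell
#!/bin/sh
# Added example (not part of the sudosh project): the three setup steps as
# idempotent functions. Paths default to the real system files but can be
# overridden for a dry run against scratch copies.
set -u

SUDOSH_BIN="${SUDOSH_BIN:-/usr/bin/sudosh}"
SUDOERS_FILE="${SUDOERS_FILE:-/etc/sudoers.d/audit-logs}"
SHELLS_FILE="${SHELLS_FILE:-/etc/shells}"

# Step 1: write the sudoers fragment that turns on I/O logging. sudoreplay is
# excluded so that replaying a recording does not itself get recorded. The file
# is syntax-checked with visudo -cf: a parse error in any sudoers fragment makes
# sudo refuse to run, which on a bastion means nobody can log in via sudosh.
write_audit_sudoers() {
    file="$1"
    printf '%s\n' \
        'Defaults log_output' \
        'Defaults!/usr/bin/sudoreplay !log_output' \
        'Defaults!/sbin/reboot !log_output' > "$file"
    chmod 0440 "$file"   # 0440 is the mode sudo expects for sudoers files
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$file" >/dev/null || return 1
    fi
}

# Step 2: register a login shell exactly once; chsh refuses shells not listed here.
add_login_shell() {
    shells="$1"; shell="$2"
    grep -qxF "$shell" "$shells" 2>/dev/null || printf '%s\n' "$shell" >> "$shells"
}

# The tip from step 2: keep only comments and the chosen shell in /etc/shells so
# chsh cannot switch anyone to an unlogged shell. This also affects admin accounts
# and any service that consults /etc/shells, so apply it deliberately.
restrict_login_shells() {
    shells="$1"; keep="$2"
    awk -v keep="$keep" '/^#/ || $0 == keep' "$shells" > "$shells.tmp" &&
        mv "$shells.tmp" "$shells"
}

# Step 3: point a user at the logged shell (needs root).
set_user_shell() {
    user="$1"; shell="$2"
    chsh -s "$shell" "$user"
}

# Variant from the page: a symlink named sudosh.<shell> (e.g. sudosh.zsh) makes
# sudosh launch that shell. Assumption: the suffix after the dot is the shell name.
install_shell_alias() {
    alias_path="$SUDOSH_BIN.$1"
    ln -sfn "$SUDOSH_BIN" "$alias_path"
    add_login_shell "$SHELLS_FILE" "$alias_path"
    printf '%s\n' "$alias_path"
}

# Usage:  sh setup-sudosh.sh foobar        (bash, the default)
#         sh setup-sudosh.sh foobar zsh    (via /usr/bin/sudosh.zsh)
main() {
    user="$1"; shell="${2:-}"
    write_audit_sudoers "$SUDOERS_FILE"
    add_login_shell "$SHELLS_FILE" "$SUDOSH_BIN"
    target="$SUDOSH_BIN"
    if [ -n "$shell" ]; then
        target=$(install_shell_alias "$shell")
    fi
    set_user_shell "$user" "$target"
    # After the user's next login the session appears in the I/O log index:
    #   sudoreplay -l user "$user"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run `sudoreplay -l user foobar` after the user's next login to confirm a session was recorded; if the list stays empty, check that the fragment was actually loaded (`sudo -l` as the user should show `log_output` under the matching defaults).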
The `sudosh` utility is maintained and funded by Cloud Posse, LLC. Like it? Please let us know at hello@cloudposse.com.
We love Open Source Software!
See our other projects or hire us to help build your next cloud platform.