How to examine the use of the sudo command in Linux
The sudo command gives a user superuser, or root, powers. You may have given them the “with great power comes great responsibility” speech. Here’s how to check whether they listened.
The sudo command
The sudo command’s name means “superuser do”. It allows an authorized person to execute a command as if they were another user. It can take command line parameters, one of which is the name of the user you want the command to run as. The most common way sudo is used is to omit the command line options and use the default action, which effectively runs the command as the root user.
Using sudo this way requires special permission. Only the privileged can use sudo. When you install a modern Linux distribution, you are prompted to set up a root password which you can use with sudo. Permission to do so is granted to the regular user you create during installation. This is the preferred method for managing access to root user functionality. The old way was to create a root user and log in as them in order to administer your system.
That was a dangerous scenario. It was easy to forget, or to be too lazy, to log out and log back in as the regular user when you no longer needed root privileges. Any mistakes you made in the terminal window as root would be executed, no matter how drastic. Things that the shell would block if a regular user tried to do them would run without question when root asked for them. Using the root account instead of a normal account also poses a security risk.
Using sudo focuses the mind. You are entering the same dangerous waters, but you consciously choose to do so and, hopefully, are very careful. You only invoke your superuser status when you need to do something that requires it.
If you open root access to other users, you want to know that they take as much care with it as you do. You don’t want them executing commands recklessly or speculatively. The health and well-being of your Linux installation depends on the respectful and responsible behavior of privileged users.
Here are several ways to monitor their root usage.
The auth.log file
Some distributions maintain an authentication log in a file called “auth.log”. With the advent and rapid adoption of systemd, the need for the “auth.log” file has been removed. The systemd-journald daemon consolidates system logs into a new binary format, and journalctl allows you to review or query the logs.
If you have an “auth.log” file on your Linux machine, it will probably be in the “/var/log/” directory, although on some distros the filename and path are “/var/log/audit/audit.log”.
You can open the file in less like this. Don’t forget to adjust the path and file name according to your distro, and be prepared in case your Linux doesn’t even create an authentication log file.
This command worked on Ubuntu 22.04.
The log file is open and you can scroll through the file or use the search functions built into less to search for “sudo”.
Even with the search functions of less, you still have to find the location of the sudo entries that interest you.
Let’s say we want to see what a user has called sudo for. We can search the log file with grep for lines containing “sudo”, then pipe the output to grep again and look for lines containing “mary”. Note that sudo appears before grep and before the log file name.
sudo grep sudo /var/log/auth.log | grep "mary"
This gives us the lines that contain both “sudo” and “mary”.
We see that the user mary was given sudo privileges at 3:25 p.m., and that at 3:27 p.m. she opened the fstab file in an editor. This is the type of activity that definitely warrants a deeper dive, starting with a conversation with the user.
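As an added example that is not part of the original article, the small Python parser below reads the standard sudo log line format found in auth.log and pulls out the invoking user, timestamp, target user and command, so one user’s invocations (and any rejected attempts) can be listed without scrolling through less. The log lines are constructed for the example, and the SENSITIVE_PATHS list is an assumption about which files merit a follow-up conversation.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines in the standard sudo log format (not taken from the article).
SAMPLE_AUTH_LOG = """\
Mar  3 15:25:02 host sudo:     mary : TTY=pts/1 ; PWD=/home/mary ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 15:25:02 host sudo: pam_unix(sudo:session): session opened for user root(uid=0) by mary(uid=1001)
Mar  3 15:26:40 host sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 15:27:13 host sudo:     mary : TTY=pts/1 ; PWD=/home/mary ; USER=root ; COMMAND=/usr/bin/nano /etc/fstab
Mar  3 15:27:13 host sudo: pam_unix(sudo:session): session opened for user root(uid=0) by mary(uid=1001)
Mar  3 15:30:55 host sudo:     mary : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/mary ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
"""

# sudo command lines: "<user> : [<reason> ;] TTY=... ; PWD=... ; USER=... ; COMMAND=..."
# The optional <reason> is present on rejected attempts (bad password, not in sudoers).
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) :"
    r"(?: (?P<reason>[^;]+?) ;)? TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)

# Assumed list of files whose editing or reading via sudo deserves a closer look.
SENSITIVE_PATHS = ("/etc/fstab", "/etc/shadow", "/etc/sudoers", "/etc/passwd")


def parse_sudo_entries(log_text):
    """Return one dict per sudo command line; pam_unix session lines do not match and are skipped."""
    return [m.groupdict() for m in map(SUDO_RE.match, log_text.splitlines()) if m]


def commands_by_user(entries, user):
    """The equivalent of grep sudo ... | grep <user>, but matching the invoking user field only."""
    return [e for e in entries if e["user"] == user]


def flag_sensitive(entries):
    """Entries that were rejected (reason set) or whose command touches a sensitive path."""
    return [e for e in entries
            if e["reason"] or any(p in e["command"] for p in SENSITIVE_PATHS)]


def summarize(log_text):
    """Per-user count of sudo command invocations in the log text."""
    counts = defaultdict(int)
    for e in parse_sudo_entries(log_text):
        counts[e["user"]] += 1
    return dict(counts)
```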
The preferred method on systemd-based Linux distributions is to use the journalctl command to examine the system logs.
If we pass the name of a program to journalctl, it will search the log files for entries that reference that program. Because sudo is a binary located at “/usr/bin/sudo”, we can pass that path to journalctl. The -e (--pager-end) option tells journalctl to open the default file pager, which is usually less, with the display scrolled to the end so that the most recent entries are shown.
sudo journalctl -e /usr/bin/sudo
The journal entries that include sudo are listed in less.
Use the “Right Arrow” key to scroll right and see the command that was used with each invocation of sudo. (Or stretch your terminal window to make it wider.)
And because the output is displayed in less, you can search for text such as command names, usernames, and timestamps.
Using the GNOME Logs Utility
Graphical desktop environments usually include a way to view logs. We are going to look at the GNOME Logs utility. To access it, press the “Super” key to the left of the spacebar.
Type “logs” in the search field. The “Logs” icon appears.
Click on the icon to launch the “Logs” application.
Click the categories in the sidebar to filter log entries by type. To make a more precise selection, click the “All” category in the sidebar, then click the magnifying glass icon in the toolbar. Enter a search text. We will search for “sudo”.
The list of events is filtered to display only events related to the sudo command. A small gray block at the end of each line contains the number of entries in that event session. Click on a row to expand it.
We clicked on the top line to see the details of the 24 entries for this session.
With a little scrolling, we can see the same events we saw when we used the journalctl command. User mary’s unexplained editing session on the fstab file is quickly found. We could have searched for “mary” instead, but that would include entries other than her use of sudo.
Not everyone needs root access
Where there is a real and sensible requirement, giving sudo privileges to other users can make sense. Likewise, it makes sense to check their use, or abuse, of these powers, especially right after they have received them.