How to examine the use of the sudo command in Linux


The sudo command gives a user superuser, or root, powers. You may have given them the “with great power comes great responsibility” speech. Here’s how to check whether they listened.

The sudo command

The sudo command stands for “substitute user do”. It allows an authorized person to execute a command as if they were another user. It accepts command line options, one of which names the user under which you want to run the command. The most common way to use sudo is to omit the command line options and accept the default action, which runs the command as the root user.

Using sudo this way requires special permission. Only privileged users can use sudo. When you install a modern Linux distribution, you are prompted to set up a root password which you can use with sudo. Permission to do so is granted to the regular user you create during installation. This is the preferred method for managing access to root user functionality. The old way was to create a root user and log in as root in order to administer your system.

That was a dangerous scenario. It was easy to forget, or be too lazy, to log out and log back in as the regular user when you no longer needed root privileges. Any mistake you made in the terminal window as root would be executed, no matter how drastic. Things the shell would block if a regular user tried them run without question when root asks for them. Using the root account instead of a normal account is also a security risk in itself.

Using sudo focuses the mind. You are entering the same dangerous waters, but you consciously choose to do so and, hopefully, are very careful. You only invoke your superuser status when you need to do something that requires it.

If you open root access to other users, you want to know that they take as much care as you do. You don’t want them executing commands recklessly or speculatively. The health and well-being of your Linux installation depends on the respectful and responsible behavior of privileged users.

Here are several ways to monitor their root usage.

The auth.log file

Some distributions maintain an authentication log, in a file called “auth.log”. With the advent and rapid adoption of systemd, the need for the “auth.log” file has been removed. The systemd-journal daemon consolidates system logs into a new binary format and journalctl allows you to review or query the logs.

If you have an “auth.log” file on your Linux machine, it will probably be in the “/var/log/” directory, although on some distros the file name and path are “/var/log/audit/audit.log”.

You can open the file in less like this. Don’t forget to adjust the path and file name for your distro, and be prepared for the possibility that your Linux doesn’t create an authentication log file at all.

This command worked on Ubuntu 22.04.

less /var/log/auth.log

Looking at the /var/log/auth.log file with less

The log file is open and you can scroll through the file or use the search functions built into less to search for “sudo”.

The contents of the file /var/log/auth.log displayed in less

Even with the search functions of less, locating the sudo entries that interest you takes some effort.

Let’s say we want to see what a user called mary has used sudo for. We can search the log file with grep for lines containing “sudo”, then pipe the output to grep again and look for lines containing “mary”.

Note the sudo before grep and before the log file name.

sudo grep sudo /var/log/auth.log | grep "mary"

Using grep to filter entries that mention mary and sudo

This gives us lines that contain “sudo” and “mary”.

We see that the user mary was given sudo privileges at 3:25 p.m., and at 3:27 p.m. she opened the fstab file in an editor. This is the type of activity that definitely warrants a deeper dive, starting with a conversation with the user.

Use journalctl

The preferred method on systemd-based Linux distributions is to use the journalctl command to examine the system logs.

If we pass the name of a program to journalctl, it will search the logs for entries that reference that program. Because sudo is a binary located at “/usr/bin/sudo”, we can pass that path to journalctl. The -e (pager end) option tells journalctl to open the default file pager, which is usually less, and to scroll straight to the end so the most recent entries are shown.

sudo journalctl -e /usr/bin/sudo

Using journalctl to find entries that mention sudo

Journal entries that include sudo are listed in less.

journalctl showing entries containing sudo in the less file viewer

Use the “Right Arrow” key to scroll right and see the command that was used with each invocation of sudo. (Or stretch your terminal window to make it wider.)

Side scroll to see commands used with sudo

And because the output is displayed in less, you can search for text such as command names, usernames, and timestamps.
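The two-stage grep above and the journalctl listing both leave you reading raw lines. As an added example that is not part of the original article, the shell functions below pull out only the sudo invocation records for one user (the “user : TTY=… ; PWD=… ; USER=… ; COMMAND=…” lines that sudo logs) and print the timestamp, target user and command, skipping the PAM session lines and group changes that merely mention the same name. The log lines are constructed for the example and cover both the auth.log form (“sudo:”) and the journalctl form (“sudo[PID]:”); on a real system you would run this as root against the real file or against the output of journalctl /usr/bin/sudo.

```shell
#!/bin/sh
# Added example: list the commands one user ran through sudo.
# Assumes the standard sudo syslog record:
#   <date> <host> sudo[<pid>]:     <user> : TTY=... ; PWD=... ; USER=... ; COMMAND=...

# Constructed sample log, not a real capture. Mixes auth.log-style and
# journalctl-style lines to show that both are handled.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Mar  1 15:25:10 host usermod[2041]: add 'mary' to group 'sudo'
Mar 01 15:26:01 host sudo[2150]:     dave : TTY=pts/1 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/apt update
Mar  1 15:27:03 host sudo:     mary : TTY=pts/0 ; PWD=/home/mary ; USER=root ; COMMAND=/usr/bin/nano /etc/fstab
Mar  1 15:27:03 host sudo: pam_unix(sudo:session): session opened for user root(uid=0) by mary(uid=1001)
Mar  1 15:31:44 host sudo:     mary : TTY=pts/0 ; PWD=/home/mary ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
EOF

# sudo_commands_for LOGFILE USER
# One line per sudo invocation by USER: "<date> <time> as <target>: <command>".
sudo_commands_for() {
    logfile="$1"
    user="$2"
    # Only the invocation record has "sudo[pid]: <user> :" right after the tag.
    grep -E " sudo(\[[0-9]+\])?: +${user} : " "$logfile" |
        awk -F' ; ' '{
            # $1 = "<date> <host> sudo: <user> : TTY=...", $3 = "USER=...", $4 = "COMMAND=..."
            split($1, head, " ")
            ts = head[1] " " head[2] " " head[3]
            sub(/^USER=/, "", $3)
            sub(/^COMMAND=/, "", $4)
            print ts " as " $3 ": " $4
        }'
}

# sudo_count_for LOGFILE USER: how many times USER invoked sudo.
sudo_count_for() {
    sudo_commands_for "$1" "$2" | wc -l | tr -d ' '
}

sudo_commands_for "$SAMPLE_LOG" mary
```

The two lines printed for mary are the fstab edit the article flags and a read of /etc/shadow, which is exactly the kind of entry the review is meant to surface.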


Using the GNOME Logs Utility

Graphical desktop environments usually include a way to view logs. We are going to look at the GNOME Logs utility. To access the logs utility, press the “Super” key to the left of the “spacebar”.

Type “logs” in the search field. The “Logs” icon appears.

Click on the icon to launch the “Logs” application.

The GNOME Logs app

Click the categories in the sidebar to filter log entries by type. To make more precise selections, click the “All” category in the sidebar, then click the magnifying glass icon in the toolbar and enter a search text. We will search for “sudo”.

Finding entries containing sudo in the GNOME Logs application

The list of events is filtered to show only events related to the sudo command. A small gray block at the end of each line contains the number of entries in that event session. Click on a row to expand it.

The gray block containing the number of entries in a sudo session

We clicked on the top line to see the details of the 24 entries for this session.

Event details displayed in an expanded view

With a little scrolling, we can see the same events we saw when we used the journalctl command. User mary’s unexplained editing session on the fstab file is quickly found. We could have searched for “mary” instead, but that would include entries other than her use of sudo.

Not everyone needs root access

Where there is a real and sensible requirement, giving sudo privileges to other users can make sense. Likewise, it only makes sense to check their use – or abuse – of those powers, especially right after they have received them.
