How to Review sudo Command Usage on Linux
Whether you are just getting started with Linux or a seasoned professional, chances are you have come across the sudo command.
It is one of the most commonly used and most useful commands in the Linux terminal. Because it lets you run operations as the root user, it is dangerous to invoke it mindlessly or to leave a root shell open.
In this post you will explore sudo and learn how to review its usage, so that you can track which users invoked it and what they ran.
Let us get started.
What is Sudo?
Expanded as "substitute user do" or "superuser do", sudo is a Unix utility that allows a permitted user to run a command as another user, by default root.
sudo is installed and enabled by default on most Linux distributions. Which users may invoke it is governed by the sudoers policy; on Debian and Ubuntu, for example, members of the sudo group may run any command, and on Fedora and RHEL the equivalent group is wheel. When you run a command through sudo you are normally asked for your own password, not the root password, which is why Ubuntu does not even set a root password during installation.
The root account has user ID 0. The kernel skips discretionary permission checks for UID 0, so root can read, write and execute any file and run any command on the system.
Because of that power, many Linux users argue that using the root account for day-to-day work is dangerous. We are not here to settle that argument; whichever side you stand on, you will need sudo at one time or another.
There is a lot more to sudo, such as the sudoers file and target users and permissions; those will be covered in later tutorials. You can subscribe to stay up to date when they come out.
For now, let us explore how to monitor the sudo command usage.
Method 1 - Using Journalctl
The most common way to locate sudo usage entries is the journalctl utility, which lets you view and filter the system journal. It is available on systemd-based systems.
journalctl accepts the absolute path of an executable and then shows only the entries logged by processes running that binary.
Start by determining the path in which the sudo command is located:
which sudo
The command should return the path for the sudo binary as:
debian@local:~$ which sudo
/usr/bin/sudo
In this case, sudo is located at /usr/bin/sudo.
We can then view the logs for the sudo command as:
sudo journalctl /usr/bin/sudo
The command lists every entry logged by the sudo program. Reading entries from other users and from the system requires root or membership in the systemd-journal group, which is why the command is run through sudo here; that invocation is itself recorded and will show up in the output.
To jump straight to the newest entries, add the -e (--pager-end) option, which opens the output in the pager (less by default) positioned at the end:
sudo journalctl -e /usr/bin/sudo
Inside less you can search for a pattern with /, for example a user name, and page through the matches.
Method 2 - Using auth.log Files
On some systems you may not find any sudo entries in the journal. If that is the case, check the authentication log that the syslog daemon writes on certain distributions.
On Debian and Ubuntu this is /var/log/auth.log; on Fedora, RHEL and their derivatives the same auth-facility messages go to /var/log/secure. If the audit daemon (auditd) is running, sudo additionally writes its own records to /var/log/audit/audit.log, in auditd's record format rather than the syslog lines shown below.
Keep in mind that auth.log is a syslog configuration convention, not a standard feature of sudo, so you may not find the file at the stated path.
However, if it exists, you can view its content by catting the file as:
sudo cat /var/log/auth.log
You can use a tool such as grep to search for sudo entries:
sudo cat /var/log/auth.log | grep sudo
The command returns the matching entries. Note that the pattern also matches the pam_unix session lines sudo produces, and that the last entry will usually be the command you just ran to read the log, since sudo recorded that too, as in the example output below:
Sep 29 13:00:46 db-server sudo: ubuntu : TTY=pts/1 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/cat /var/log/auth.log
You can also narrow the search to a single user by including that user's name in the pattern: sudo writes the invoking user's name directly after the "sudo:" tag in every entry, as it does for the ubuntu user above.
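As an added example that is not part of the original post: the following POSIX shell script parses sudo's syslog-style entries out of a log file and separates successful commands from refused ones (wrong password, user not in sudoers), which a plain grep for "sudo" does not distinguish. It serves both methods above, because journalctl's default short output uses the same line layout as auth.log. The log contents, the host name db-server and the user names are constructed sample data, and the function names sudo_records and sudo_refused_count are my own.

```shell
#!/bin/sh
# Added example (not part of the original post): pull the sudo command
# records out of a syslog-style auth log and separate successful runs from
# refused ones. The log below is constructed sample data in the format sudo
# writes through syslog; host and user names are made up.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Sep 29 13:00:46 db-server sudo: ubuntu : TTY=pts/1 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/cat /var/log/auth.log
Sep 29 13:00:46 db-server sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=1000)
Sep 29 13:00:46 db-server sudo: pam_unix(sudo:session): session closed for user root
Sep 29 13:02:10 db-server sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Sep 29 13:03:05 db-server sudo[2310]: alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Sep 29 13:05:12 db-server sudo: ubuntu : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/ls /root
Sep 29 13:06:01 db-server sudo: bob : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Sep 29 13:07:30 db-server sudo: alice : TTY=pts/2 ; PWD=/home/alice ; USER=postgres ; COMMAND=/usr/bin/psql
EOF

# sudo_records LOGFILE [USER]
# Prints one tab-separated line per sudo command record:
#   invoking user, target user, status ("ok" or sudo's refusal reason), command.
# pam_unix session open/close lines and non-sudo lines are ignored.
sudo_records() {
  awk -v want="$2" '
    # field 5 of a syslog-style line is the program tag: "sudo:" or "sudo[PID]:"
    $5 ~ /^sudo(\[[0-9]+])?:$/ && /COMMAND=/ {
      rec = substr($0, index($0, $5) + length($5))   # text after the tag
      sub(/^ +/, "", rec)
      n = split(rec, f, / ; /)      # "user : ..." ; PWD=... ; USER=... ; COMMAND=...
      split(f[1], head, / : /)      # head[1]=user, head[2]=TTY=... or a refusal reason
      user = head[1]
      status = (head[2] ~ /^TTY=/) ? "ok" : head[2]
      target = ""; cmd = ""
      for (i = 2; i <= n; i++) {
        if (f[i] ~ /^USER=/)    target = substr(f[i], 6)
        if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
      }
      if (want == "" || user == want)
        printf "%s\t%s\t%s\t%s\n", user, target, status, cmd
    }' "$1"
}

# sudo_refused_count LOGFILE
# Number of sudo invocations that were refused (wrong password, not in sudoers).
sudo_refused_count() {
  sudo_records "$1" | awk -F '\t' '$3 != "ok" { n++ } END { print n + 0 }'
}

printf 'USER\tTARGET\tSTATUS\tCOMMAND\n'
sudo_records "$SAMPLE_LOG"
printf 'refused attempts: %s\n' "$(sudo_refused_count "$SAMPLE_LOG")"
```

Pass a user name as the second argument (sudo_records /var/log/auth.log ubuntu) to get the per-user view described above. On a systemd host the same function works on journal output, since journalctl's default short format has the same layout: sudo journalctl --no-pager /usr/bin/sudo | sudo_records /dev/stdin. Any status other than ok deserves a second look, in particular a "user NOT in sudoers" entry whose command targets a file such as /etc/shadow.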
Closing
In this post, we explored two ways of reviewing the sudo command history: the journalctl utility and the auth.log file. Be mindful when invoking sudo and when granting users access to it.
Thanks for reading. We hoped you enjoyed this post and until next time, cheers!!