I am able to jail the execution of specific commands behind a proxy script for a user whose sudo privilege is only this script, sodo (check here for how to). The sodo script also logs whatever critical commands they ordered:
sodo:
#!/bin/bash
# Pass a command from non-sudoers who may only run a few commands via this script.
# The allow-list is matched on the first argument; anything else is rejected.
case "$1" in
    firewall-cmd|ip|systemctl)
        # Run the arguments as one command without eval, so shell metacharacters
        # in the arguments (';', '|', '$(...)') cannot splice in extra commands.
        "$@"
        ret=$?
        ;;
    *)
        echo 'your request is not allowed yet, please contact the root user'
        exit 1
        ;;
esac
if [ "$ret" -eq 0 ]; then
    echo "$(date +"%Y-%m-%d %X"): executed order from $(pwd) by pid $$ to $*" >> /root/sodo.log
fi
You might argue the script above does not log the exact user via $USER who runs firewall-cmd|ip|systemctl. Correct, that is because they run sodo as the root user, so $USER=root; that is what lets them run those 3 commands at all, given that their sudo privilege does not include the 3.
But here is the loophole: they can run sodo inside a python script inside some public path like var, and it is impossible to pin down who runs it (who stopped the service maliciously). Now that I have recorded $$, the pid that ran sodo, is it possible to trace back the parent pids to the login process to pin down who was the actual commander?
I figured out a way to trace back to its parent user while this script is being processed: since its parent process is not dead yet, and from $$ one can find out everything about it with ps and a basic search, it is possible to log the user of its parent process, who was the real commander of this script.
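As an added example (not part of the original post or the sodo script), the approach from the last paragraph in shell: walk the PPid chain from the wrapper's own pid through /proc, report the nearest non-root ancestor as the commander, and also read /proc/&lt;pid&gt;/loginuid, the kernel audit login uid that pam_loginuid sets at login and that sudo does not change. The function names and the log-line format are my own choices.

```shell
#!/bin/bash
# Added example: reconstruct who really invoked a sudo proxy such as sodo
# by walking the parent-process chain in /proc (plus the audit loginuid).

# Print "pid realuid comm" for the given pid and every ancestor up to pid 1.
ancestors() {
    local pid=$1 ppid uid comm
    while [ "$pid" -gt 0 ] && [ -r "/proc/$pid/status" ]; do
        # /proc/<pid>/status carries Name:, PPid:, and "Uid: real eff saved fs"
        comm=$(awk '/^Name:/ {print $2}' "/proc/$pid/status")
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
        uid=$(awk '/^Uid:/  {print $2}' "/proc/$pid/status")
        printf '%s %s %s\n' "$pid" "$uid" "$comm"
        [ "$pid" -eq 1 ] && break
        pid=$ppid
    done
}

# Nearest ancestor (the pid itself included) whose real uid is not root:
# under sudo that is the account that typed or scripted the command.
# Prints "unknown" when the whole chain is root (e.g. a daemon from boot).
commander_uid() {
    ancestors "$1" | awk '$2 != 0 { print $2; found = 1; exit }
                          END     { if (!found) print "unknown" }'
}

# Audit login uid; 4294967295 means no audit-aware login ever set it.
login_uid() {
    local lu
    lu=$(cat "/proc/$1/loginuid" 2>/dev/null) || { echo unknown; return; }
    [ "$lu" = 4294967295 ] && echo unset || echo "$lu"
}

# One log line a sodo-style wrapper could append next to its existing entry.
# $1 = pid of the wrapper, $2 = the requested command as a string.
commander_log_line() {
    local pid=$1 uid name
    uid=$(commander_uid "$pid")
    name=$(getent passwd "$uid" 2>/dev/null | cut -d: -f1)
    printf '%s: pid %s requested "%s"; commander uid=%s (%s) loginuid=%s\n' \
        "$(date +'%Y-%m-%d %X')" "$pid" "$2" "$uid" "${name:-?}" "$(login_uid "$pid")"
}

# Demonstration on this shell's own pid (constructed request string).
ancestors $$
commander_log_line $$ "systemctl stop sshd"
```

Called from inside the wrapper with $$, the chain is still alive, so the interactive shell, sshd session or cron job that started the python script is visible even though the wrapper itself runs as root.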