Bug 1397169 - Sudo to include "maxseq" & "ignore_iolog_errors" option
Summary: Sudo to include "maxseq" & "ignore_iolog_errors" option
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sudo
Version: 7.4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Daniel Kopeček
QA Contact: Dalibor Pospíšil
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-21 18:51 UTC by Chinmay Paradkar
Modified: 2020-09-10 09:58 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 17:03:40 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2017 0 normal SHIPPED_LIVE sudo bug fix and enhancement update 2017-08-01 18:02:36 UTC

Description Chinmay Paradkar 2016-11-21 18:51:16 UTC
1. Proposed title of this feature request
    Sudo to include "maxseq" & "ignore_iolog_errors" option.

2. Who is the customer behind the request?
    Account name: First National Bank
    Account number: 818530

    TAM customer: no
    SRM customer: no
    Strategic: yes

3. What is the nature and description of the request?  
   In sudo 1.8.18 there is a new sudoers setting, ignore_iolog_errors, that will allow sudo to continue running when the I/O log cannot be written to.

4. Why does the customer need this? (List the business requirements here)  
      
The customer requires the feature for their security solution. Currently they lack proper auditing in the manner they and the auditors want, that is, recorded, playback-like sessions for any shared accounts (like root, oracle etc.) that multiple unique users `sudo su -` to. The sudoreplay function addresses this need.

Unfortunately, sudoreplay cannot log to a remote syslog. Therefore they need to log to a directory. The problem they have is that for security/audit reasons they deny any access to root unless it is via sudo. sudo will and can stop working when sudoreplay is enabled and fills up the directory. The result is that sudo completely stops working. This creates business impact and service downtime, which the business obviously cannot afford. In such a scenario the above two features help by:

5. How would the customer like to achieve this? (List the functional requirements here)  
- maxseq allows one to keep a specified amount of data and rotate it, hence not filling up a FS.
- ignore_iolog_errors allows ignoring any I/O errors when the sudoreplay directory fills up, or, in our case, when the remote share that the sudoreplay logs are written to is inaccessible. We would have to log to a mounted remote directory so we can centralise these logs, as sudoreplay doesn't allow logging via syslog.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  
N.A

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?  
N.A
      
8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?  
RHEL-7.4
     
9. Is the sales team involved in this request and do they have any additional input?  
N.A
   
10. List any affected packages or components.  
 sudo-1.8.6p7-20.el7
     
11. Would the customer be able to assist in testing this functionality if implemented?
Yes
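The two settings requested above, as a small configuration audit. This is an added example, not code from the bug report, from sudo or from Red Hat: it parses constructed sudoers `Defaults` fragments (the fragments, paths and option values are made up for the example), flags I/O logging that is enabled without `ignore_iolog_errors` or without `maxseq`, and shows how a sequence number maps to the `00/00/RS`-style directory that `maxseq` bounds. The parser handles only the `Defaults` syntax the example needs, not the full sudoers grammar.

```python
"""Audit sudoers 'Defaults' lines for the I/O-log settings discussed above.

Added example; not code from sudo, Red Hat or the reporter.  It does not read
/etc/sudoers: it parses constructed fragments and reports whether I/O logging is
on without 'ignore_iolog_errors' (sudo stops working once the log cannot be
written) and without 'maxseq' (nothing bounds the number of session dirs).
"""
import re

# maxseq default according to sudoers(5); the effective cap on %{seq}.
MAXSEQ_DEFAULT = 2176782336
# Default I/O log directory according to sudoers(5).
IOLOG_DIR_DEFAULT = "/var/log/sudo-io"

# Constructed sudoers fragments (not taken from any real system).
WEAK_SUDOERS = """
# I/O logging on; nothing tolerates write failures or bounds the directory
Defaults log_input, log_output
Defaults iolog_dir=/var/log/sudo-io
Defaults!/bin/su log_output
"""

HARDENED_SUDOERS = """
Defaults log_input, log_output
Defaults iolog_dir="/var/log/sudo-io"
# cycle %{seq} after 1000 sessions; keep sudo usable if the log write fails
Defaults maxseq=1000, ignore_iolog_errors
"""

# 'Defaults' optionally followed by a target: Defaults:user, Defaults@host,
# Defaults!cmd or Defaults>runas, then whitespace and the option list.
DEFAULTS_RE = re.compile(r"^Defaults(?:[:@!>]\S+)?\s+(.+)$")
# One option: optional '!' negation, name, optional operator and value.
OPTION_RE = re.compile(
    r'(!?)([A-Za-z_]+)(?:\s*([+-]?=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+))?')


def parse_sudoers(text):
    """Return {option: value} merged over all Defaults lines, last one wins.

    Targeted Defaults lines are merged as well, since any of them can switch
    I/O logging on for some command, user or host.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        for neg, name, op, value in OPTION_RE.findall(m.group(1)):
            if value == "":
                settings[name] = not neg      # boolean flag; '!' turns it off
                continue
            if op in ("+=", "-="):
                continue                      # list edits (env_keep etc.) are irrelevant here
            value = value.strip('"')
            settings[name] = int(value) if value.isdigit() else value
    return settings


def audit_iolog(settings):
    """Return (code, message) findings for the two failure modes in the request."""
    findings = []
    if not (settings.get("log_input") or settings.get("log_output")):
        return findings                       # no I/O logging, nothing to fill up
    if not settings.get("ignore_iolog_errors"):
        findings.append(("IOLOG_FAIL_CLOSED",
                         "log_input/log_output enabled without ignore_iolog_errors: "
                         "sudo refuses to run once the I/O log cannot be written"))
    if "maxseq" not in settings:
        iolog_dir = settings.get("iolog_dir", IOLOG_DIR_DEFAULT)
        findings.append(("IOLOG_UNBOUNDED",
                         f"maxseq not set: up to {MAXSEQ_DEFAULT} session directories "
                         f"may accumulate under {iolog_dir}"))
    return findings


def iolog_seq_path(seq):
    """Encode a sequence number the way sudoers(5) describes %{seq}: a six
    character base-36 number split into two-character directory components,
    e.g. 1000 -> '00/00/RS'.  With maxseq=1000 only 00/00/00 .. 00/00/RR exist."""
    digits = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    out = ""
    for _ in range(6):
        out = digits[seq % 36] + out
        seq //= 36
    return "/".join(out[i:i + 2] for i in range(0, 6, 2))


if __name__ == "__main__":
    for label, frag in (("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        s = parse_sudoers(frag)
        print(f"{label}: {s}")
        for code, msg in audit_iolog(s) or [("OK", "I/O log failure modes mitigated")]:
            print(f"  {code}: {msg}")
    print("maxseq=1000 keeps %{seq} within", iolog_seq_path(0), "..", iolog_seq_path(999))
```

Before rolling such `Defaults` lines out, run `visudo -c` against the candidate file on the target sudo version: the options are only recognized by sudo builds that include them, and a `Defaults` line the installed sudo does not understand is reported by `visudo -c` rather than discovered when sudo is next needed.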

Comment 2 Tomas Sykora 2017-02-17 11:56:49 UTC
These features will be delivered in rhel 7.4 by rebase. They're now available in testing copr build sudo-1.8.19p2-1.el7.

Comment 6 errata-xmlrpc 2017-08-01 17:03:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2017

Comment 7 errata-xmlrpc 2017-08-01 17:27:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2017

