Description Chinmay Paradkar
2016-11-21 18:51:16 UTC
1. Proposed title of this feature request
Sudo to include "maxseq" & "ignore_iolog_errors" option.
2. Who is the customer behind the request?
Account name: First National Bank
Account number: 818530
TAM customer: no
SRM customer: no
Strategic: yes
3. What is the nature and description of the request?
In sudo 1.8.18 there is a new sudoers setting, ignore_iolog_errors, that will allow sudo to continue running when the I/O log cannot be written to.
4. Why does the customer need this? (List the business requirements here)
Customer requires the feature for their security solution. Currently they lack proper auditing in the manner they and the auditors want. That is, a recorded, playback-like session for any shared accounts (like root, oracle, etc.) where multiple unique users `sudo su -` to. The sudoreplay function addresses this need.
Unfortunately, sudoreplay cannot log to a remote syslog. Therefore they need to log to a directory. The problem they have is that for security/audit reasons they deny any access to root unless it is via sudo. sudo will and can stop working when the sudoreplay is enabled and fills up the directory. The result is that sudo completely stops working. This creates business impact and service downtime which the business obviously cannot afford. In such a scenario the above two features help by:
5. How would the customer like to achieve this? (List the functional requirements here)
- MaxSeq allows one to keep a specified amount of data and rotate it, hence not filling up a FS.
- ignore_iolog_errors allows ignoring any I/O errors when the sudoreplay directory fills up. Or, in our case, the remote share that the sudoreplay logs are writing to is inaccessible. We would have to log to a mounted remote directory so we can centralise these logs, as sudoreplay doesn't allow logging via syslog.
6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
N.A
7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
N.A
8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
RHEL-7.4
9. Is the sales team involved in this request and do they have any additional input?
N.A
10. List any affected packages or components.
sudo-1.8.6p7-20.el7
11. Would the customer be able to assist in testing this functionality if implemented?
Yes
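The two settings requested above decide whether sudo refuses to run or keeps running when the I/O log directory is full or unreachable. The following is an added example, not part of the bug report or of sudo itself: a shell check that reads a sudoers file and reports which of those behaviours is configured. The function name `iolog_posture` and the path `/mnt/audit/sudo-io` are hypothetical, and only global `Defaults` lines are parsed.

```shell
#!/bin/sh
# iolog_posture FILE: report how sudo behaves when its I/O log is unwritable.
# Assumption: only global "Defaults" lines are read; scoped entries
# (Defaults:user, Defaults@host), include files and continuations are skipped.
# maxseq caps the %{seq} number; past it sudo wraps to zero and reuses log paths.
iolog_posture() {
    awk '
    /^[ \t]*Defaults[ \t]/ {
        line = $0
        sub(/^[ \t]*Defaults[ \t]+/, "", line)
        n = split(line, items, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            item = items[i]
            gsub(/^[ \t]+|[ \t]+$/, "", item)
            if (item ~ /^maxseq[ \t]*=/) {          # session-count cap
                sub(/^maxseq[ \t]*=[ \t]*/, "", item)
                maxseq = item
                continue
            }
            neg = sub(/^!/, "", item)               # "!flag" turns a flag off
            flag[item] = neg ? 0 : 1                # last setting wins
        }
    }
    END {
        if (maxseq == "") maxseq = "default"
        if (!flag["log_input"] && !flag["log_output"]) { print "no-iolog"; exit }
        mode = flag["ignore_iolog_errors"] ? "fail-open" : "fail-closed"
        print mode " maxseq=" maxseq
    }' "$1"
}

# Constructed sample fragment (not taken from the bug report).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults log_input, log_output
Defaults iolog_dir=/mnt/audit/sudo-io
Defaults maxseq=1000
Defaults ignore_iolog_errors
EOF
iolog_posture "$sample"     # fail-open maxseq=1000
rm -f "$sample"
```

A `fail-closed` result is the outage described in the request; `fail-open` keeps sudo usable but means commands can run unrecorded while the log directory is unavailable, so the log mount itself needs monitoring.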
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:2017