Is it possible to limit remote administration accesses of an admin using Selinux?

Question

Suppose and admin needs to access a machine remotely.Root logins are disabled but he belongs to the sudoers list. I read that "sudo command" is good practice because you don't forget you are using root and also, sudo logs commands (this was the surprising part for me). I need to keep track of admin commands but the fact the he can escalate to root makes the task complicated because he can just delete the logs. I was thinking of using selinux to help me here. I know this question sounds strange but:

Is there a way to limit some accesses to an admin that belongs to the sudoers list or at least protect the logs of his actions?

The admin can only access remotely and no root access is directly allowed. I give these rules because it could be possible to limit accesses to the admin based on the shell spawned.

Kind regards

Answer 1

The thing is, if you give someone sudo privileges, they can become root with:

• sudo -i
• sudo su
• sudo sh
• sudo bash
• sudo {whatever shell they want}
• sudo vi (seriously)
• sudo python

The good thing is, you can limit sudo privileges in a semi-granular fashion. Here's the sudoers man page to elaborate on that a little more. man sudoerscan give you the same information.

Blocking access to su is a little more trivial. Here's a post on U&L that shows how to do this. Basically, you create a group called "becomeroot" and tell PAM to check if a user is in that group before allowing su. Don't add the admin to this group, and you're golden. However, they'll have the permissions to change this, because they have sudo!

You need to trust your admin, or remove sudo from them. If logging is the main concern, export the .bash_history files and log them externally. Here's another U&L post (man those guys are clever) that describes using auditdand a syslog server. Once the logs leave the box, your admin is powerless to stop it because they've already been snitched on!