https://community.hpe.com/t5/operating-system-linux/sudo-log/m-p/4473040#M37778 That should read:<BR /><BR />If "su -" is allowed, sudo won't know anything beyond that and won't log the shell activity. Tue, 04 Aug 2009 18:21:56 GMT Jeff_Traigle 2009-08-04T18:21:56Z https://community.hpe.com/t5/operating-system-linux/sudo-log/m-p/4473035#M37773 I need a suggestion. We are enabling sudo access to our servers. Does sudo offers any type of logging? How can we enable that in RHEL?<BR /><BR />I have another question. Lets say we have granted some users root access using sudo like sudo su -. Is there any way, we can monitor that user activity after he has switched to root using sudo su - Tue, 04 Aug 2009 16:11:37 GMT https://community.hpe.com/t5/operating-system-linux/sudo-log/m-p/4473035#M37773 Waqar Razi 2009-08-04T16:11:37Z https://community.hpe.com/t5/operating-system-linux/sudo-log/m-p/4473036#M37774 Shalom,<BR /><BR /><A href="http://linux.about.com/od/commands/l/blcmdl8_sudo.htm" target="_blank">http://linux.about.com/od/commands/l/blcmdl8_sudo.htm</A><BR /><BR />By default sudo logs to /var/log/messages or whatever syslog is set to.<BR /><BR />It can be configured to use its own log file.<BR /><BR />SEP Tue, 04 Aug 2009 16:22:02 GMT https://community.hpe.com/t5/operating-system-linux/sudo-log/m-p/4473036#M37774 Steven E. Protter 2009-08-04T16:22:02Z https://community.hpe.com/t5/operating-system-linux/sudo-log/m-p/4473037#M37775 Do you know how can we setup it in /etc/sudoers file? Tue, 04 Aug 2009 16:23:40 GMT https://community.hpe.com/t5/operating-system-linux/sudo-log/m-p/4473037#M37775 Waqar Razi 2009-08-04T16:23:40Z https://community.hpe.com/t5/operating-system-linux/sudo-log/m-p/4473038#M37776 I have setup /var/log/sudo.log for logging sudo activities. I have the following questions now:<BR /><BR />1- After switching to sudo root access by using sudo su -, I can see the switch in the /var/log/sudo.log file:<BR /><BR />Aug 4 13:49:40 : t-aabb : TTY=pts/1 ; PWD=/home/t-aabb ; USER=root ;<BR /> COMMAND=/bin/su -<BR /><BR />But after that, sudo.log is not logging any activities performed by user imran as root. For instance, lets say the user now issues shutdown -r now command after switching to root using sudo su -, How can I configure sudo to log these activities as well.<BR /><BR /> Tue, 04 Aug 2009 16:57:05 GMT https://community.hpe.com/t5/operating-system-linux/sudo-log/m-p/4473038#M37776 Waqar Razi 2009-08-04T16:57:05Z https://community.hpe.com/t5/operating-system-linux/sudo-log/m-p/4473039#M37777 You can't. Sudo will only log the command it allows. If "su -" is allowed, sudo won't know anything about it and won't log it. Some system command auditing is needed... preferably one that has a facility to log remotely to a system the user doesn't have the ability to potential access and modify log records. Relying on shell histories and local logs, especially when allowing a root shell, isn't very effective. :) Tue, 04 Aug 2009 18:20:37 GMT https://community.hpe.com/t5/operating-system-linux/sudo-log/m-p/4473039#M37777 Jeff_Traigle 2009-08-04T18:20:37Z https://community.hpe.com/t5/operating-system-linux/sudo-log/m-p/4473040#M37778 That should read:<BR /><BR />If "su -" is allowed, sudo won't know anything beyond that and won't log the shell activity. Tue, 04 Aug 2009 18:21:56 GMT https://community.hpe.com/t5/operating-system-linux/sudo-log/m-p/4473040#M37778 Jeff_Traigle 2009-08-04T18:21:56Z